A common mistake made in responding to ransomware is rushing through a recovery only to realize that the recovery point was a compromised copy of the system, and in turn, re-introduces the threat back into the environment. To make matters worse, if a replicated copy were to be recovered at a tertiary site, it might introduce malware into networks that it previously didn’t have access to and further impact business operations. 

Rubrik Zero Trust Data Security™ provides insights and capabilities to help customers respond to cyber attacks. For example, customers can be proactive in their data security strategy by seeking out indicators of compromise (IOC) with Rubrik Threat Hunting, or quickly respond to cyber incidents with intelligent and automated recoveries provided by Ransomware Investigation and Orchestrated Application Recovery

Building upon this foundation, Rubrik Threat Containment was recently announced at FORWARD and will provide customers the ability to reduce the risk of re-introducing malware into the environment from a recovery operation, wherever Rubrik is deployed. Let’s take a quick look at a few details of the feature.

Maintain control of your data during a cyber attack

In the event of a cyber attack, malware containment is a key step before the eradication and recovery process can begin. When you consider the systems, platforms, and storage repositories of legacy data protection, containing the risk of re-introducing compromised data could be a significant challenge. 

Rubrik Threat Containment, however, takes advantage of the unified platform by Rubrik; where data is managed end-to-end through a centralized control plane that is delivered as a software as a service (SaaS). This means that within a single workflow, flagged data from a threat hunt can be contained, thus removing the chance of potentially harmful operations during the incident response process. As an added benefit, the data quarantine is effective for not only the primary copy but also the replicas that could exist in another data center as part of a disaster recovery plan.

For example, let’s say that your company has been hit by ransomware, and your incident response team is actively working towards containing the threat. You’ve run a Threat Hunt scan that has identified malware artifacts in the backups that need to be quarantined and analyzed before they are cleared to be used for recovery. In a single workflow, Rubrik Threat Containment quarantines the flagged snapshots in both the primary and secondary CDM cluster and restricts the ability of a user, application, or automation script to recover the quarantined data.



Now, if a Rubrik user attempts to recover a quarantined snapshot, they are notified in the interface of limited recovery operations that they can execute until the quarantine is cleared.



In the event of an attack, preventing the re-introduction of malware back into the environment is a key element of a successful recovery. The restoration of a single infected file could mean that the entire recovery process needs to be restarted, resulting in more downtime and more impact on business and customers. This is on top of having to recover, or clean, the recovery environment that was just infected.

Become proactive in the fight against cyber threats

For Rubrik customers, a policy-driven model, immutable backups, and orchestration tools continue to be the engine that drives their data security needs. With this foundation in place, Rubrik customers can become proactive in defending against cyber threats, and take advantage of the unique data that is stored within Rubrik.

For security operations, threat intelligence is an information feed that is supplied 24/7/365 with vulnerabilities, patches, and IOCs to be researched, tested, and deployed to an environment. Because of the fluid nature of security operations and threat intelligence, looking for IOCs from a historical perspective is crucial so that dormant or inactive threats can be neutralized before they activate. As an example, if a threat hunt picks up a known IOC on a web server, a security engineer could proactively quarantine snapshots for the systems that are associated with that application, and proceed with the remediation playbook to eliminate the malware from the network.




The rapid increase in cyber threats and ransomware campaigns continues to escalate the efforts needed to secure digital assets. With Rubrik, providing the ability to detect and recover from an attack or security incident is always paramount; but as customers become more proactive and refine their data security strategy, Rubrik will continue to add applications with actionable insights to help customers secure their data.

For a recap of the FORWARD 2022 user conference keynote and sessions, please visit forward.rubrik.com.