Tech Field Day

The Independent IT Influencer Event


Veeam Presents at Security Field Day 13



Security Field Day 13

Emilee Tellez and Rick Vanover presented for Veeam at Security Field Day 13

The presentation took place on May 28, 2025, from 15:30 to 17:00.

Presenters: Emilee Tellez, Rick Vanover


Follow on Twitter using the following hashtags or usernames: #XFD13

Have You Seen Veeam Lately?



Veeam is the #1 global market leader in data resilience. Veeam solutions are purpose-built for powering data resilience by providing data backup, data recovery, data portability, data security, and data intelligence. Veeam, a company with over $1.7 billion in revenue and 5,500 employees globally, has significantly expanded its portfolio beyond its origins as a VMware backup tool. They now offer a comprehensive suite of solutions across on-premises, as-a-service, and hybrid models, protecting over 150 different data types. A key recent development is the Veeam Cyber Secure offering, built on the acquisition of Coveware, which is central to their enhanced data security capabilities. Veeam emphasizes that their current offerings represent a significant evolution from the Veeam many people once knew, extending far beyond virtual machine backup to encompass a vast array of data protection needs, including being the most deployed Microsoft 365 backup solution worldwide.

Veeam’s approach to data security is structured around three core pillars: innovation, ecosystem partnerships, and incident response expertise through Coveware. In terms of innovation, Veeam is integrating new security technologies into its products to accelerate mean time to detection and response, ensuring that critical information is readily available to those responding to security events. Their commitment to a strong security ecosystem is demonstrated by alliances with over 65 different security vendors, including major players like CrowdStrike, Palo Alto, and Splunk, acknowledging that organizations have already invested significantly in diverse cybersecurity solutions. This collaborative approach allows Veeam to complement existing security infrastructures rather than attempting to replace them.

The acquisition of Coveware is a cornerstone of Veeam’s data security strategy, particularly for incident response. Coveware is recognized for its extensive data aggregation related to threat actor decryption keys, which is crucial for recovering from ransomware incidents. Beyond their technological prowess, Coveware brings a team of experienced negotiators and cool-headed professionals who assist organizations in navigating the complexities of ransomware incidents and payment negotiations. This unique blend of technology innovation, strategic partnerships, and specialized human expertise positions Veeam as a comprehensive data resilience provider, focused on keeping “good data safe from bad things” and supporting organizations throughout the entire incident response lifecycle.

Personnel: Emilee Tellez, Rick Vanover

Security Innovations at Veeam



Veeam has delivered true security capabilities in the platform, both to protect the Veeam installation itself and to identify threats in the data they are safeguarding. Veeam has been developing security features and enhancements for its platform, starting with instant virtual machine recovery and extending into proactive threat hunting. Key innovations include the Veeam Data Platform 12.1, which introduced a threat center, AI-based inline malware detection, and proactive threat hunting capabilities. The acquisition of Coveware further strengthened Veeam’s incident response capabilities, providing expertise in ransomware negotiation and proactive incident planning.

Veeam’s security innovations focus on both protecting the Veeam environment and identifying threats within the protected data. Threat Hunter provides signature-based scans of backups, while AI-based inline detection scans data streams for anomalies. Indicators of Compromise (IOC) analysis identifies known attacker toolkits, and suspicious file activity analysis examines unusual file behavior. Veeam also offers security and compliance analyzers to ensure best practices in data protection and infrastructure security, including MFA and four-eyes authorization. These features aim to provide a multi-layered approach to security, addressing threats both during and after the backup process.

To facilitate incident response, Veeam offers an Incident API, enabling bi-directional communication between security tools and the Veeam platform. This allows for automated actions, such as creating out-of-band backups when a security tool detects an active attack. Veeam’s Threat Center provides a high-level overview of the security status of the data protection environment, while the Data Platform Scorecard assesses overall resilience and adherence to best practices. Veeam also integrates with security ecosystems, allowing customers to leverage their existing security investments. This comprehensive approach aims to minimize data loss and accelerate recovery in the event of a security incident.

Personnel: Emilee Tellez, Rick Vanover

Security Ecosystem at Veeam



Veeam’s product development and collaboration pace with security vendors is not just a differentiator, it’s a trust signal. Veeam has proven to innovate fast and integrate wide. This session highlights these integrations, iteration velocity and the breadth of the ecosystem. Veeam emphasizes its “power of three” strategy, extending beyond internal innovation to encompass robust partnerships with over 65 security vendors, including major players like Palo Alto, CrowdStrike, Splunk, and Sophos. This extensive ecosystem allows organizations to leverage their existing security investments by feeding information directly from Veeam’s data protection platform into their chosen security tools. The Veeam CyberSecure program, which includes advanced capabilities, incident response retainers, and a ransomware recovery warranty with zero claims to date, further underscores their commitment to data safety.

Veeam provides comprehensive monitoring and reporting through Veeam ONE, which tracks hypervisor, cloud workloads, and Microsoft 365 backup products. This critical data is fed into security partners’ platforms, offering insights into anomalies such as unusual data read-write rates or suspicious login attempts, enabling quicker threat notification. Veeam supports various event types, from malware detection to overall system overviews, making this information available via Syslog and JSON formats. This allows customers to filter events based on their needs and avoid alert fatigue, integrating seamlessly with any Security Information and Event Management (SIEM) tool, including free options. Notably, Veeam makes its documentation publicly accessible, reflecting its commitment to transparency and empowering users.

A key aspect of Veeam’s integration strategy is its recent collaboration with CrowdStrike, offering dashboards for data protection monitoring and security events within the CrowdStrike platform. These pre-built dashboards provide a high-level overview of security events within the Veeam environment, allowing users to drill down for detailed information. Furthermore, Veeam’s integration with Palo Alto XSOAR enables automated playbooks, such as initiating instant VM recovery or deploying security agents on compromised machines. This bidirectional communication helps orchestrate responses across data protection and security operations, enabling security analysts to build customized workflows, even without direct experience with Veeam’s application, as demonstrated by a customer who leveraged Veeam events in Splunk to drive Palo Alto XSOAR automations.

Personnel: Emilee Tellez, Rick Vanover

The Veeam Difference: Coveware by Veeam



Coveware by Veeam, acquired in March 2024, significantly enhances Veeam’s in-house capabilities in ransomware incident response. Since 2018, Coveware has amassed a large database from supporting 50-100 ransomware cases monthly, allowing them to publish quarterly reports detailing threat actor techniques, tactics, and procedures (TTPs). This proactive intelligence helps organizations understand prevalent threats and implement preventative measures like patching, whitelisting, and enhanced due diligence.

Coveware provides a comprehensive incident response retainer service, including cyber extortion negotiation, cryptocurrency settlements, and decryption support, leveraging their extensive database of decryption tools and keys. They offer 24/7/365 response, typically engaging with organizations within 15 minutes, and partner with other incident response firms like CrowdStrike and Mandiant for specialized containment and eradication efforts. A key differentiator is Coveware’s patent-pending Recon Scanner, a forensic investigation tool deployed on impacted systems to collect logs and build attack timelines. This scanner highlights critical warnings and identifies malicious activity, brute-force attempts, data exfiltration, privilege escalation, and other behaviors indicative of threat actor movement within an environment.

The Recon Scanner’s output, including detailed attack timelines, helps organizations understand the progression of an incident. While its primary use is during an active incident, its ability to uncover historical malicious activity that may have bypassed other security tools makes it a powerful forensic asset. Veeam emphasizes that while they do not advocate paying ransoms, Coveware’s negotiation expertise often focuses on buying time for recovery efforts rather than facilitating payments. This allows organizations to activate their incident response plans, communicate with stakeholders, and restore operations from clean backups. The continuous focus on education and best practices, like immutable backups and encryption passwords, is crucial for organizations to build resilience and improve their posture against evolving cyber threats.

Personnel: Emilee Tellez, Rick Vanover

What’s Next from Veeam?



This segment looks at the Veeam roadmap from a security perspective. A major upcoming innovation is the new Veeam Software Appliance, a fan favorite from VeeamON 2025. This appliance runs the core Veeam platform on Rocky Linux, hardened with DISA STIG security standards, and is designed to be a purpose-built, highly secure backup infrastructure. It aims to significantly enhance the protection of the backup environment itself, moving towards a “secure by default” delivery model. Veeam will manage all security patching for these appliances, offering forced updates with scheduled timelines, thereby reducing the burden on customers for maintaining server security.

Another key future innovation is the introduction of universal continuous data protection (CDP), extending beyond current VMware capabilities to support physical systems and various hypervisors, with future targets including hyperscalers. This aims to provide near-instant recovery point objectives (RPOs) down to two seconds across diverse environments. While Veeam already supports CDP via VMware’s VAIO Filter Driver, this new universal CDP will broaden its applicability across the entire ecosystem.

Finally, Veeam is exploring the integration of AI into its data fabric to unlock deeper insights from customer data, particularly for eDiscovery scenarios. This involves leveraging Veeam’s extensive backup data to enable rapid querying and analysis that would otherwise take significantly longer. While still in early stages and requiring a public statement on responsible AI, this initiative promises attractive future capabilities in data intelligence. Veeam offers flexible licensing through its universal license (VUL) model, which simplifies pricing across various workloads, and their top-tier Veeam CyberSecure offering includes comprehensive capabilities and a ransomware recovery warranty.

Personnel: Emilee Tellez, Rick Vanover

