This video is part of the appearance “Veeam Presents at Security Field Day 13”. It was recorded as part of Security Field Day 13 at 15:30-17:00 on May 28, 2025.
Veeam’s product development and collaboration pace with security vendors is not just a differentiator, it’s a trust signal. Veeam has proven to innovate fast and integrate wide. This session highlights these integrations, iteration velocity and the breadth of the ecosystem. Coveware by Veeam, acquired in March 2024, significantly enhances Veeam’s in-house capabilities in ransomware incident response. Since 2018, Coveware has amassed a large database from supporting 50-100 ransomware cases monthly, allowing them to publish quarterly reports detailing threat actor techniques, tactics, and procedures (TTPs). This proactive intelligence helps organizations understand prevalent threats and implement preventative measures like patching, whitelisting, and enhanced due diligence.
Coveware provides a comprehensive incident response retainer service, including cyber extortion negotiation, cryptocurrency settlements, and decryption support, leveraging their extensive database of decryption tools and keys. They offer 24/7/365 response, typically engaging with organizations within 15 minutes, and partner with other incident response firms like CrowdStrike and Mandiant for specialized containment and eradication efforts. A key differentiator is Coveware’s patent-pending Recon Scanner, a forensic investigation tool deployed on impacted systems to collect logs and build attack timelines. This scanner highlights critical warnings and identifies malicious activity, brute-force attempts, data exfiltration, privilege escalation, and other behaviors indicative of threat actor movement within an environment.
The Recon Scanner’s output, including detailed attack timelines, helps organizations understand the progression of an incident. While its primary use is during an active incident, its ability to uncover historical malicious activity that may have bypassed other security tools makes it a powerful forensic asset. Veeam emphasizes that while they do not advocate paying ransoms, Coveware’s negotiation expertise often focuses on buying time for recovery efforts rather than facilitating payments. This allows organizations to activate their incident response plans, communicate with stakeholders, and restore operations from clean backups. The continuous focus on education and best practices, like immutable backups and encryption passwords, is crucial for organizations to build resilience and improve their posture against evolving cyber threats.
Personnel: Emilee Tellez, Rick Vanover