Retrospect Backup refines anomaly detection in ransomware battle

Feb 16, 2022 | Retrospect, StorCentric

StorCentric backup software brand allows customer fine-tuning of anomaly detection in struggle against ransomware, and adds immutable copies via object locking in Azure

StorCentric’s Retrospect backup product has launched version 18.5, which adds improved anomaly detection to detect ransomware infection, as well as the ability to retain immutable copies of backups in the Microsoft Azure cloud via object locking.

Retrospect is an SME-focused backup product that belongs to StorCentric. It was acquired in 2019 and sits alongside SAN array brand Nexsan and consumer and SME NAS brand Drobo in the company stable.

Retrospect specialises in backing up endpoints, but also protects applications such as email, servers and storage arrays.

Like other data protection and storage makers, a big current focus is ransomware.

Retrospect’s main thrusts against ransomware are anomaly detection and data immutability. In this version, it has added to its anomaly detection capability by allowing for user-set thresholds and filters, said general manager JG Heithcock.

“In version 18, we had a bit of a sledgehammer approach where if 60% of data in a backup was new, we flagged this up to the customer,” said Heithcock.

Here the idea is that when a ransomware executable encrypts data and creates new file endings, it will increase the data volume significantly and so be easily detected.

In version 18.5, Retrospect has allowed for customers to select the percentage threshold of data volume growth and for the software to disregard certain file types. That is so users can account for genuine file growth in certain workloads with notifications being generated.

Now genuine email notifications and alerts have been added, whereas previously there was literally just a flag beside a file or folder.

“There’s no real overhead on this operation,” said Heithcock. “We already scan everything as part of the backup, so it’s just a case of applying selectors.”

What’s on the roadmap? Machine learning, said Heithcock. “We’re investigating how machine learning would help us out, to be able to decide between normal files and suspicious objects.”

Retrospect has also added to its ability to retain backups as immutable copies by adding the use of object locking in Azure, where it can be run as an instance. Here, users can enter Azure credentials and policies into Retrospect and the software will retain backups in an existing cloud bucket or create a new one, if needed.

Microsoft Azure as a cloud target for backups adds to existing support in AWS and Google Cloud Platform.

Retrospect’s immutability capabilities are centred on cloud object locking, but also encompass the ability to literally air-gap data via tape, with the latest generation – LTO-9 – support. Stable-mate array brand Nexsan allows for data to be object-locked in a private S3 layer.

If dormant ransomware executables are discovered on existing backups, they can be filtered out on restore by excluding, for example, executable files within particular time parameters.

Retrospect Backup is sold as a one-time licensed purchase or through channel partners, making it an attractive alternative to IT buyers on smaller budgets.

StorCentric acquired Retrospect in 2019. It is one of a handful of recent StorCentric purchases, which in the past few years have also included Nexsan, Vexata, Drobo and Violin Systems, among others.