Disaster Recovery Journal Spring 2025
Anomaly Detection's Emergence in Data Protection Solutions

To identify customized ransomware strains, a new generation of data protection solutions has emerged that includes anomaly detection. The rise of anomaly detection in data protection stems from its ability to perform historical data analysis.

Perimeter cybersecurity solutions primarily analyze production data in real time. While they can theoretically monitor and regularly scan all production data, this approach is problematic. Scanning incurs significant overhead on production systems and may fail to detect ransomware customized for specific organizations.

By contrast, using a data protection solution to routinely monitor and scan backup data is more effective. Moving scanning to the backup environment shifts the overhead to nonproduction systems. Since data protection solutions often sit idle during off-backup hours, organizations can use those resources to scan for ransomware.

The nature of these new ransomware strains makes it more effective to look for data anomalies over time. Some strains may only affect a specific organization or alter small chunks of data. Detecting these subtle changes may take days, weeks, or months. This suggests that data protection solutions with anomaly detection are better suited to identify them.

The Nature of an Anomalous Event

Using anomaly detection in data protection solutions, such as backup software and backup targets, may seem intuitive. Every organization wants to be alerted quickly to ransomware. However, determining the nature of each anomalous event can be complex.

Organizations may assume that if a data protection solution identifies an anomaly, it must have detected ransomware. However, this one-to-one relationship does not always hold true. The detection of an anomaly may indicate ransomware in an organization's IT environment. However, it may just as likely result from an unusual but acceptable business event.

Changes to production data that are unrelated to ransomware can trigger anomaly detection. Examples of such business-related anomalies include:

- Increased application usage, resulting in higher data change rates.
- Corporate acquisitions, which alter data access and usage patterns.
- Data cleanup efforts, such as archiving or deleting infrequently accessed data.
- More frequent backups, leading to increased stored data.
- Moving data or applications between storage locations.
- Encrypting data to comply with new regulations.
- Retiring an application or project and archiving or deleting its data.

These and other events can cause anomaly detection systems to flag legitimate activities as suspicious. This highlights the challenges of implementing anomaly detection: detecting anomalies does not automatically mean detecting ransomware. Organizations must carefully evaluate data protection solutions with anomaly detection to ensure they provide meaningful alerts.

Creating Proper Associations

Before deploying a data protection solution with anomaly detection, organizations should look for solutions that can create proper associations between anomalies and real threats. Ideally, the solution should have time to learn an organization's typical data access and usage patterns. Normal activity in one organization may appear anomalous in another, and vice versa. More importantly, this learning period helps it differentiate between anomalies caused by routine business activities and those indicating ransomware.

This learning period also minimizes false positives. If a solution generates too many false alarms, organizations may start ignoring alerts, reducing the system's effectiveness. Conversely, detecting few or no anomalies creates a different risk. Organizations may assume their environment is secure when, in reality, the anomaly detection system is ineffective.

Effective Anomaly Detection and Alerting Requires Generative AI

To be truly effective, a data protection solution with anomaly detection must perform two critical tasks:

1. Monitor and analyze the behavior of both applications and users accessing data.
2. Determine whether an anomaly is business-related or indicative of suspicious activity.

Because distinguishing between these two types of events is difficult, organizations should be skeptical of solutions that rely solely on preprogrammed, nonconfigurable anomaly detection capabilities.

To more accurately differentiate between business-related and suspicious anomalies, organizations should look for data protection solutions with generative artificial intelligence (AI) capabilities. Generative AI enables a data protection solution to learn an organization's IT environment, analyze backup data, track changes over time, and distinguish between routine business anomalies and potential ransomware threats.
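The article's argument that "an anomaly is not a ransomware detection" and that a learning period plus proper associations reduces false positives can be shown with a small baseline detector over backup-job statistics. This is an added illustration, not code from the article or from any product it discusses; the per-backup metrics (change rate, share of high-entropy files), the 14-day learning window, and the "planned change window" flag are constructed assumptions standing in for the associations a real solution would learn.

```python
import statistics
from dataclasses import dataclass

@dataclass
class BackupSample:
    day: int
    change_rate: float          # fraction of protected data changed since the last backup
    high_entropy_ratio: float   # fraction of changed files that look encrypted/compressed
    planned: bool = False       # assumption: day falls inside an announced business change window

LEARNING_DAYS = 14   # learning period before alerts are trusted (assumed value)
Z_THRESHOLD = 3.0    # how far from the learned baseline counts as anomalous

def zscore(value, history):
    """Standard score of value against the learned history (guarded for a flat baseline)."""
    return (value - statistics.fmean(history)) / (statistics.pstdev(history) or 1e-9)

def classify(samples):
    """Map day -> 'learning' | 'normal' | 'business-anomaly' | 'possible-ransomware'."""
    verdicts, rates, ratios = {}, [], []
    for s in samples:
        if len(rates) < LEARNING_DAYS:             # still learning typical patterns
            verdicts[s.day] = "learning"
            rates.append(s.change_rate); ratios.append(s.high_entropy_ratio)
            continue
        rate_anom = zscore(s.change_rate, rates) > Z_THRESHOLD
        entropy_anom = zscore(s.high_entropy_ratio, ratios) > Z_THRESHOLD
        if not rate_anom and not entropy_anom:
            verdicts[s.day] = "normal"
        elif rate_anom and entropy_anom and not s.planned:
            # volume spike AND encryption-like content, with no business explanation
            verdicts[s.day] = "possible-ransomware"
        else:
            # archiving, cleanup, planned compliance encryption: anomalous but acceptable
            verdicts[s.day] = "business-anomaly"
        if verdicts[s.day] == "normal":           # only normal days extend the baseline
            rates.append(s.change_rate); ratios.append(s.high_entropy_ratio)
    return verdicts

def sample_timeline():
    """Constructed backup history: 14 quiet days, then the events the article lists."""
    quiet = [BackupSample(d, [0.02, 0.03, 0.025, 0.035][d % 4], [0.10, 0.12, 0.11][d % 3])
             for d in range(1, 15)]
    return quiet + [
        BackupSample(15, 0.30, 0.11),                 # data cleanup: big change, no encryption
        BackupSample(16, 0.25, 0.90, planned=True),   # regulatory encryption, announced ahead
        BackupSample(17, 0.20, 0.85),                 # same shape as 16, but unexplained
        BackupSample(18, 0.025, 0.11),                # back to routine activity
    ]

if __name__ == "__main__":
    for day, verdict in classify(sample_timeline()).items():
        print(day, verdict)
```

Day 16 and day 17 produce identical backup statistics; only the association with a known business event separates them, which is the point the article makes about learning periods and context.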
Jerome Wendt, an AWS Certified Solutions Architect, is the president and founder of DCIG, LLC, a technology analyst firm. DCIG, LLC focuses on providing competitive intelligence for the enterprise data protection, data storage, disaster recovery, and cloud technology markets.