Abstract

This whitepaper provides an overview of the LockEM LATO cyber recovery framework, detailing its core architecture and the major solution components for implementing a cyber resiliency strategy across an organisation.

Copyright

LATO Framework Architecture

The information in this publication is provided as is. LockEM makes no representations or warranties of any kind regarding the information in this publication and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. The use, copying, and distribution of any software described in this publication requires an applicable software licence.

Copyright © 2025 LockEM. All Rights Reserved.

LockEM, LATO, and other trademarks are trademarks of LockEM. Microsoft, Windows, Microsoft logo and the Microsoft 365 logo are trademarks of Microsoft Corporation. Other trademarks may be trademarks of their respective owners. 

Published in PT 03/25 | White Paper LCK003. 

LockEM believes the information in this document is accurate as of its publication date. However, the information is subject to change without notice.

Introduction

Executive Summary

LockEM LATO is a cyber-recovery framework designed to ensure business resiliency after a cyber-attack. LATO provides seamless deployment, integration and orchestration with major Linux and Windows filesystems, as well as SaaS protection for solutions such as Microsoft 365.

The main objective of LATO is to help organisations recover after a cyber-attack by maintaining logically isolated and fully auditable copies of the data. These copies are stored immutably, with full integrity, and clean from malware or ransomware.

Audience

The target audience for this white paper is cyber security analysts, domain experts, IT generalists and key technical decision-makers who deal with cybersecurity technologies.

Note: This document may contain language from third-party content that is not under LockEM’s control and may not align with LockEM’s current content guidelines. When such third-party content is updated by the relevant third parties, this document will be revised accordingly.

Business Challenges

With the rise of ransomware and malware attacks, organisations need to implement a robust cyber recovery strategy against these types of threats. As of 2023, 72% of cybersecurity attacks were motivated by ransomware[1]. As this trend has grown, businesses have suffered reputational damage and significant financial impacts.

[1] https://www.getastra.com/blog/security-audit/cyber-security-statistics/

Solution

LATO Overview

LATO is a best-of-breed cyber recovery framework that integrates a network abstraction layer to build an ecosystem of OnPrem, Hybrid and Cloud deployments connected to the LockEM Cloud XStream (CxS). LATO is deployed in the cloud or at the edge, connected to CxS, leveraging a unique communication protocol for enhanced security. 

The LockEM CxS is a high-throughput, low-latency cloud service with an orchestration layer designed to ensure that LATO operates over predefined states.

Figure n.º 1 – LockEM LATO high-level Architecture

Several components operate at each level shown in Figure n.º 1. They fall into 3 domains, each with different responsibilities and roles:

· Agent/Service – The domain where the organisation’s data resides and where the LockEM agent/service is deployed. Currently, there are 2 LATO solutions available: LATO for Filesystem and LATO for Microsoft 365.

· LATO – The edge-deployed solution composed of a Controller and a Repository. The Controller communicates with CxS and instructs the agents and the Repository during operation. The Repository is where data is stored immutably, clean and with integrity verification. This layer also analyses the files, runs compliance benchmarks and collects data such as metrics for further analytics to detect threats.

· Cloud XStream – LockEM’s cloud service with orchestration capabilities, delivering instructions to the LATO edge solutions. This layer also manages all solution operations and hosts major analytics processes, including our novel threat detection mechanism to identify ransomware activity.

All communication is handled through a communication protocol that ensures the protection of our cloud service, CxS. Rather than exposing APIs, this protection relies on a scalable and resilient communication protocol to safeguard operations and orchestration.

LATO Architecture

The LATO architecture is built on the zero-trust principle where there are two major planes of communication, each with different authentication mechanisms. 

The control plane instructs the operation of the solution, while the data plane manages the unique data chunk copies stored in the data repository, as shown in Figure n.º 2.


Figure n.º 2 – LockEM LATO control and data flows

The architecture consists of key components that ensure seamless solution operation throughout the data cycle. The controller acts as a node within the network and manages all operations. It does not handle organisational data; it only instructs agents to protect the data and ensures the repository is ready to receive agent communication.

On the data plane side, the agent uses a fingerprint to access the repository and write data. The agent's repository user can write snapshots and read snapshots (restore) but cannot delete data.

The repository server is a logical entity with embedded storage that acts as a repository for agents to send data. The repository receives but cannot execute data. It communicates with the agents through HTTPS with TLS and deduplicates and compresses data for space efficiency.

The repository implements indexing and leverages cryptography for integrity checks and data efficiency calculations, reducing overall storage requirements for data snapshots. The data is stored encrypted in the repository with 256-bit AES for enhanced data security and compliance.

Key Components

LATO has several key components that, when leveraged, deliver a robust solution for implementing cyber resilience strategies in organisations. Wherever and whenever you are in your journey, LATO can be deployed OnPrem, Hybrid or Cloud-based, aligned with the business strategy.

Orchestration and automation

The LockEM Cloud XStream (CxS) handles major operations and orchestration services, including initiating data snapshots, triggering analytics functions and handling management operations. The cloud service ensures data persistence, high performance and low latency, even during intermittent communications. All communication is protected with JWT and mutual TLS, providing enhanced security and logical isolation of the data streams. In the event of network issues, the solution buffers the data and synchronises with CxS once the network is restored.

Management

The LockEM Viewer layer allows organisations to configure systems with multi-tenant capabilities, meaning that a single organisation can manage multiple LATO systems within the same GUI. The GUI is also used for monitoring, generating reports, and checking daily metrics such as analytics and compliance. It provides detailed validation of operation cycles to ensure the solution behaves as expected.

Analytics

The analytics layer receives and stores data from the edge, learning data usage patterns by profiling it with machine learning capabilities. The LockEM Threat Detection algorithm leverages a time-series approach, analysing metric dispersion to report anomalies.

This layer learns and adapts to each organisation’s application profile. Every day, the data is tested out-of-band against the model to detect suspicious activity in the snapshots within the repository server. This layer is also responsible for receiving file signatures to detect malware and for reporting any match.

If a known signature is detected, the system will activate the clean copy for the next snapshot cycle, ensuring that the snapshot is free from malware.
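A minimal sketch of a dispersion-based time-series check of the kind this section describes. It is an added example, not LockEM's Threat Detection algorithm: the metric (percentage of chunks changed per daily snapshot), the window, the threshold and the choice of median absolute deviation (MAD) as the dispersion measure are all assumptions.

```python
from statistics import median

WINDOW = 7        # days of history used as the baseline (assumption)
THRESHOLD = 3.5   # robust z-score above which a day is reported (assumption)


def robust_z(history, value):
    """Score `value` against the median and MAD (dispersion) of `history`."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # Perfectly flat baseline: any deviation at all is unusual.
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def detect_anomalies(series):
    """Return indexes of days that deviate from the preceding WINDOW days."""
    flagged = []
    for day in range(WINDOW, len(series)):
        # Days already flagged are left out so one incident cannot
        # shift the baseline and hide the days that follow it.
        baseline = [series[i] for i in range(day - WINDOW, day)
                    if i not in flagged]
        if len(baseline) < 3:
            continue
        if abs(robust_z(baseline, series[day])) > THRESHOLD:
            flagged.append(day)
    return flagged


# Constructed sample: percentage of chunks changed in each daily snapshot.
CHANGE_RATE = [2.1, 1.8, 2.4, 2.0, 2.2, 1.9, 2.3, 2.0, 2.2, 61.5, 58.0, 2.1]
```

On the constructed series, `detect_anomalies(CHANGE_RATE)` reports days 9 and 10, the two snapshots in which most chunks changed at once, and not day 11, when the rate returns to normal.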

Controller Server

The controller server acts as a node at the edge, providing instructions to the agents and the repository. The controller does not access the organisation’s data; it issues orchestration instructions that allow snapshots to occur and statistics to be collected.

The controller has its own authentication mechanism and serves as the implementation of the control plane in the LATO solution.

Repository Server

The repository server is where the snapshots are stored and where data validations occur. Data is kept in immutable storage, with no file execution, and agents must authenticate to write data. No agent can delete data – only write and read operations are permitted.

Data integrity checks leverage cryptography to verify data snapshots and content authenticity. The repository also implements logical isolation to ensure that data is not exposed for extended periods, thereby reducing the attack surface. Additionally, it runs audit benchmarks to validate data, operations, and repository configuration.
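The repository behaviour described here and in the LATO Architecture section (deduplicated, compressed chunks; write and read but no delete; cryptographic integrity checks on restore) can be sketched as a content-addressed store. This is an added example, not LockEM code: the class and function names, the fixed chunk size and the use of SHA-256 and zlib are assumptions, and encryption at rest is left out.

```python
import hashlib
import zlib

CHUNK_SIZE = 4  # tiny fixed-size chunks so the constructed sample dedups visibly

class IntegrityError(Exception):
    """A stored chunk no longer matches the SHA-256 digest it is filed under."""

class AppendOnlyRepository:
    """Hypothetical chunk store: write and read only, deliberately no delete."""
    def __init__(self):
        self._chunks = {}     # sha256 hex digest -> zlib-compressed chunk
        self._snapshots = {}  # snapshot id -> ordered list of chunk digests

    def write_snapshot(self, snapshot_id, data):
        if snapshot_id in self._snapshots:
            raise PermissionError("snapshot exists; overwrite refused")
        digests, new_chunks = [], 0
        for i in range(0, len(data), CHUNK_SIZE):
            chunk = data[i:i + CHUNK_SIZE]
            digest = hashlib.sha256(chunk).hexdigest()
            if digest not in self._chunks:  # dedup: each unique chunk stored once
                self._chunks[digest] = zlib.compress(chunk)
                new_chunks += 1
            digests.append(digest)
        self._snapshots[snapshot_id] = digests
        return new_chunks  # number of chunks that actually had to be stored

    def read_snapshot(self, snapshot_id):
        out = bytearray()
        for digest in self._snapshots[snapshot_id]:
            chunk = zlib.decompress(self._chunks[digest])
            if hashlib.sha256(chunk).hexdigest() != digest:  # verify on restore
                raise IntegrityError(f"chunk {digest[:12]} failed verification")
            out += chunk
        return bytes(out)

def demo():
    repo = AppendOnlyRepository()
    first = repo.write_snapshot("day1", b"AAAABBBBCCCC")   # constructed data
    second = repo.write_snapshot("day2", b"AAAABBBBDDDD")  # one chunk changed
    restored = repo.read_snapshot("day2")
    # Corrupt one stored chunk to show that restore refuses modified data.
    repo._chunks[hashlib.sha256(b"DDDD").hexdigest()] = zlib.compress(b"XXXX")
    try:
        repo.read_snapshot("day2")
    except IntegrityError:
        return first, second, restored, True
    return first, second, restored, False
```

The second snapshot stores a single new chunk because the other two are already present, which is the same property that lets an agent upload only unique chunks during its timeslot.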

Agent

The agent runs where the organisation’s data is stored, and it communicates with the controller server through the control plane and with the repository server through the data plane.

The agent only communicates with the repository during its timeslot, sending the unique data chunks for faster upload. This ensures that the repository is only opened for the necessary amount of time.

The agent supports protection for On-Prem applications as well as SaaS applications.

Summary

LockEM LATO is a turnkey solution to enhance corporations’ cyber resilience strategy while aligning with key compliance initiatives. It is a modern cyber recovery framework with network abstraction, offering flexibility for deployment On-Prem, Cloud or hybrid.

Its capabilities to protect data, validate integrity and uncover threats make it a unique solution to complement any organisation’s cybersecurity roadmap.

We value your feedback

LockEM and the authors of this document welcome your feedback on the solution documentation. You can contact the LockEM team by email at: [email protected].

Author: Henrique Ferreira
