12 February 2020

Snapshots are a Feature not a Solution - Part 2

In my previous post I discussed how snapshots are a feature and not a solution, and how snapshots in conjunction with RestoreManager can enable NetApp users to turn snapshots into a valid data protection solution.
In this post I'm going to discuss how snapshots are an important feature for recovering data effectively and efficiently in the event of a ransomware attack.

Sadly we live in a day and age where ransomware is the "go-to method of attack" for cybercriminals. It's estimated that every 14 seconds a business falls victim to a ransomware attack. We see details of the impact of attacks in the news on an almost daily basis, and it is severely impacting the ability of businesses to generate revenue and of public services to function as expected. The damage from these attacks is costing billions globally, with the estimated cost predicted to reach over $20 Billion by 2021.



Due to this, a question we are frequently asked at Catalogic is: how can I ensure the content within my NetApp environment is fully protected from the threat of ransomware and, more importantly, how can I recover only the potentially infected files if ransomware hits?

Our simple one word answer is – CryptoSpike

CryptoSpike delivers real-time detection of ransomware on NetApp file systems. 

It enables protection against ransomware through three key elements of the product.
1 – The Blacklist – This stops ransomware at the front door. The blacklist contains over 2960 file types and ransomware signatures, meaning we prevent these from being stored on the filer.
This Blacklist is automatically updated by a global team that collects information on the latest known ransomware attack signatures and file types from multiple sources.
2 – The Whitelist – This blocks all file types except those on the allowed file type list. This is very good from a security perspective but limits the types of files users can store. It works very well when applied at a granular level, i.e. an accounting folder that allows only Excel files in a specific share.
3 – The AI Learner Module – The most intelligent part of the product. Because we are monitoring SMB transactions on the filer, we can detect unusual behavior, i.e. too many files read or altered in a period of time compared with that user's typical behavior, and cut off user access. This means that if an unknown or cutting-edge attack starts, or even if a malicious user wants to start wreaking havoc, CryptoSpike prevents this from happening by blocking the user.

All SMB transactions can be monitored for clusters, SVMs, volumes and shares. We can also set up granularity to monitor only specific clusters, SVMs, volumes and shares.
The impact of making the monitoring active is very minimal. Generally you can expect up to a 0.3ms increase in latency, due to the TCP packets being sent between ONTAP and our F-Policy servers.

All this sounds great, but what about the ability to recover data in the event of a ransomware attack?
One of the key differentiators of CryptoSpike is that we provide the ability to quickly restore individual files from snapshots, meaning that in the event of a ransomware attack or data breach you recover only the impacted data.
This enables NetApp users to use snapshots as part of a valid ransomware protection solution.

Data needing to be recovered can be quickly and easily identified via CryptoSpike's file activity reporting. This is because CryptoSpike monitors and logs all user file access (reads, writes, opens, etc.).
This means you can identify who was infected, who accessed which files, who made changes to files and who deleted files, and quickly make business-oriented decisions on the back of this so that the business's data is recovered and available again and business operations can continue as normal.

The next good news story is that CryptoSpike is incredibly simple to deploy, with minimal resources required for 1 x CryptoSpike Server and 2 x F-Policy Servers.
The requirements for these are as follows:

All can be deployed via OVA files into VMware vSphere environments.
An example of the architecture of a typical CryptoSpike setup is shown below.

We understand that companies may be hesitant to deploy CryptoSpike because of its potential to block user access to critical file data.

Therefore, at the start of a proof of concept, to ensure no actions are taken by CryptoSpike, we recommend you put CryptoSpike into asynchronous mode.
In asynchronous mode CryptoSpike will not block anything. The user will appear in "Blocked Users" and the email notification will also be sent, but the user is not really blocked.
After a period of 7+ days you can then switch from asynchronous mode to synchronous mode, making CryptoSpike live and your environment protected.
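To make the behaviour described above concrete, here is an added example (not CryptoSpike's code, and not from Catalogic) of the kind of per-user rate check the AI Learner Module passage describes, run over a constructed SMB file-activity log, with the asynchronous/synchronous mode switch deciding whether a flagged user is merely reported or actually blocked. The events, the learned baseline and the threshold factor are all assumptions made up for the illustration; the impacted-file list it returns is the set you would restore from a snapshot.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of SMB file-activity events in the shape a monitor logs
# them: (timestamp, user, operation, path). Not real data.
EVENTS = [
    ("2020-02-12T09:00:00", "alice", "read",  "/finance/q1.xlsx"),
    ("2020-02-12T09:00:05", "alice", "write", "/finance/q1.xlsx"),
    ("2020-02-12T09:02:00", "bob",   "read",  "/hr/policy.docx"),
    # bob's session suddenly rewrites many files within a few seconds
    ("2020-02-12T09:02:01", "bob",   "write", "/hr/policy.docx"),
    ("2020-02-12T09:02:01", "bob",   "write", "/hr/policy.docx.locked"),
    ("2020-02-12T09:02:02", "bob",   "write", "/hr/payroll.xlsx"),
    ("2020-02-12T09:02:02", "bob",   "write", "/hr/payroll.xlsx.locked"),
    ("2020-02-12T09:02:03", "bob",   "write", "/hr/contracts.pdf"),
    ("2020-02-12T09:02:03", "bob",   "write", "/hr/contracts.pdf.locked"),
    ("2020-02-12T09:02:04", "bob",   "write", "/hr/handbook.docx"),
    ("2020-02-12T09:02:04", "bob",   "write", "/hr/handbook.docx.locked"),
    ("2020-02-12T09:02:05", "bob",   "write", "/hr/roster.csv"),
    ("2020-02-12T09:02:06", "bob",   "write", "/hr/roster.csv.locked"),
]

# Assumed learned baseline: typical file modifications per user per minute.
BASELINE_PER_MINUTE = {"alice": 2, "bob": 2}
ALTERING_OPS = {"write", "delete", "rename"}

def evaluate(events, baseline, mode="asynchronous",
             window=timedelta(minutes=1), factor=4):
    """Slide a per-user window over altering operations. A user whose count in
    the window exceeds factor x baseline is flagged. In asynchronous mode the
    user is only reported; in synchronous mode the user is also blocked and
    their later operations are dropped. Returns (flagged, blocked, impacted),
    where impacted maps each flagged user to the files altered in the burst."""
    recent = defaultdict(deque)          # user -> (timestamp, path) in window
    flagged, blocked = set(), set()
    impacted = defaultdict(set)
    for ts_str, user, op, path in events:
        if user in blocked or op not in ALTERING_OPS:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) > factor * baseline.get(user, 1):
            flagged.add(user)
            impacted[user].update(p for _, p in q)  # candidates for snapshot restore
            if mode == "synchronous":
                blocked.add(user)
    return flagged, blocked, {u: sorted(f) for u, f in impacted.items()}
```

In asynchronous mode bob keeps writing after the threshold is crossed, so one more file lands in the impacted set than in synchronous mode, where the block stops the burst at the point of detection.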

If you want to learn more, get a no-obligation quote or run a proof of concept, feel free to get in contact with us and we can quickly provide you with what you are looking for.
