Ransomware attacks have increased in the last decade and are among the favourite attack vectors for cybercriminals. There are two types of ransomware attacks: data exfiltration ransom and denial of service ransom. The most common version of ransomware today is a denial of service (DoS) attack. This attack infects computers, servers, NFS and CIFS shares by encrypting files throughout the network. It’s crucial to detect such an attack as soon as possible.
A multi-layered approach to security: NetApp’s Ransomware solution
NetApp, a global leader in data storage, has added ransomware protection as a standard part of its security features. This shouldn’t come as a surprise, since NetApp is present in data centres and hyper-scale clouds like Amazon Web Services, Microsoft Azure, Google Cloud and other private cloud providers. Therefore, safeguarding data on the storage system is a must for NetApp solutions.
At the heart of NetApp’s approach to ransomware protection is a multi-layered solution. Many of these layers are already built into systems, monitoring suspicious activity. One of them is NetApp Active IQ, a well-known digital advisor that simplifies the proactive care and optimization of NetApp Storage. It provides an overview of storage activities and is one of the first layers to advance your cybersecurity posture. Within NetApp Active IQ, we can track abnormal volume growth rates, snapshot copies and storage efficiency loss, which can indicate unusual activity, such as ransomware attacks on the storage systems. Such alerts should not be overlooked. However, the IT department should also implement additional layers within the system to reduce false positives.
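The following Python sketch is an added example, not NetApp or Active IQ code. It shows how the three indicators named above (volume growth, snapshot copy size and storage efficiency loss) can be scored against a per-volume baseline and combined so that a single noisy indicator does not raise an alert. The metric layout, thresholds and sample values are constructed assumptions.

```python
from statistics import median

# Constructed daily samples per volume: (used_GiB, snapshot_GiB, efficiency_ratio).
# Encrypted data neither deduplicates nor compresses, so the ratio falls.
SAMPLES = {
    "vol_home": [(500, 20, 2.4), (503, 21, 2.4), (505, 20, 2.5),
                 (508, 22, 2.4), (510, 21, 2.4), (590, 95, 1.6)],
    # Legitimate bulk upload of already-compressed media: growth only.
    "vol_media": [(800, 10, 1.1), (805, 10, 1.1), (811, 11, 1.1),
                  (815, 10, 1.1), (820, 11, 1.1), (900, 11, 1.1)],
}


def robust_score(history, latest):
    """Deviation of `latest` from `history` in robust (median/MAD) units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the scale so a perfectly flat baseline does not turn
    # measurement noise into an enormous score.
    scale = max(1.4826 * mad, 0.05 * abs(med), 1e-9)
    return (latest - med) / scale


def evaluate(samples, threshold=3.5, min_signals=2):
    """Score the newest sample against the earlier ones, per indicator."""
    used, snap, eff = zip(*samples)
    deltas = [b - a for a, b in zip(used, used[1:])]  # daily growth
    signals = []
    if robust_score(deltas[:-1], deltas[-1]) > threshold:
        signals.append("volume_growth")
    if robust_score(snap[:-1], snap[-1]) > threshold:
        signals.append("snapshot_growth")
    if robust_score(eff[:-1], eff[-1]) < -threshold:
        signals.append("efficiency_loss")
    # Requiring agreement between indicators is what cuts false positives.
    return {"signals": signals, "alert": len(signals) >= min_signals}


if __name__ == "__main__":
    for name, samples in SAMPLES.items():
        print(name, evaluate(samples))
```
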
The second layer of protection is NetApp FPolicy, which has been present in NetApp’s systems for over a decade, and NetApp Cloud Insights. NetApp FPolicy is a file-notification framework that is used to monitor and manage file access for NFS or SMB/CIFS protocols. FPolicy was initially used to block unwanted file types like .mov and .mp3 files. Nowadays, it can be used to block known ransomware file extensions.
FPolicy with NetApp Cloud Insights leverages user behavioural analytics (UBA) to detect anomalies, screening for potential attacks on the basis of an individual user’s behaviour. FPolicy’s external mode in the storage operating system, called ONTAP, uses UBA as a key weapon to stop zero-day ransomware attacks. It learns the normal user behaviour and creates a pattern of how files are stored, accessed, and modified at the storage level. By comparing patterns, the system is able to uncover abnormal activity on the storage system and detect a potential ransomware attack. To enable this type of detection, we first need to connect the system to an external FPolicy server. A possible solution is Cloud Insights.
Cloud Insights is a SaaS infrastructure and service monitoring solution which can monitor on-premise and cloud environments. One of its key features, Cloud Secure, analyses data access patterns and identifies potential ransomware attacks.

NetApp has also added more comprehensive ransomware protection in the new release of its storage operating system, ONTAP 9.10.1.
ONTAP runs on NetApp FAS and AFF physical systems and in all major hyper-scale clouds, where it is called Cloud Volumes ONTAP. Its ransomware protection feature, added to the storage OS, leverages machine learning (ML) so ONTAP can understand how data is written and quickly detect anomalies.
NetApp’s ML software examines how data is saved and used on a storage system. If the algorithm detects an anomaly in the write patterns, an automatic snapshot is taken of the data and replicated with SnapLock, NetApp’s feature which enables WORM (write once, read many) storage. With the use of SnapLock, data can be read but not changed or deleted.
The goal of this automated action is to increase the speed of recovery, giving IT personnel the ability to react as soon as an attack is detected. This concept includes sending automated alerts to IT so they can isolate the systems quickly.
Data backup is important
No protection is 100 percent successful, and therefore a good backup is essential. NetApp’s enterprise-grade data protection software can be used to back up all types of data wherever it resides. Restoration takes just a few minutes and can help you achieve business continuity.