Everyone knows that a ransomware attack is one of the top cybersecurity threats an organization can face. The potential damage is not just the direct associated recovery costs—which increased 241% between 2019 and 2020—it’s also the impact on the company’s reputation and brand.
As a small and completely virtual business ourselves, i-Virtualize understands the challenges so many businesses are facing when it comes to ransomware. Ransomware protection requires more than just detection.
The more defenses the better
It’s important for ransomware detection to occur as early as possible so that you can prevent its spread and avoid costly downtime. However, an effective ransomware detection strategy should include more than a single layer of protection. You wouldn’t want to rely on just your seatbelt to protect you in an accident. Your vehicle probably has air bags, antilock brakes, and even forward-collision warning as standard features, all to help prevent you from getting into an accident in the first place and, if you do, to ensure that you and your loved ones can walk away.
Ransomware protection should be viewed in the same way.
For example, hijacking a single user account is just one avenue a hacker might take when launching a ransomware attack; malicious actors are constantly evolving their attack techniques. That’s why NetApp FPolicy, in combination with NetApp Cloud Insights or similar capabilities, does an excellent job of detecting ransomware via user behavioral analytics (UBA). Together, they look for potential ransomware attacks from the perspective of an individual user’s behavior.
NetApp Active IQ® and Active IQ Unified Manager also provide additional layers of detection for ransomware. Active IQ checks ONTAP systems for adherence to NetApp configuration best practices like enabling FPolicy. Active IQ Unified Manager generates alerts for abnormal growth of NetApp Snapshot copies or storage efficiency loss, which can indicate potential ransomware attacks.
This is where ONTAP’s anti-ransomware feature comes into play. It leverages built-in on-box machine learning (ML) that looks at volume workload activity plus data entropy to automatically detect ransomware. It watches for different signals than UBA does, so it may detect attacks that UBA does not.
On-box machine learning and automatic detection
ONTAP anti-ransomware protection is provided as part of the NetApp Security and Compliance software bundle. Customers who already have the bundle only need to upgrade to the latest ONTAP version (9.10.1) to take advantage of the feature. It’s configurable via the ONTAP built-in management interface, System Manager, and is enabled on a per-volume basis.
The anti-ransomware feature starts off in learning mode. NetApp recommends a period of at least 30 days, so that the ML gets a chance to understand the typical workloads on the NAS volumes. Once anti-ransomware is put into active mode, it starts looking for abnormal volume activity that might be ransomware.
If abnormal activity is detected, an automatic Snapshot copy is immediately taken, which provides a restoration point as close as possible to the file infection. Simultaneously, an automatic alert is generated that allows administrators to see the abnormal file activity so that they can determine whether the activity is indeed malicious and take appropriate action. Or, if the activity was an expected workload, they can easily mark it as a false positive; the anti-ransomware ML notes the change in workload and no longer flags it as a potential attack. In addition, the feature does not disrupt I/O in any way. Instead, it provides administrators with native analytics, insights, and data recovery capabilities for unprecedented on-box ransomware detection. The anti-ransomware feature makes it easier than ever to enable automatic ransomware detection for your NAS workloads in ONTAP.
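To make the learning-mode and active-mode idea concrete, here is an added illustration that is not NetApp's code or algorithm: it swaps the on-box ML for a simple z-score over the byte entropy of writes. The class, function names, thresholds and sample data are all hypothetical and constructed for this example.

```python
import hashlib
import math
import statistics
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class VolumeEntropyMonitor:
    """Hypothetical detector: learn typical write entropy, then flag outliers."""

    def __init__(self, z_threshold=4.0, min_stdev=0.05):
        self.baseline = []          # one mean-entropy score per learning interval
        self.active = False
        self.z_threshold = z_threshold
        self.min_stdev = min_stdev  # floor so a very uniform baseline cannot divide by ~0

    def observe(self, writes):
        """Score one interval of writes; returns True only for an active-mode anomaly."""
        score = statistics.fmean(shannon_entropy(w) for w in writes)
        if not self.active:
            self.baseline.append(score)   # learning mode: record, never alert
            return False
        mean = statistics.fmean(self.baseline)
        stdev = max(statistics.pstdev(self.baseline), self.min_stdev)
        return (score - mean) / stdev > self.z_threshold

def office_writes(day):
    """Constructed sample: text-like records, as an ordinary NAS workload might write."""
    return [(f"invoice {day} line {i}: quantity {i * day} shipped to warehouse\n" * 20).encode()
            for i in range(5)]

def encrypted_writes():
    """Constructed sample: SHA-256 output stands in for ciphertext written by ransomware."""
    return [b"".join(hashlib.sha256(f"{f}:{n}".encode()).digest() for n in range(128))
            for f in range(5)]

def demo():
    monitor = VolumeEntropyMonitor()
    for day in range(30):                 # learning period of 30 intervals
        monitor.observe(office_writes(day))
    monitor.active = True                 # switch to active mode
    return monitor.observe(office_writes(15)), monitor.observe(encrypted_writes())

if __name__ == "__main__":
    print(demo())  # (normal interval flagged?, encrypted interval flagged?)
```

Entropy alone also rises for legitimately compressed or encrypted files, which is why the feature described above combines it with volume workload activity and lets administrators mark false positives.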
Ransomware has evolved, and detection has too
Two things are clear: Ransomware is a continuous threat that shows no signs of slowing down, and it must be dealt with in a holistic way. The methods that hackers use are only going to evolve in the future.
That’s why i-Virtualize is always looking for new solutions to help you get ahead of attacks before they get you. Find out more about the capabilities of NetApp storage solutions, take our 6-question assessment, or contact us to learn what i-Virtualize can do for your business.