With the R5 release of the code for the HPE Alletra MP B10000, among many other nice improvements (for example NAS and a nice new CSI driver), everyone now gets heavy-duty ransomware detection.
We have invented some new and unique ways for detecting modern ransomware that encrypts data in advanced ways (for example intermittent encryption), but most importantly, ways to detect encryption that doesn’t even look like encryption (which defeats other detection methods that rely on fixed entropy detection thresholds). See explainer here for more details on why this is crucial.
The whole point of doing this is early detection.
Why Early Detection is Important
Imagine you have not detected something slowly corrupting your data for months, and THEN the hackers lock your systems down and demand ransom (they never want to ask immediately; they need to ensure it would be completely unfeasible for you to recover).
Recovering from backups would be impossible – you wouldn’t even know when the problem started (and the hackers won’t tell you when they started encrypting your data).
All you would know is that you tried recovering yesterday’s backup and that didn’t work, then the backup from the day before, and the day before that…
At what point would you give up and just pay them?
How much time would you be willing to waste?
And even if you knew when they started encrypting your data, if that date is 3 months in the past, would you be willing to lose 3 months’ worth of data?
This means that quick ransomware detection is crucial to avoid prolonged data loss (you will always lose some data in these cases; the goal is to make that impact as small as possible).
How is This Done?
For more detail on the how, refer to the other article.
But among many cool things (and I can’t share too much information since competitors and hackers also read this), we don’t use a fixed encryption detection threshold.
That fancy detection mechanism was initially for Zerto – which made sense since it’s also the solution that allows super-granular recovery (down to the second), useful for ensuring as little business disruption as possible.
Now we’ve adapted and enhanced the algorithms for use in the B10000 system. You don’t need Zerto for the detection if you have a B10000. Of course, having Zerto provides all sorts of extra functionality and ultra-granular recovery for virtualized environments and can all work together in a unified way.
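To make the "no fixed threshold" point concrete, here is a small illustration I am adding to the post; it is not the B10000 or Zerto algorithm and discloses nothing about it. It builds a per-volume profile from constructed "normal" write data (a repetitive invoice-like text pattern, chosen so the example runs offline), then compares two detectors on four constructed write patterns: a normal write, bulk encryption, intermittent encryption (one block in four replaced by random bytes, standing in for ciphertext) and ciphertext re-encoded as hex so that it does not look like encryption. The fixed detector uses a classic whole-write entropy cutoff of 7.0 bits per byte; the adaptive detector flags blocks that deviate from the learned profile in entropy or in byte distribution. All thresholds, block sizes and the sample data are assumptions for the illustration.

```python
"""Added illustration: why a fixed entropy cutoff misses intermittent and
disguised encryption, and how a per-volume, data-adaptive profile catches
them. Sample data and thresholds are constructed; this is NOT HPE's algorithm."""
import math
import random
from collections import Counter

BLOCK = 4096
FIXED_ENTROPY_THRESHOLD = 7.0   # bits/byte: classic "looks encrypted" cutoff (assumed)
ADAPTIVE_Z = 4.0                # std-devs from the learned profile that count as anomalous
ADAPTIVE_FRACTION = 0.05        # flag a write if more than 5% of its blocks are anomalous


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def byte_histogram(data: bytes) -> list:
    """Relative frequency of each of the 256 byte values."""
    n = len(data)
    counts = Counter(data)
    return [counts.get(v, 0) / n for v in range(256)]


def tv_distance(p: list, q: list) -> float:
    """Total variation distance between two byte distributions (0..1)."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# ---- constructed workload data (stand-in for what a volume normally stores)
def normal_blocks(n: int, rng: random.Random) -> list:
    words = [b"invoice", b"total", b"customer", b"2024-05-01", b"EUR", b"qty", b";", b"\n"]
    out = bytearray()
    while len(out) < n * BLOCK:
        out += rng.choice(words) + b" "
    return split_blocks(bytes(out[:n * BLOCK]))


def random_block(rng: random.Random) -> bytes:
    """Uniformly random bytes: a stand-in for a block of ciphertext."""
    return bytes(rng.getrandbits(8) for _ in range(BLOCK))


def hex_block(rng: random.Random) -> bytes:
    """Ciphertext re-encoded as hex text: only 16 symbols, ~4 bits/byte,
    so a fixed entropy cutoff never sees it as 'encrypted'."""
    return bytes(rng.getrandbits(8) for _ in range(BLOCK // 2)).hex().encode()


class Baseline:
    """Per-volume profile learned from historical writes (the data-adaptive part)."""

    def __init__(self, blocks: list):
        ents = [shannon_entropy(b) for b in blocks]
        self.ent_mean = sum(ents) / len(ents)
        ent_var = sum((e - self.ent_mean) ** 2 for e in ents) / len(ents)
        self.ent_std = max(math.sqrt(ent_var), 0.05)   # floor so a very uniform history still tolerates noise
        self.hist = byte_histogram(b"".join(blocks))
        dists = [tv_distance(byte_histogram(b), self.hist) for b in blocks]
        d_mean = sum(dists) / len(dists)
        d_std = math.sqrt(sum((d - d_mean) ** 2 for d in dists) / len(dists))
        self.dist_limit = d_mean + ADAPTIVE_Z * max(d_std, 0.01)


def fixed_threshold_detector(write: bytes) -> bool:
    """Classic approach: entropy of the whole write above a fixed cutoff."""
    return shannon_entropy(write) >= FIXED_ENTROPY_THRESHOLD


def adaptive_detector(write: bytes, base: Baseline) -> bool:
    """Flag a write whose blocks deviate from THIS volume's learned profile,
    either in entropy (z-score) or in byte distribution (histogram distance)."""
    blks = split_blocks(write)
    anomalous = 0
    for b in blks:
        z = (shannon_entropy(b) - base.ent_mean) / base.ent_std
        dist = tv_distance(byte_histogram(b), base.hist)
        if z > ADAPTIVE_Z or dist > base.dist_limit:
            anomalous += 1
    return anomalous / len(blks) > ADAPTIVE_FRACTION


def run_scenarios(seed: int = 1234) -> dict:
    """Return {scenario: (fixed_detector_fired, adaptive_detector_fired)}."""
    rng = random.Random(seed)
    base = Baseline(normal_blocks(256, rng))          # history the volume "learned"
    n = 64
    normal = b"".join(normal_blocks(n, rng))
    bulk = b"".join(random_block(rng) for _ in range(n))
    intermittent = b"".join(random_block(rng) if i % 4 == 0 else blk
                            for i, blk in enumerate(normal_blocks(n, rng)))
    disguised = b"".join(hex_block(rng) for _ in range(n))
    writes = {"normal write": normal, "bulk encryption": bulk,
              "intermittent (1 in 4 blocks)": intermittent,
              "ciphertext re-encoded as hex": disguised}
    return {name: (fixed_threshold_detector(w), adaptive_detector(w, base))
            for name, w in writes.items()}


if __name__ == "__main__":
    for name, (fixed, adaptive) in run_scenarios().items():
        print(f"{name:32s} fixed-threshold={fixed!s:5s} data-adaptive={adaptive}")
```

The fixed cutoff fires only on bulk encryption: mixing one random block into three text blocks keeps the whole-write entropy well under 7 bits, and hex-encoded ciphertext sits at about 4 bits, right where ordinary text lives. The adaptive profile catches both because it asks a different question: not "is this entropy high?" but "does this block look like what this volume normally writes?", which is the principle the post is describing. Real products need more signals than two statistics (write rate, file-header changes, rename patterns and so on), so treat this as a sketch of the idea rather than a detector.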
What Do You Get? How Is It Different?
You get a built-in detection engine in the array that goes beyond marketing and actually works against modern, sneaky ransomware that specializes in detection avoidance.
We’ve also built a dedicated lab just for this purpose, and test by truly infecting systems with modern ransomware – all the unique and interesting variants we can find. Otherwise, it would all just be theory. Suggestions and ransomware samples welcome, if you can send them in a secure way 🙂
What makes this differentiated:
- The detection doesn’t rely on signatures that need to be updated
- Negligible performance impact (it didn’t even merit a toggle in our performance sizer)
- Totally dynamic and adapts to your data (which is why we call it Data-Adaptive Detection – my little contribution to product naming. Catchy and descriptive :))
- Detects intermittent encryption
- Detects encryption that doesn’t look like encryption! That’s a special one.
How Do You Put It All Together?
You can watch the linked videos, but in general you have to flip a switch to enable the detection feature on the array and send log data to a syslog server/SIEM. Using Virtual Lock snaps is also a very good idea (nobody can delete those until they expire – no exceptions, otherwise what would be the point of the feature). Lots of ransomware will try to delete your snaps and backups before the hackers ask for money.
The system then will alert you in multiple ways through all management interfaces and logging systems, and will even automatically take a locked snapshot for forensics purposes.

Once your SecOps team has deemed the network clear of hackers, you’d then need to mount a snapshot from before the detection event (if you have Zerto then that can be ultra-granular, otherwise you’d be going to your normal snapshot granularity).

A Dose of Reality
Doing a recovery properly will take a long time. Don’t let anyone tell you otherwise. This is serious stuff. Every recovery has to be verified, systems to be recovered have to be prioritized…
Some try and trivialize all this by saying “just restore to the last snap” but that’s not the hard part.
And Never Forget:
If your data has been encrypted, this means the hackers managed to evade all your other detection methods, starting at your perimeter and working inwards.

Prevention is the name of the game here. You shouldn’t rely on your storage system only. In fact, it’s just the absolute last resort. Yes, we built it to be as elegant and strong as possible but avoiding the hassle of infection in the first place is always best 🙂
Summary and Other Resources
First, here’s a document outlining the entire protection framework: HPE Alletra Storage MP B10000 ransomware protection framework
Then we have a couple of videos showing this in action.
First, here’s one that shows how to set up the system for sending log data.
HPE Alletra Storage MP B10000 Configuring log events to identify realtime security threats
Second, here’s the one that shows how the detection looks and feels.
HPE Alletra Storage MP B10000 Data-adaptive ransomware detection
It’s worth mentioning that HPE can provide various levels of solution here:
- Just the array
- Just Zerto
- Array + Zerto
- Array + Zerto + SIEM
- Array + Zerto + Air-Gapped Vault + SIEM – we can do a fully managed solution if you like
Plus integrations with solutions like CrowdStrike, backup systems, network-level security…
The possibilities are up to you and what level of resiliency you’re after.
We take it a bit beyond “the array does ransomware detection” 🙂
D