Securing Netapp

Ransomware and malicious activity, prevention and recovery for NetApp storage users.

NetApp customers already have a lot of tools to cope with malicious activity built into their systems as standard. Ultra efficient snapshotting and replication allows for the creation of immutable and ‘air gapped’ protection points without impact to system capacity or performance.
But even with these powerful tools, it is still advisable to add further levels of protection and recovery to combat the ever resourceful and evolving cyber criminals.

Many cyber attacks fall into 2 camps

• Ransomware attack which tries to corrupt and lock as many files as it can in as short a space of time as possible.

• Stealth mode attack, (which may last weeks or months) and may also include ex-filtration or ‘stealing of data’.

NetApp users can add some very powerful tools which help in both these cases.

These tools utilise NetApp’s built in F Policy engine to monitor and control all file activity. It is possible to monitor all file modifications and check against a huge known list of ransomware signatures before the changes are saved to disk.

SnapGuard can also alert if a user opens, modifies or deletes more than a predetermined number of files. So the high speed frontal attack type can be spotted and blocked very quickly. Conversely, with slow-infector stealth attacks, SnapGuard can check the main file types and alert if data corruptions are spotted. And deploy ‘Honey Trap’ files. This is where files that should not be accessed by normal users are monitored, and any attempt to open them triggers alerts and blocking of further user activity. This is powerful method to provide high conviction success and eliminate false positives.

Prevention Features

• Prevent ransomware attacks before they happen. With features like FPolicy firewall and Live View, you can nip malicious behavior in the bud.

• But what happens when an attack slips through the cracks? That's where SnapGuard's detection capabilities come in. With the ability to detect abnormal behavior and automatically disable accounts, you can catch potential threats before they become disasters.

• And if the worst does happen, SnapGuard offers features like volume read-only mode and emergency snapshots for damage control.

• Real-time agentless employee behavior monitoring (FPolicy): SnapGuard monitors employee behavior in real-time without installing agents on endpoints, enabling it to identify potential insider threats and block known ransomware and malicious file types.

• FPolicy-based firewall: FPolicy-based firewall operates in-band, meaning it can stop malicious behavior instantly and scales up to millions of requests per second.
• Live View: The Live View feature allows real-time observation of client activity and provides fine-grained permissions to view ongoing operations. It operates completely agentless and can be attached to any ONTAP volume in real-time.

• Block suspicious clients: The ability to block suspicious clients with a single click adds an additional layer of protection to SnapGuard's ransomware prevention capabilities.

• Scalability with DMT: offload firewall functions to computers in different security zones, making it ideal for service providers and large organizations.

 

Recovery & Response Features

But what about the data that gets corrupted? SnapGuard can repair it with features like automated differential recovery.

Integrates seamlessly with other systems like security information and event management (SIEM) platforms. And with data management features like encrypted and off-site logs, as well as the event viewer and analyzer, you can manage your data more effectively.

In addition, SnapGuard's improves auditing, features such as CVTX Blockchain and FPolicy integration, create tamper-proof logs of file access and changes, so you don't have to worry about event integrity. And with compatibility with systems like NetApp ONTAP and Amazon FSx, SnapGuard is the perfect solution for any organization.

SnapGuard provides the ultimate protection option against ransomware attacks. Here's a brief overview of our powerful features that ensure optimal protection.

• Differential Recovery: The Differential Recovery feature enables the repair of corrupted data, leaving uncompromised data intact.

• Volume Analyzer: The Volume Analyzer can efficiently generate a breakdown of metadata, and an overview of all file extensions used and their location/distribution, making it easier to identify changes or anomalies in file behavior.

• Next-Gen Ransomware Protection: Based on recognized best practices, SnapGuard's Next-Gen Ransomware Protection is designed to prevent ransomware attacks from happening in the first place.

• Traceability of all file manipulations: Audit logs via the FPolicy mechanism provide traceability of all file manipulations, allowing organizations to quickly identify suspicious behavior and prevent potential attacks.

• Encrypted and externally stored audit logs: In the near future (in our roadmap), audit logs can be encrypted and stored externally, protecting them from tampering and data loss. The S3 lifecycle policy makes it impossible to modify the log files and ensures the integrity of the data.

• Blockchain-format audit logs: Blockchain-format audit logs ensure tamper protection and audit compliance, making it easy for organizations to meet the most demanding compliance requirements for logging file access on NetApp ONTAP systems.

• EVTX Viewer: SnapGuard has a built-in viewer with search capabilities for native NetApp audit log files, enabling users to identify and analyze potential threats quickly.

• SIEM Support: SnapGuard can forward a subset or all events to an external SIEM system to improve threat analysis and incident response.