Protect Your File Data Storage from Ransomware with Holistic Security
by Stefan Radtke, Field CTO EMEA, Qumulo
A holistic approach to security is needed to protect your data from ransomware
When it comes to ransomware, an ounce of prevention is worth 3x the cure
Your business continuity plan may look much the same when it comes to recovering your data – whether the data loss is caused by a natural disaster or a ransomware attack. Earlier this year, I covered Qumulo“s built-in security controls to help you protect your data from malware as part of a holistic security posture. In this series we are going to focus on ransomware in the context of disaster recovery and business continuity because, with the advent of ransomware as-a-service (RaaS) and the huge ransoms being paid, attacks are on the rise. For instance, the FBI has investigations into more than 100 variants of RaaS, many of which have been used in multiple ransomware campaigns. While recent ransomware incidents have been highly publicized, many more have been kept private to protect the victim“s reputations.
Business-critical data is being encrypted for ransom and cyber criminals are getting paid for the sake of business continuity
According to Sophos“ 2021 State of Ransomware, a report based on data from 5,400 decision makers representing over 30 countries – organizations on average, got only 65% of their data back after paying the ransom. But the cost to business continuity, the downtime, is what hurts organizations the most. The report states the average ransom paid by mid-sized organizations was US $170,404. However, the average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc. was US$1.85 million.
How does ransomware get in? Let me count the ways…
Cyber criminals use clever tactics to infiltrate a company“s environment at multiple layers and deploy ransomware. One of the most common is social engineering-a phishing email where a company insider is tricked into sharing credentials or downloading malware and letting the threat in.
USB drives, partner networks, unpatched vulnerabilities, and easy-to-obtain passwords-all are potential threat vectors for malware to gain entry. New hybrid work models may create more. This is why it“s important to take a holistic approach to security to prevent entry, detect it when it happens and stop it from spreading to other parts of the network. Last but not least, a holistic approach includes having a business continuity plan in place that includes data backup and disaster recovery from ransomware.
Ransomware: The Anatomy of an Attack
Ransomware can infect just about any device with an operating system or digital connection including network devices, IoT devices, desktop computers, servers, digital cameras, printers, and zip drives. The goal of most ransomware attacks is to exfiltrate data and/or encrypt data to force organizations to pay for keys to decrypt their data. Attacks typically happen in phases:
Gain access to the network and at least one initial device
Infect as many additional devices as possible to gather information
Deploy additional modules that; for example, encrypt data
Encrypt data for extortion
In the first phase, the intruders continue to gather more information about the infrastructure (users, data flows, network topologies, devices). Then, at a later stage, they start to exfiltrate data and/or load additional malware to start other threads that can access data and encrypt files.
This is why an efficient risk management strategy is needed that focuses on attack vectors to prevent infection or detect early phases at the point on the network and compute devices where the infection occurred. Data storage is at the end of the infection cycle. The longer the malware runs, the further the infection spreads, complicating disaster recovery and resumption of operations.
An Overview: Qumulo“s Holistic Security Architecture
A holistic security approach to malware detection captures data from as many devices as possible to identify suspicious events at the entry point(s) for analysis and correlation. Upon detection, action is taken to stop the ransomware from gaining access to subsequent layers including your file storage.
Implementing a holistic security approach that includes network, compute, device and event-monitoring techniques, together with data correlation and analysis, is preferable over siloed security solutions that are embedded in the storage system. The goal is to keep the ransomware from getting anywhere near your file data.
The Qumulo File Data Platform is built with security at its core and includes a broad spectrum of modern technologies and data services designed to keep data safe. Qumulo“s software architecture is a purpose-built file system with a natively developed protocol stack. It uses no third-party code for file data access protocols. Bi-weekly software updates include Qumulo image and operating system and updates and fixes are built in by Qumulo including any common vulnerability and exposure (CVE) issues.
HOLISTIC DOMAIN: PREVENTION
The most common malware attack exploits happen outside your storage system and you want to prevent them from getting there. The first objective of ransomware is to get behind your firewall and into your network-where the bad actor can watch, move around, and plan the attack. Here are many of the easy-to-use security features that are built into the Qumulo file system software to reduce the threat surface available to ransomware and other exploits.
Locked-down Linux OS-a minimal Ubuntu image to reduce risk surface
Bi-weekly product updates – with built-in security features and patches
The file system runs completely in user space (LD/LDAP)
Role based access control (RBAC)-specifies what each user group can do with predefined roles and delegates least privileges
Restrictions to SMB and NFS file access to hosts on network
Access-based enumeration (ABE)-privileges required
The ability to hide SMB shares (the exact path is needed to mount the share)
Data encryption (data at rest is encrypted by default))
Data on the wire can be encrypted and set per share
Ransomware prevention — Limit accessibility to shares and exports
HOLISTIC DOMAIN: DETECTION
Integration with modern security information and event management (SIEM) solutions capture data from devices and offer holistic approaches to detect and stop malware infections. One important aspect for detective controls is central event capturing and correlation. The advantage of a centralized SIEM approach is that it provides a common solution for all data center or cloud instances and services. Data can be gathered easily, and indexed, filtered, analyzed, searched, and visualized. Automated or semi-automated actions can be triggered when suspicious activities are detected. This is the most effective approach because ransomware is being identified and stopped before it reaches your file system.
Qumulo sends audit logs to SIEM solutions to detect threat activity.
Qumulo sends audit logs in industry-standard syslog format to SIEM solutions on the market including Splunk, Elastic Search, AWS Cloudwatch, and Azure Sentinel.
In addition, intrusion detection systems (IDS) can detect patterns of dangerous network traffic; for example, anomalous domain name server (DNS) queries used to exfiltrate data packets that are correlated to an exploit technique. Many companies are using intrusion prevention systems (IPS) for detection controls with advanced fire walling and exploit-detection capabilities that block some categories of attacks.
Implement automated responses using the Qumulo API
The Qumulo File Data Platform supports all major security software on the market through its auditing feature. In addition, Qumulo“s API allows you to initiate automated mitigation actions from any attack surface should a malicious activity be detected. There are multiple ways to leverage the Qumulo API with direct API calls and Qumulo provides Python libraries to simplify API script development and the Qumulo Core CLI.
On the network, once the IDS system has detected a suspicious or even malicious activity for a file, the system can trigger automated events to mitigate risk. Qumulo provides a rich REST API which allows automating all kinds of management tasks on the cluster including malware mitigation tasks in case of a security event:
Set a quota for a directory or set the full system to 0. Any new write activity is prevented (but overwrites might still be possible).
Set a share to read-only or restricted IP addresses
Remove privileges for a user(s)
Take or restore a snapshot
Start an antivirus on-demand scan
Recent history has shown that even good security controls can be overcome by ransomware; and therefore, a means to recover and resume operations is needed. Qumulo“s file system supports disaster recovery strategies with some very effective and easy-to-implement data services that are built into Qumulo Core including erasure coding, immutable snapshots, cloud backup, and snapshot policy replication.
In the next article I“ll cover the third holistic domain: the recovery and resumption of operations (roll back) after a ransomware attack.
Dr. Stefan Radtke, Field CTO EMEA, has spent his career working in technology and is the principal evangelist of universal-scale storage for Qumulo. He started as employee #1 in EMEA in 2017 as Technical Director where he built a fantastic multi-national technical team. Recently he took over the role of the Field CTO and he is now focusing on building a strong technical team for Cloud Q. He“s a certified AWS Solution Architect Professional and Azure Solution Architect Expert.
Über Qumulo, Inc.
Qumulo ist marktführender Anbieter eines radikal einfachen Enterprise Filedaten-Managements in hybriden Umgebungen. Die hochleistungsfähige Filedaten Plattform von Qumulo wurde entwickelt, um Daten in ihrem nativen Format zu speichern, zu managen sowie Workflows und Anwendungen zu erstellen – auf Massive-Scale Niveau, On-Premises sowie in der Public Cloud. Qumulo hat das Vertrauen von Fortune-500-Unternehmen, von großen Film- und Animationsstudios bis hin zu einigen der größten Forschungseinrichtungen der Welt, um den gesamten Datenlebenszyklus mit grösster Einfachheit zu managen (Daten-Ingestion, Transformation, Daten-Publishing, Archivierung, dynamische Skalierbarkeit, automatische Verschlüsselung, Real-Time Daten-Transparenz, kosteneffiziente Kapazität). Eine fortschrittliche API versetzt Kunden in die Lage, Qumulo ganz einfach in ihr Ökosystem und ihre Workflows zu integrieren. qumulo.com.