Protecting Against Ransomware With NetApp Cloud Secure
Before we dive into NetApp Cloud Secure, we need to discuss how you set up and deploy NetApp Cloud Secure inside your environment.
NetApp Cloud Secure is a feature built into NetApp Cloud Insights. Cloud Insights is a hybrid cloud infrastructure monitoring tool, managed by NetApp and provided to the user as a SaaS platform. When you deploy NetApp Cloud Insights, you enable an active tenant in the NetApp managed platform that operates against your own environment. With Cloud Insights, you can monitor, troubleshoot, and optimize all of your infrastructure resources from a single management plane, and you can customize the tenant to your company's needs.
The NetApp Cloud Secure component is enabled by default with any NetApp Cloud Insights premium subscriptions. We will not spend a ton of time discussing Cloud Insights here, but if you need more information please reach out to your local WWT account team. In addition to all of the features of NetApp Cloud Insights, the NetApp Cloud Secure component adds the following benefits:
- Visibility: The ability to have centralized control and visibility over user access to critical data. Rather than having manual tools and processes to gather accurate visibility, Cloud Secure uses machine learning and user behavior algorithms to offer real-time alerts of any malicious behavior inside your environment.
- Protection: The machine learning and anomaly detection mechanism within Cloud Secure will alert and take action should any abnormal data activity appear.
- Compliance: Along with the machine learning and automated detection mentioned above, you have the power to audit any user data access at any time.
Once you have NetApp Cloud Insights licensed and running inside of your NetApp managed tenant, there are a few additional steps to take advantage of Cloud Secure. We will cover each component in detail below:
Although Cloud Secure is a part of the Cloud Insights tenant, it does require a separate agent in order to operate properly. This agent is a lightweight virtual machine (VM) deployed inside of your on-premises or cloud environment. The requirements for this VM can be found here. Once the agent VM is created, you can start to configure the agent for Cloud Secure. The agent VM is connected to your Cloud Secure environment using a token generated directly through the admin section inside Cloud Secure. The agent must also adhere to certain firewall and port requirements. You can review all of the steps to install the agent here.
After you have installed the Cloud Secure agent and it is operational and connected to your tenant, you can start configuring your data collectors. A data collector is an agentless component in Cloud Secure that uses the agent VM (created previously) to collect data from several endpoints. There are documented setup instructions for all of the following data collector endpoints:
To accurately identify breaches, every user activity across on-premises and hybrid cloud environments is captured and analyzed. Based on the data collector and agent points above, you can monitor all user activity and data activity inside of your environment.
Cloud Secure detects anomalies in user behavior by building a behavioral model for each user. From that behavioral model, it detects abnormal changes in user activity and analyzes those behavior patterns to determine whether the threat is ransomware or a malicious user. This behavioral model reduces false positive noise.
Today's ransomware and malware are sophisticated, using random extensions and file names, which makes detection by signature-based (blocked list) solutions ineffective. Cloud Secure uses advanced machine learning algorithms to uncover unusual data activity and detect a potential attack. This approach provides dynamic and accurate detection and reduces false detection noise.
Cloud Secure alerts you to a potential ransomware attack and provides multiple automatic response policies to protect your data from the attack. These automated response policies can be configured to do all or any of the following actions should abnormal behavior be detected on your data.
- You can take a snapshot of your data as soon as the unusual activity is detected, ensuring you are protected and can easily recover from a point-in-time snapshot. This also helps with false-positive limitations as you can review the activity and quickly restore should the activity be legitimate.
- You can enable the response policy to restrict a user's access to the data by either blocking or changing the user's permissions to read-only. This can be configured and triggered per abnormal user behavior or upon file deletion behavior.
- As an administrator of Cloud Secure, you have the ability to follow a full audit trail for any user, so should data become compromised, you can trace the attack to the source and provide full remediation and recovery, along with root cause analysis.
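To make the per-user behavioral model and the automated response policies described above concrete, here is an added illustration written for this post; it is not NetApp's code and says nothing about how Cloud Secure scores activity internally. It builds a baseline per user from constructed file-access events, scores a new window of activity for a burst of changes, unfamiliar extensions and mass deletion, and maps the result to the response actions the article lists (snapshot, read-only, block). Thresholds, event format and sample data are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events, (user, op, path); these form each user's baseline.
BASELINE = [("alice", "read", "/share/q1.docx"), ("alice", "write", "/share/q1.docx"),
            ("alice", "read", "/share/budget.xlsx"), ("alice", "write", "/share/notes.txt"),
            ("bob", "read", "/share/plan.pptx"), ("bob", "delete", "/share/old.txt")]

CHANGE_OPS = ("write", "rename", "delete")


def ext(path):
    """File extension in lower case, or '' when the name has none."""
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def build_profiles(events):
    """Per-user baseline: count of each op and the set of extensions the user normally touches."""
    profiles = defaultdict(lambda: {"ops": Counter(), "exts": set()})
    for user, op, path in events:
        profiles[user]["ops"][op] += 1
        profiles[user]["exts"].add(ext(path))
    return profiles


def score_window(profile, events):
    """Compare one user's new window with their baseline.
    Returns (change_ratio, novel_extension_fraction, delete_ratio)."""
    ops = Counter(op for _, op, _ in events)
    base = profile["ops"]
    changes = sum(ops[o] for o in CHANGE_OPS)
    base_changes = max(sum(base[o] for o in CHANGE_OPS), 1)
    exts = [ext(p) for _, _, p in events]
    novel = sum(1 for e in exts if e not in profile["exts"]) / max(len(exts), 1)
    return changes / base_changes, novel, ops["delete"] / max(base["delete"], 1)


def respond(profile, events, ratio_limit=5.0, novel_limit=0.5):
    """Map the window's scores to response actions, most severe first (assumed thresholds)."""
    change_ratio, novel, delete_ratio = score_window(profile, events)
    if change_ratio >= ratio_limit and novel >= novel_limit:
        return ["snapshot", "block"]      # encryption-like burst writing unfamiliar extensions
    if delete_ratio >= ratio_limit:
        return ["snapshot", "read-only"]  # mass deletion relative to the user's norm
    if change_ratio >= ratio_limit:
        return ["snapshot"]               # unusual but possibly legitimate: preserve and review
    return []


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    burst = [("alice", "rename", f"/share/f{i}.lkd") for i in range(6)] + \
            [("alice", "write", f"/share/f{i}.lkd") for i in range(6)]
    print(respond(profiles["alice"], burst))  # ['snapshot', 'block']
```

The snapshot-first ordering mirrors the point made above: a point-in-time copy is taken before access is cut, so a false positive can be reviewed and rolled back without data loss.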
The newest feature of Cloud Secure was added to help stop attacks in progress. By restricting user access automatically, you have the ability to cut off access as soon as unusual or malicious behavior is observed. This process can be enabled inside of an Automated Response Policy or enabled manually through the alert user details section inside of the platform.
As with any automated feature, there are a few additional steps to configure inside of ONTAP and inside of Cloud Secure in order for the feature to operate effectively. You can view the feature details and extra configuration steps here. Also, should a user's access be restricted as part of a false-positive, you have full control over how long the user is restricted, which IPs are restricted, a full history of all users and IPs that have been restricted, and manual intervention steps to re-enable access for the user and their IP address.
Using our Advanced Technology Center (ATC) and the Cloud Secure tenant we have internally, we have documented how Cloud Secure operates with all of the features mentioned. Get a first-hand look at how effective Cloud Secure can be inside of a production environment and how easy it is to add a layer of preventive action to your Zero Trust ransomware protection strategy.