Pure Storage's SafeMode for Ransomware Remediation
In the ongoing fight against ransomware and cyber attacks, a company should have multiple levels of defense to aid in the prevention and recovery process. These levels may range from firewalls to data protection and backup, to off-site copies of their data and air-gapped solutions. One of the fastest ways to get your data back up and running, in the event that a volume is deleted or the data in the volume is corrupted, is to use the immutable snapshots on the storage array. A snapshot restore simply moves the metadata pointers for the blocks of data on disk back to the blocks that held the data before it was changed. This is an extremely fast process and doesn't require data to be copied to the array or restored from backup to the original location.
Unfortunately, the bad guys know that all modern storage arrays provide this ability to restore data via snapshots, and have focused their efforts not only on encrypting the data at the source, but also on attacking the storage arrays and deleting the volumes and their snapshots, preventing a quick recovery. Fortunately, Pure Storage is a step ahead of the bad guys and has built natively into their FlashArray and FlashBlade solutions the ability to protect, or SafeMode™, the volumes, files and snapshots on the storage array. SafeMode™ prevents everyone (both good guys and bad guys) from destroying and eradicating the data before the Eradication Timer expires.
Pure Storage's SafeMode™ is a built-in feature that locks objects (volumes, files and snapshots) on a FlashArray (up to 30 days) or FlashBlade (up to 400 days) and prevents them from being manually deleted before the policy/timer expires, allowing you to recover quickly in the event of a mistake or malicious activity.
Before SafeMode™ is enabled, a storage admin can Destroy an object; the object is then marked for deletion and remains on the array for 24 hours (default) before it is fully Eradicated (aka gone forever). Within that 24 hour window, the storage admin can choose to restore the object if they realize they made a mistake, or can choose to Eradicate the object now to free up space on the array if needed.
With SafeMode™ enabled and a new Eradication Timer set, when an object is Destroyed it is still marked for deletion, but the ability to Eradicate the object now is removed, and the object stays on the array until the Eradication Timer expires, at which point it is deleted. The same is true for reducing an existing protection group retention policy: it is not allowed. You can only increase the retention length, i.e. how long snapshots are kept.
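To make the Destroy / Eradicate / recover behaviour described above concrete, here is an added toy model (not Pure's code, and not an API the array exposes) of an array with and without SafeMode™. The object names, timestamps and the 14 day timer are constructed for the walkthrough; the 24 hour default and the "retention can only grow" rule come from the post.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class ArrayModel:
    """Hypothetical model of Destroy/Eradicate semantics; not Pure's code."""
    safemode: bool = False
    eradication_timer: timedelta = timedelta(hours=24)  # Purity default per the post
    retention: timedelta = timedelta(days=7)            # constructed pgroup retention
    live: set = field(default_factory=set)
    destroyed: dict = field(default_factory=dict)       # name -> eradication deadline

    def destroy(self, name, now):
        # Mark for deletion; the object lingers until the timer expires
        self.live.remove(name)
        self.destroyed[name] = now + self.eradication_timer

    def eradicate_now(self, name):
        if self.safemode:  # manual 'eradicate now' only works with SafeMode off
            raise PermissionError("SafeMode: manual eradication is disabled")
        del self.destroyed[name]

    def recover(self, name, now):
        # Restore a destroyed object if its eradication deadline has not passed
        if name not in self.destroyed or now >= self.destroyed[name]:
            raise LookupError(f"{name} is no longer recoverable")
        del self.destroyed[name]
        self.live.add(name)

    def set_retention(self, new):
        if self.safemode and new < self.retention:  # retention can only grow
            raise PermissionError("SafeMode: retention can only be increased")
        self.retention = new

def scenario(safemode):
    """Stolen admin access destroys a snapshot and tries to eradicate it at once;
    the team notices two days later. Returns True if the snapshot is recoverable."""
    a = ArrayModel(safemode=safemode, eradication_timer=timedelta(days=14))
    t0 = datetime(2024, 1, 1)  # constructed timestamp
    a.live.add("db-vol.daily-1")
    a.destroy("db-vol.daily-1", t0)
    try:
        a.eradicate_now("db-vol.daily-1")
    except PermissionError:
        pass
    try:
        a.recover("db-vol.daily-1", t0 + timedelta(days=2))
        return True
    except LookupError:
        return False
```

Running `scenario(False)` returns False because the immediate Eradicate succeeds and nothing is left to recover; `scenario(True)` returns True because the Eradicate is refused and the snapshot is still in its recovery window two days later.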
Keeping with Pure's all-inclusive software features - SafeMode™ is free. All you need to do is enable it. Note – Depending on the daily change rate in the environment, snapshots will consume additional capacity on your storage array. The longer a snapshot is retained, the more storage capacity the array needs for snapshots.
Step 1. Make sure all your volumes and volume groups have a snapshot policy defined.
Step 2. Contact support to have SafeMode™ enabled.
Step 3. Assign authorized contacts from your company who safely store their unique identification method received from Pure Support.
Step 4. Set the Eradication Timer to something beyond 24 hours to provide an optimal recovery window.
Unlike WORM (write once read many) solutions, SafeMode™ is flexible. All you need to do is contact Pure Support if you need to disable SafeMode™, shorten the policy retention length for snapshots or reduce the Eradication Timer.
To recover, simply restore the objects that are marked for deletion before they are Eradicated, or restore the volumes from a prior Immutable Snapshot taken by the snapshot schedule.
Although SafeMode™ by itself will not prevent attackers from getting into your network and trying to do destructive tasks, it is a no cost, built-in feature on your Pure Storage arrays that can easily be enabled to help speed the time it takes to restore your data and get back up and running in the unfortunate event that your environment is compromised.
For more information, check out the Pure Storage resources below.