ST2401

More documents

Recommendations

Info

MANAGEMENT: RANSOMWARE SHIELDING YOUR FILE SERVERS: AN ESSENTIAL GUIDE ARON BRAND, CTO OF CTERA, REMINDS US THAT THE KEY LESSON TO LEARN FROM RANSOMWARE THREATS IS THAT IT IS NEVER A GOOD IDEA TO PAY THE RANSOM Ransomware has been a significant hazard in the digital world for a number of years, impacting various industries with devastating effects. Manufacturing, construction, healthcare, and financial services are especially at risk, not just due to the nature of their operations but also because of their stringent time sensitivities and compliance obligations. The disruption caused by ransomware in these areas can lead to severe consequences, affecting both operational continuity and regulatory compliance. The need for robust and effective ransomware defence strategies is urgent. To protect against ransomware attacks, organisations need to take a proactive approach, one that is more comprehensive and layered than simply updating and securing all networked devices. DOES PAYING FIX THE PROBLEM? In short, no. The risks associated with paying ransoms are considerable and often misunderstood. When organisations agree to ransom demands, they inadvertently set themselves up for future attacks. Ransomware actors don't play fair and frequently target their previous victims, not just because it's convenient but also because they know these victims are willing to pay. Paying may, in fact, increase ransom demands in subsequent attacks rather than solving the initial problem. ENDPOINT PROTECTIONS ALONE ARE NOT ENOUGH Traditional signature-based defences are often ineffective against evolving ransomware threats specifically designed to bypass static security measures. In environments with outdated operating systems or embedded IoT devices, this is further intensified as they often can't support client-based ransomware protection tools like Endpoint Detection and Response systems. Such devices, if not adequately secured or updated, can easily become vulnerable entry points for ransomware attacks. Advanced measures are the only effective way to safeguard against the sophisticated and constantly evolving nature of such attacks. NOT ALL BACKUPS ARE CREATED EQUAL Backups are a vital safety net in the event of an attack. However, their effectiveness in ransomware scenarios is heavily dependent on how they're managed and protected. By targeting backups, ransomware attackers aim to incapacitate an organisation's ability to restore data independently, thereby increasing the likelihood of a ransom being paid. That is why backups require air-gapped, immutable storage, i.e. a physical gap between the backup data and the network that blocks attempts to access or alter that data through network-based attacks. This ensures both the integrity and availability of backups, enabling organisations to recover critical data without succumbing to ransom demands, a crucial deterrent that significantly reduces the leverage ransomware attackers hold over their victims. EARLY DETECTION AND PROTECTION Adding effective early detection methods to your security workflow is key to identifying and mitigating threats at the file-server level, even before they necessitate data recovery. This is where advanced ransomware detection methods come into play. They're designed to identify suspicious activities and potential threats via three primary approaches, namely: 1. Threshold-based detection: This method involves monitoring and defining thresholds on file activities. They focus particularly on operations such as file modifications, renames, and changes in entropy, common indicators of ransomware activity. Their effectiveness lies in early detection, allowing for prompt response. It should be noted that they're sensitive to users performing atypical, non-malicious tasks, which can lead to frequent false positives. 2. Signature-based detection: A method that detects known ransomware signatures within user behaviours or files, providing a reliable line of defence against known threats and nearly zero false positives. Where this method is limited, however, is its ineffectiveness against new, unknown ransomware strains - also known as zero-day threats. 3. Behavioural AI detection: AI-driven tools in this method analyse user access patterns, matching them to known ransomware tactics, and offering a sophisticated, proactive approach to identifying potential ransomware attacks. Leveraging the adaptability of machine learning, this method continuously evolves to counteract advancing techniques used in modern ransomware. And since it detects tactics used by ransomware rather than signatures or thresholds, it reliably catches new ransomware strains and provides solid resilience against false positives. FILE SYSTEM VS. BACKUP-BASED DETECTION In the realm of ransomware defence for file servers, detection methods are broadly categorised into two variants: post-discovery tools that analyse the content of periodic backups, and real-time detection tools that monitor user behaviour and file operations. This distinction is critical in understanding the strengths and limitations of each approach in safeguarding data against ransomware attacks. POST-DISCOVERY BACKUP-BASED DETECTION This method focuses on analysing backups after they have been created, scanning for signs 32 STORAGE Jan/Feb 2024 @STMagAndAwards www.storagemagazine.co.uk MAGAZINE
MANAGEMENT: RANSOMWARE "Backups are a vital safety net in the event of an attack. However, their effectiveness in ransomware scenarios is heavily dependent on how they're managed and protected. By targeting backups, ransomware attackers aim to incapacitate an organisation's ability to restore data independently, thereby increasing the likelihood of a ransom being paid. That is why backups require air-gapped, immutable storage, i.e. a physical gap between the backup data and the network that blocks attempts to access or alter that data through network-based attacks." of ransomware. The main advantage of postdiscovery backup-based detection is its integration within existing backup software, making it a non-intrusive addition to data protection strategies. But its retrospective nature makes it somewhat limited. Since it relies on periodic snapshots of the system and lacks visibility into actual file operations, for example, being completely blind to read operations, backup-based detection can miss nuanced details of file operations and changes. This oversight can lead to missing early signs of an attack, potentially rendering it insufficient in preventing significant data loss, especially in the case of fast-moving ransomware strains. REAL-TIME FILE SYSTEM-BASED DETECTION In contrast, real-time detection methods operate directly on the live file system. They continuously monitor file operations, user behaviours, and system changes, offering a more dynamic and immediate response. The advantages of this approach are many: Immediate threat identification: Real-time monitoring allows for the rapid detection of suspicious activities, crucial in intercepting ransomware before it spreads extensively. Blocking suspicious activities: This method proactively blocks users or machines performing suspicious activity, preventing the ransomware from executing its payload. Granular data for machine learning: By monitoring each file operation in real-time, this approach provides a wealth of detailed data, which is invaluable for AI-driven models, enhancing their accuracy and ability to adapt to new ransomware tactics. Comprehensive coverage: Real-time monitoring ensures protection for all files, including those excluded from backup. While backup-based detection plays a crucial role in identifying ransomware post-attack, realtime file system-based detection offers a more proactive and comprehensive defence. By enabling immediate identification and response to ransomware activities, and by providing high quality, detailed data for advanced AI models, file system-based detection stands as a more robust and effective solution for protecting file servers against the evolving threat of ransomware. NEVER PAY THE RANSOM Ransomware is a continuously escalating threat that demands a multi-layered approach. It's critical to focus on early detection, integrate reactive and preventative measures, and implement air-gapped, immutable backups - a robust safety net in case of an attack. The stand-out solution in the current cybersecurity landscape is the adoption of realtime file system-based detection. Unlike its backup-based counterpart, real-time detection immediately identifies threats and blocks suspicious activities as they happen. The granular activity data gathered by this method enhances the efficacy of AI-driven models, leading to more accurate and adaptive ransomware defence strategies. The fight against ransomware is an ongoing battle that requires vigilance, innovation, and adaptation. organisations must stay ahead of potential attackers by employing a combination of backup strategies, real-time detection methods, and continuous evolution of their cybersecurity practices. But if you take only one thing from this guide, it should be this: never pay the ransom. More info: www.ctera.com www.storagemagazine.co.uk @STMagAndAwards Jan/Feb 2024 STORAGE MAGAZINE 33
Page 1 and 2: STORAGE MAGAZINE The UK’s number
Page 3 and 4: The UK’s number one in IT Storage
Page 5 and 6: DON’T SaaSSS GET YOUR KICKED! ! T
Page 7 and 8: STRATEGY: STRATEGY: DATA MANAGEMENT
Page 9 and 10: CASE CASE STUDY: BRITVIC "Moving to
Page 11 and 12: FEATURE: FEATURE: 2024 PREDICTIONS
Page 13 and 14: FEATURE: FEATURE: 2024 PREDICTIONS
Page 15 and 16: REGISTER FOR YOUR FREE TICKET WWW.D
Page 17 and 18: TECHNOLOGY: RDMA "The secret to boo
Page 19 and 20: Hybrid storage architecture, optimi
Page 21 and 22: CASE STUDY: CASE STUDY: CANCER RESE
Page 23 and 24: The future is here. Tiered Backup S
Page 25 and 26: ROUNDTABLE: SOFTWARE "Convenience a
Page 27 and 28: ROUNDTABLE: SOFTWARE "For vendors,
Page 29 and 30: INDUSTRY FOCUS: MEDIA FOCUS: & ENTE
Page 31: Case Study Object Archive and Tape

ST2401

Create successful ePaper yourself

Delete template?

Save as template?