In my previous post, I discussed how snapshots are a feature, and not a solution. Snapshots, in conjunction with RestoreManager, can enable NetApp users to have a valid data protection solution. In this post, I’m going to discuss how snapshots are an important feature to recovering data effectively and efficiently in the event of a ransomware attack.
Sadly, we live in a day and age where ransomware is the "go-to method of attack" for cybercriminals. According to Cyber Security Ventures, it's estimated that every 14 seconds a business falls victim to a ransomware attack. We see details of the impact of attacks in the news on an almost daily basis, and it is severely impacting the ability of businesses of all types to generate revenue and function normally. The damage from these attacks is costing billions globally, with the estimated cost predicted to exceed $20 billion by 2021.
Because of this, a question frequently asked at Catalogic is, "How can I ensure the content in my NetApp environment is fully protected from the threat of ransomware and, more importantly, recover only the files affected by a ransomware hit?"
Our simple answer: CryptoSpike
CryptoSpike delivers real-time detection of ransomware on NetApp file systems. It enables protection through 3 key elements:
Monitoring can be set up at the granularity you need: all SMB transactions can be monitored for clusters, SVMs, volumes, and shares.
The impact of enabling monitoring is minimal. Generally, you can expect an increase in latency of up to 0.3 ms, caused by the TCP packets exchanged between ONTAP and the F-Policy servers.
All this sounds great, but what about the ability to recover data in the event of a ransomware attack?
One of the key differentiators of CryptoSpike is that it provides the ability to quickly restore individual files from snapshots, meaning that in the event of a ransomware attack or data breach you recover only the impacted data. This enables NetApp users to use snapshots as a valid ransomware protection solution.
The data that needs recovering can be quickly and easily identified via file activity reporting, because CryptoSpike monitors and logs all user file access (reads, writes, opens, etc.). This means you can identify who was infected, who accessed which files, who made changes to files, and who deleted files. You are then able to make quick, business-oriented decisions to ensure the business's data is recovered and available again, so that normal operations can continue.
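The file-level restore described above can be illustrated with a small script. This is an added example and not CryptoSpike's or RestoreManager's code; it assumes the `.snapshot` directory that ONTAP exposes at the root of a volume (over NFS; `~snapshot` over SMB) and snapshot names in the ONTAP schedule convention (`hourly.YYYY-MM-DD_HHMM`). Given the list of impacted files from the activity report and the time the incident started, it picks the newest snapshot taken before the incident and copies back only those files. The volume tree, file contents and timestamps are constructed in a temporary directory so the example runs offline.

```python
"""Restore only the impacted files from the newest snapshot that predates an
incident, using the `.snapshot` directory at the root of an ONTAP volume.

Added example, not CryptoSpike/RestoreManager code. The volume tree, snapshot
names and file contents below are constructed for illustration.
"""
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# ONTAP scheduled snapshots are named <schedule>.<YYYY-MM-DD_HHMM>.
SNAPSHOT_NAME = re.compile(r"^(?:hourly|daily|weekly)\.(\d{4}-\d{2}-\d{2}_\d{4})$")


def snapshot_time(name):
    """Timestamp encoded in a scheduled snapshot name, or None for other names."""
    m = SNAPSHOT_NAME.match(name)
    return datetime.strptime(m.group(1), "%Y-%m-%d_%H%M") if m else None


def pick_snapshot(volume_root, incident_start):
    """Name of the newest snapshot taken strictly before the incident started."""
    candidates = []
    for entry in (volume_root / ".snapshot").iterdir():
        t = snapshot_time(entry.name)
        if t is not None and t < incident_start:
            candidates.append((t, entry.name))
    return max(candidates)[1] if candidates else None


def restore_files(volume_root, rel_paths, incident_start):
    """Copy each impacted file back from the chosen snapshot.

    Returns (snapshot_name, list of paths actually restored). Files that did
    not exist at snapshot time are skipped rather than failing the whole run.
    """
    snap = pick_snapshot(volume_root, incident_start)
    if snap is None:
        raise RuntimeError("no snapshot predates the incident start")
    restored = []
    for rel in rel_paths:
        src = volume_root / ".snapshot" / snap / rel
        dst = volume_root / rel
        if not src.is_file():
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps the file's original mtime
        restored.append(rel)
    return snap, restored


def build_demo_volume():
    """Constructed volume: three hourly snapshots, an attack at 10:30."""
    root = Path(tempfile.mkdtemp(prefix="vol1_"))
    clean = {"finance/q1.xlsx": b"Q1 figures", "hr/handbook.docx": b"handbook v3"}
    encrypted = b"\x00ENCRYPTED\x00"
    for snap in ("hourly.2024-03-10_0905", "hourly.2024-03-10_1005"):
        for rel, data in clean.items():
            p = root / ".snapshot" / snap / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    # The 11:05 snapshot was taken after the attack, so it holds encrypted data.
    for rel in clean:
        for base in (root / ".snapshot" / "hourly.2024-03-10_1105", root):
            p = base / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(encrypted)
    return root


def run_demo():
    root = build_demo_volume()
    incident_start = datetime(2024, 3, 10, 10, 30)
    # "finance/ghost.xlsx" is listed to show that unknown files are skipped.
    snap, restored = restore_files(
        root, ["finance/q1.xlsx", "hr/handbook.docx", "finance/ghost.xlsx"], incident_start
    )
    contents = {rel: (root / rel).read_bytes() for rel in restored}
    shutil.rmtree(root)
    return snap, restored, contents


if __name__ == "__main__":
    snap, restored, contents = run_demo()
    print(f"restored {restored} from {snap}")
    for rel, data in contents.items():
        print(f"  {rel}: {data!r}")
```

Only the listed files are touched: everything else on the volume, including files created after the chosen snapshot, is left as it is, which is the point of file-level restore compared with reverting a whole volume.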
Additionally, CryptoSpike is incredibly simple to deploy with minimal resources required for 1x CryptoSpike Server and 2x F-Policy Servers.
The requirements for these are as follows:
All can be deployed via OVA files into VMware vSphere environments. An example of the architecture of a typical CryptoSpike setup is shown below:
We understand that companies are hesitant to deploy CryptoSpike because of the potential impact it has in blocking user access to critical file data. To ease those doubts and ensure no actions are taken at the start of a proof of concept, we recommend putting CryptoSpike into asynchronous mode. In asynchronous mode, CryptoSpike will not block anything: the user will appear in "Blocked Users" and an email notification will be sent, but the user is not actually blocked. After a period of 7+ days, you can then switch from asynchronous mode to synchronous mode, making CryptoSpike live and your environment protected.
If you want to learn more, get a no-obligation quote, or run a proof of concept, feel free to get in contact with us and we will quickly provide you with what you are looking for.
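The two ideas above, detection from logged file access and the asynchronous versus synchronous response, fit together as follows. This is an added example, not CryptoSpike's code: the event format, the rate-based rule (a user performing a burst of modifying operations), the thresholds and the sample events are all constructed for illustration. In asynchronous mode a flagged user is listed and an email is sent but nothing is blocked; in synchronous mode the same detection also blocks the user.

```python
"""Burst-of-modifications detection over file-access events, with an
asynchronous (alert-only) and a synchronous (blocking) response mode.

Added example, not CryptoSpike code. Event format, thresholds and the sample
events are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum

# Constructed sample in the shape a file-access monitor might log:
# <timestamp seconds> <user> <operation> <path>
SAMPLE_EVENTS = """\
1000 alice   OPEN  /vol1/finance/q1.xlsx
1001 alice   WRITE /vol1/finance/q1.xlsx
1005 bob     READ  /vol1/hr/handbook.docx
1100 mallory WRITE /vol1/finance/q1.xlsx
1101 mallory WRITE /vol1/finance/q2.xlsx
1102 mallory WRITE /vol1/finance/q3.xlsx
1103 mallory WRITE /vol1/hr/handbook.docx
1104 mallory WRITE /vol1/hr/policy.docx
1105 mallory WRITE /vol1/hr/org-chart.pptx
1200 alice   WRITE /vol1/finance/notes.txt
"""

MODIFYING_OPS = {"WRITE", "RENAME", "DELETE"}
WINDOW_SECONDS = 10      # constructed: sliding window length
MODIFY_THRESHOLD = 5     # constructed: modifying ops per window that trigger


class Mode(Enum):
    ASYNC = "asynchronous"  # list the user and notify, never block
    SYNC = "synchronous"    # list, notify and block


@dataclass(frozen=True)
class Event:
    ts: int
    user: str
    op: str
    path: str


def parse_events(text):
    """Parse whitespace-separated event lines; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, op, path = line.split(None, 3)
        events.append(Event(int(ts), user, op, path))
    return events


def detect(events, window=WINDOW_SECONDS, threshold=MODIFY_THRESHOLD):
    """Return {user: start_of_triggering_window} for users whose modifying
    operations within `window` seconds reached `threshold`."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op not in MODIFYING_OPS or ev.user in flagged:
            continue
        q = recent[ev.user]
        q.append(ev.ts)
        while q and q[0] < ev.ts - window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev.user] = q[0]          # earliest event of the burst
    return flagged


def impacted_files(events, user, since_ts):
    """Files the flagged user modified from the start of the burst onwards;
    this is the list a file-level restore would work from."""
    return sorted({e.path for e in events
                   if e.user == user and e.ts >= since_ts and e.op in MODIFYING_OPS})


def respond(flagged, mode):
    """Actions taken per flagged user in the given mode."""
    actions = {}
    for user in flagged:
        steps = ["list_in_blocked_users", "send_email_notification"]
        if mode is Mode.SYNC:
            steps.append("block_smb_access")
        actions[user] = steps
    return actions


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    hits = detect(evs)
    for mode in Mode:
        print(mode.value, respond(hits, mode))
    for user, start in hits.items():
        print(user, "impacted:", impacted_files(evs, user, start))
```

Running in asynchronous mode for a week lets you tune the window and threshold against real traffic: every user that would have been blocked shows up in the notifications, so false positives are visible before blocking is switched on.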