The world is constantly changing and evolving, so there are always intriguing topics to discuss. Security remains top of mind for the world at large, and here at NetApp we are tasked with managing and protecting one of the world's most precious resources: data. That said, stay tuned for the various discussions and key topics to come.
Ransomware: 2018 and the Saga Continues
Fresh off the heels of 2017, one thing remains top of mind: ransomware. As industry trends show and our customers echo, the threat of ransomware is more than prevalent; it is real, and its impacts grow more dire as the threat evolves while the world marches toward a climate where data is truly EVERYWHERE.
As I have often stated in NetApp Insight and briefing sessions, if an organization cannot pinpoint who has access to a given file, how will it understand its environment well enough to thwart an attack such as ransomware?
The reality is that 2017 gave the industry a number of wake-up calls around the threat of ransomware: not just the nature of the threat itself, but its ramifications, net effects, and sheer impact across the world we all live in. In 2017 our customers saw, heard about, and in some cases experienced one of the most crippling ransomware attacks on record. Fortunately, the NetApp portfolio of solutions was not affected, but because our customers' data is mission critical, it is important that we help guide them through this challenge.
When it comes to challenges and threats, all too often once we have mitigated a threat we rarely circle back, conduct a post mortem, and truly address the underlying issues of yesteryear. This can be summed up as understanding the exploit versus the threat: one must understand the exploit, but focus mitigations and solutions on the threat, so that those mitigations are holistic rather than tied to a single exploit that will simply be replaced by the next one.
Back in May of 2017 the "WannaCry" ransomware variant (also known as WannaCrypt, WanaCrypt0r 2.0, or Wanna Decryptor) reared its head, impacting organizations around the globe and infecting hundreds of thousands of hosts in over 150 countries in the span of three days, with figures that continued to grow. Be it WannaCry, Petya, or the rest, what we saw was a proliferation of exploits and variants doing what they do best: exposing weaknesses and gaps. In this case the target was version 1 of the Microsoft Server Message Block (SMB) protocol. The most disheartening element of these attacks, which is ironically the case for so many other attacks, is that fixes already existed before the outbreak (Microsoft had shipped the MS17-010 update for the SMBv1 flaw in March 2017, two months earlier), if only we would learn to patch.
For additional details regarding the attack, including attack vectors, analysis, IOCs, and filenames, see the Talos Security Portal: Talos Security - WannaCry
While there are certainly many elements to addressing security threats and exploits, overarchingly security professionals settle on a variation of the following:
- Prevention - Visibility
- Active - Mitigation/Remediation
- Post - How do we get better?
As it applies to ransomware it is not much different. Be it addressing prevention and mitigation through patching, disabling protocols such as SMBv1, or filtering and blocking unsafe or unnecessary protocols at the network or end-host level, the key element will always come down to remediation, because in security it is never a question of if, but of when.
When it comes to remediation, specifically for ransomware, we have you covered, as that is our sweet spot: Snapshots, anyone?
The NetApp Solution for Ransomware, NetApp TR-4572, outlines the industry best practice of ensuring backups exist in the form of Snapshot copies. Leveraging Snapshots is the most effective restoration solution for ransomware to date. Because a Snapshot copy is read-only, a client that has been ransomed cannot encrypt it; recovery then means restoring from a copy taken before the infection began, which in turn depends on a Snapshot schedule and retention long enough to cover the gap between infection and detection.
In addition, the NetApp FPolicy solution, used natively or augmented with key partner solutions such as Cleondris (SnapGuard) and Varonis (DatAlert), allows organizations to filter and block access to unwanted file extensions while verifying configurations, policies, and file activity in real time. Such capabilities also let organizations monitor and track how users interact with data, including how and when they access files. This information feeds a proactive monitoring tool and dashboard that alerts administrators and operators to potential rogue activity, such as a user reaching known-bad sites or beginning to encrypt files. Lastly, these partner solutions provide preventative, actionable measures by leveraging the FPolicy function to filter and control access to file systems, which provides visibility, understanding, and reporting.
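As an added illustration (not NetApp's, Cleondris' or Varonis' code), the following Python models the two controls this paragraph describes: a mandatory extension screen applied to create and rename operations, in the spirit of a native FPolicy policy with a blocked-extension list, and a behavioural detector that raises an alert when one user rewrites or renames an unusual number of distinct files within a short window, the signature an encryption run leaves in file-activity logs. The event format, the blocked-extension list, the threshold and window, and the sample events are all constructed assumptions for the example; a real deployment takes the events from FPolicy notifications and tunes the threshold to the workload.

```python
"""Toy model of extension screening plus encryption-behaviour detection.
Added example, not NetApp or partner code. The FileEvent format, the
blocklist and the sample events are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
import posixpath

# Extensions that known ransomware families append to files they encrypt
# (assumed list; a production policy would be fed from threat intelligence).
BLOCKED_EXTENSIONS = {"wncry", "wnry", "wcry", "locky", "crypt", "encrypted"}


@dataclass(frozen=True)
class FileEvent:
    ts: float    # seconds since epoch (constructed)
    user: str    # authenticated SMB user
    op: str      # "create", "rename", "write" or "read"
    path: str    # target path (for rename, the new name)


def extension(path: str) -> str:
    """Lower-cased final extension without the dot; '' if there is none."""
    return posixpath.splitext(path)[1][1:].lower()


def screen_event(ev: FileEvent, blocked=BLOCKED_EXTENSIONS) -> str:
    """Mandatory screen: deny creates/renames whose target name carries a
    blocked extension, so the encrypted copy never lands on the volume."""
    if ev.op in ("create", "rename") and extension(ev.path) in blocked:
        return "deny"
    return "allow"


class EncryptionBehaviourDetector:
    """Flag a user who writes or renames more than `threshold` distinct
    files inside `window` seconds. A person edits a handful of files a
    minute; an encryptor walks a share rewriting everything it finds."""

    def __init__(self, window: float = 60.0, threshold: int = 20):
        self.window = window
        self.threshold = threshold
        self._recent = defaultdict(deque)  # user -> deque of (ts, path)

    def observe(self, ev: FileEvent) -> bool:
        if ev.op not in ("write", "rename"):
            return False
        q = self._recent[ev.user]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > self.window:   # slide the window
            q.popleft()
        distinct = {path for _, path in q}
        return len(distinct) > self.threshold


def analyse(events, detector=None):
    """Run every event through the screen, then feed allowed ones to the
    detector. Returns the denied events and the first alert time per user."""
    detector = detector or EncryptionBehaviourDetector()
    denied, alerted = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if screen_event(ev) == "deny":
            denied.append(ev)
            continue                      # a denied op never touched the volume
        if detector.observe(ev) and ev.user not in alerted:
            alerted[ev.user] = ev.ts
    return {"denied": denied, "alerted": alerted}


def sample_events():
    """Constructed activity: alice works normally; mallory's workstation
    rewrites 25 distinct files in 25 seconds, then tries to rename two of
    them with a ransomware extension."""
    base = 1_500_000_000.0
    events = [FileEvent(base + i * 10, "alice", "write",
                        f"/finance/q1/report{i}.xlsx") for i in range(3)]
    events += [FileEvent(base + 100 + i, "mallory", "write",
                         f"/finance/archive/doc{i:03}.docx") for i in range(25)]
    events += [FileEvent(base + 130, "mallory", "rename",
                         "/finance/archive/doc000.docx.wncry"),
               FileEvent(base + 131, "mallory", "rename",
                         "/finance/archive/doc001.docx.wncry")]
    return events


if __name__ == "__main__":
    result = analyse(sample_events())
    print("denied operations:", len(result["denied"]))
    for user, ts in result["alerted"].items():
        print(f"alert: {user} exceeded the rewrite threshold at t={ts:.0f}")
```

The screen and the detector are deliberately independent: an extension list stops families you already know about, while the rate check catches a variant that keeps the original filename, which is why the partner tools layer both over FPolicy rather than relying on one.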