BlueXP Blog

IT & Ransomware: IT’s Role in Ransomware Protection

Written by Semion Mazor, Product Evangelist | Jun 19, 2022 6:30:45 AM

Cyber attacks, and ransomware attacks in particular, are on the rise, driven in part by the larger attack surface that comes with the work-from-home (WFH) model. To maintain a robust security posture, organizations are adopting a zero-trust architecture (ZTA), which assumes that the environment has already been breached and that internal guardrails are essential for protecting data. This approach is a critical part of effective ransomware protection.

What does this mean for IT? Ransomware attacks data, and the data is your responsibility. IT teams are part and parcel of the organization’s cybersecurity responsibility. These responsibilities go far beyond simply backing up and restoring data if an attack takes place—IT must also ensure that data management is secure by design.

In this blog post we explore how IT can embrace this role and how NetApp users can benefit from a complete set of tools for ransomware protection.

What Does the Zero-Trust Model Mean for IT?

A successful zero-trust architecture places data at the center. Users (people or devices) and workloads usually consume or transform data inside the corporate network, where it was traditionally considered safe.

However, given today's threats and complex attacks, it is not enough to blindly trust a network perimeter. In a zero-trust approach, cross-environment visibility and analytics are essential for establishing contextual baselines of normal behavior. For example, on a software developer's workstation the use of Microsoft PowerShell is normal, but the same activity on a machine belonging to someone in the marketing team is out of context and a possible indicator of compromise (IoC).

In a zero trust architecture, all network requests and traffic—both ingress/egress and lateral—must be continuously monitored to ensure that only authorized users and workloads can access data and only for predefined purposes. Any anomalous behavior that is detected should set off alerts and an appropriate response.
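The PowerShell example above comes down to a baseline keyed on role context rather than on the action alone. The following is an added illustration, not code from the original post or from NetApp: it learns, per department, which executables were seen in a known-clean window of process-creation events and then flags later events whose executable has no baseline for that department. The log format, host names, users and department labels are constructed for the example; in practice the events would come from EDR or process-creation telemetry.

```python
"""Contextual baseline check: the same action (running PowerShell) is normal
for one role and an indicator of compromise for another.

Added example, not code from the original post or from NetApp. The event
format, hosts, users and departments below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Each event: (timestamp, host, user, department, image).
Event = Tuple[str, str, str, str, str]

# Constructed known-clean window used to learn the baseline.
BASELINE_WINDOW: List[Event] = [
    ("2022-06-01T09:02:11Z", "dev-ws-01", "alice", "engineering", "powershell.exe"),
    ("2022-06-01T09:05:40Z", "dev-ws-01", "alice", "engineering", "code.exe"),
    ("2022-06-01T09:06:02Z", "dev-ws-02", "bob", "engineering", "powershell.exe"),
    ("2022-06-01T09:10:15Z", "mkt-ws-07", "carol", "marketing", "outlook.exe"),
    ("2022-06-01T09:12:33Z", "mkt-ws-07", "carol", "marketing", "excel.exe"),
    ("2022-06-01T09:15:58Z", "mkt-ws-08", "dave", "marketing", "chrome.exe"),
]

# Constructed events from a later window that are scored against the baseline.
NEW_EVENTS: List[Event] = [
    ("2022-06-14T14:01:09Z", "dev-ws-02", "bob", "engineering", "powershell.exe"),
    ("2022-06-14T14:03:27Z", "mkt-ws-08", "dave", "marketing", "powershell.exe"),
    ("2022-06-14T14:04:51Z", "mkt-ws-08", "dave", "marketing", "excel.exe"),
]


def build_baseline(events: List[Event]) -> Dict[str, Set[str]]:
    """Learn, per department, the set of executables seen in the clean window."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for _ts, _host, _user, dept, image in events:
        baseline[dept].add(image.lower())
    return dict(baseline)


def score_events(events: List[Event], baseline: Dict[str, Set[str]]) -> List[dict]:
    """Return one alert per event whose executable has no baseline for the
    actor's department.

    A department that never appeared in the clean window gets an empty
    baseline, so its events are flagged rather than silently accepted.
    """
    alerts = []
    for ts, host, user, dept, image in events:
        known = baseline.get(dept, set())
        if image.lower() not in known:
            alerts.append({
                "timestamp": ts,
                "host": host,
                "user": user,
                "department": dept,
                "image": image,
                "reason": f"{image} has no baseline for department '{dept}'",
            })
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    for alert in score_events(NEW_EVENTS, base):
        print("ALERT", alert)
```

Run as a script it prints a single alert: Bob's PowerShell session on an engineering workstation is within baseline, while the same executable on Dave's marketing machine is not. A production version would age the baseline, weight by frequency rather than by a simple seen/unseen set, and feed the alert into the automated response the next paragraph describes.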

For zero-trust environments to work at scale, they must be highly automated and orchestrated, with minimal human intervention after policies and rules have been established. In order to effectively protect data within the ZTA, it is up to IT and security teams, working together, to micro-segment networks, to enforce granular access and authorization for users (both people and devices), and to embed security throughout all application tiers and components.

Cyberstorage: IT’s Answer to Ransomware

Protecting data is integral to the IT role. This responsibility goes far beyond the traditional data protection tasks of backing up and restoring data. While that responsibility is key to maintaining business continuity should an attack take place, there is a lot that IT teams can do to stop ransomware attacks before they ever happen.

Better data governance is at the heart of IT’s role in the fight against ransomware. How does data governance fight ransomware? Consider that there is no one in a better position than a storage admin to notice when abnormal behavior takes place that might indicate an attack, such as data losing storage efficiency due to files becoming encrypted. IT teams can also map their data, so they understand where the data is located and which is the most sensitive. Plus, these teams have visibility into and control over permissions, making it possible to enact policies of least privilege.
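The "data losing storage efficiency" signal is measurable: plaintext documents compress and deduplicate well, while ciphertext is indistinguishable from random bytes and does not. The following is an added example, not code from the original post or from NetApp's product. It compares two snapshots of the same files and reports only those that were compressible in the earlier snapshot and look like random data in the later one, so that files which were already incompressible (archives, images) are not reported. The snapshots, paths and contents are constructed in memory; a real check would read a storage snapshot or walk a file system.

```python
"""Storage-level ransomware signal: files that were compressible yesterday
and look like random bytes today.

Added example, not code from the original post or from NetApp. The two
snapshots below are constructed in memory for illustration.
"""
import math
import random
import zlib
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size; near or above 1.0 is incompressible."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 6)) / len(data)


def looks_encrypted(data: bytes, entropy_threshold: float = 7.5,
                    ratio_threshold: float = 0.95) -> bool:
    """Heuristic: high entropy and no compressibility. Thresholds are assumptions."""
    return (shannon_entropy(data) >= entropy_threshold
            and compression_ratio(data) >= ratio_threshold)


def newly_incompressible(before: Dict[str, bytes], after: Dict[str, bytes]) -> List[str]:
    """Paths that were compressible in `before` and look encrypted in `after`.

    Comparing against the earlier state matters: a zip archive or a JPEG is
    incompressible on every day and must not be reported as encrypted.
    """
    flagged = []
    for path, new_data in after.items():
        old_data = before.get(path)
        if old_data is None:
            continue  # new file, no prior state to compare against
        if not looks_encrypted(old_data) and looks_encrypted(new_data):
            flagged.append(path)
    return sorted(flagged)


# Constructed sample snapshots (seeded so the example is deterministic).
_rng = random.Random(20220619)
_text = b"Quarterly revenue figures, region EMEA, draft v3.\n" * 80
_archive = _rng.randbytes(4096)  # stands in for an already-compressed file

BEFORE = {
    "/vol1/finance/q2.csv": _text,
    "/vol1/finance/notes.txt": _text[::-1],
    "/vol1/shared/photos.zip": _archive,
}
AFTER = {
    "/vol1/finance/q2.csv": _rng.randbytes(len(_text)),  # simulated ciphertext
    "/vol1/finance/notes.txt": _text[::-1],              # untouched
    "/vol1/shared/photos.zip": _archive,                 # still incompressible, unchanged
}

if __name__ == "__main__":
    for path in newly_incompressible(BEFORE, AFTER):
        print("possible encryption:", path)
```

Run as a script it reports only `/vol1/finance/q2.csv`. On a storage system the same comparison is cheaper than it looks here, because the dedup and compression savings per volume are already tracked; a sudden drop in those savings is the aggregate form of this per-file check.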

These responsibilities map onto the five core functions of the NIST Cybersecurity Framework (CSF): Identify, Protect, Detect, Respond, and Recover, as shown in Figure 2 below.

Figure 2: Cybersecurity Functions Delivered by a Cyberstorage Stack (Source: U.S. Commerce Department's National Institute of Standards and Technology (NIST) Cybersecurity Framework)

The collective name for such capabilities is cyberstorage.

Cyberstorage solutions add an additional layer of cyber resilience to existing data protection activities for a storage system. These cyberstorage solutions have built-in and proactive capabilities for identifying, protecting against, and responding to ransomware attacks at the data level, instead of just protecting the network perimeter. They monitor and analyze user behavior and data access patterns in order to detect and block ransomware attacks as a last line of defense before data is compromised.

But until recently, there hasn't been a unified toolset to carry out all of these tasks. Some vendors have offered standalone cyberstorage capabilities, with some products aimed at backup, others at data mapping, others at alerting, and so on. This has made it difficult for storage teams to keep data from being siloed, and it introduces multiple points of failure instead of limiting them.

NetApp has a better solution.

NetApp Ransomware Protection: The Most Complete Way for IT to Protect Data

The good news is that NetApp has leveraged its expertise and experience in enterprise data management to offer a cyberstorage solution that quickly detects ransomware and other cyber attacks and either blocks them or limits their blast radius. It's called NetApp Ransomware Protection.

Ransomware Protection takes a zero-trust approach to managing and monitoring storage infrastructure at scale, ensuring that best practices are in place to block ransomware attacks. If data is nonetheless compromised, NetApp makes sure that recovery is quick and comprehensive.

Zero-Trust, Ransomware, and the Next Step in Protecting Your Data

With Ransomware Protection, IT teams have more tools at their disposal to protect their data and their organizations against ransomware than ever before.

For more information on ransomware and the trends that are shaping the responses to it, check out our new guidebook to using cyberstorage in the fight against ransomware.

To learn more about NetApp Ransomware Protection and how to get started, contact us today.


FAQs

What happens in a ransomware attack?

Ransomware is malicious software planted within the corporate network that seeks to reach data resources through stolen credentials, hijacked accounts, or other attack vectors. Once it reaches the data, it encrypts or otherwise renders it inaccessible, causing serious disruption to business activities. A ransom demand, often in cryptocurrency, promises to "free" the data if paid. A newer and worrying trend, often called double extortion, is that data is exfiltrated before being made inaccessible, so the attacker can also threaten to publish it.

Who is behind ransomware attacks?

Today it is very easy for individuals to use ransomware kits or ransomware-as-a-service offerings from the Dark Web to mount ransomware attacks. There are also many ransomware gangs, some purely criminal and others affiliated with terrorist groups, political radicals, or rogue nation-states. Three prominent ransomware gangs are REvil, Conti, and DarkSide.

Can ransomware be removed?

The key to ransomware protection is to prevent its installation altogether, or at least to detect, block, and mitigate attacks as quickly as possible. Once a system has been infected, the malware itself can usually be removed, but removal does not decrypt the data: without the attacker's key or a clean backup, recovery of encrypted files may be impossible, and the cleanup requires a high level of cybersecurity expertise. Depending on the type of ransomware, the removal actions include isolating the infected device, running anti-ransomware software, or manually uninstalling the ransomware executable; restoring data then comes from backups or snapshots that the attack did not reach.