What Is the Data-Centric Approach to Ransomware Protection?

Part of our governance capabilities includes constant insights into your first level of defense: file and folder level permissions. With “Data Sense” permissions analysis, enhanced filtering capabilities, and auditing, you can tighten your security and ensure the right people get access to the right data, at the right level.

Based on access permissions set across your data estate, data gets created only where it’s allowed, and that includes files encrypted by ransomware during an attack. With ONTAP’s file access notification framework (FPolicy), you can block file creation and other operations based on known ransomware file extensions. This policy can be implemented even if an attacking user or computer instance has write permissions to folders.

Using machine learning capabilities, ONTAP is able to identify, prevent, or limit sophisticated ransomware attacks by continuously analyzing workloads (available from ONTAP 9.10.1). This anti-ransomware feature uses workload analysis in NAS (NFS and SMB) environments to proactively detect and warn about abnormal activity that could point to a ransomware attack. When the system detects an attack, anti-ransomware creates a new Snapshot copy in addition to the ongoing protection from scheduled snapshots.

Ongoing user behavior analytics (UBA) is required to identify, prevent, or limit sophisticated ransomware attacks. NetApp’s UBA capability tracks the behavior of individual users and communities to identify typical data access patterns. It then reports when behavior differs from the normal observed pattern. In such cases, UBA can proactively respond by denying access to files and folders where suspicious activity is taking place and take further actions to protect your data using Cloud Secure and FPolicy external mode.

Data stored in ONTAP systems is protected by Snapshot, which is a point-in-time, read-only image of your data that shows exactly what your data looked like the moment the snapshot was taken. Since Snapshot images are read-only, captured data can’t be encrypted and locked by ransomware. With the FlexClone and SnapRestore features, you are able to restore an entire volume or individual files from a snapshot in the event of a ransomware attack, significantly faster than with any other possible recovery method.

Immutable backups, such as those provided by NetApp Cloud Backup, help bring your business back online without having to pay heavy ransoms in the event of an attack. With immutable backups, you can honor customer SLAs and recovery point objectives. Cloud Backup’s incremental forever backups on the block level provide faster restores that are more cost-efficient than any other backup solution on the market.

To add another layer to your data protection strategy, data can be easily and efficiently replicated to a different geographic location. These data recovery sites can be created with Cloud Volumes ONTAP or Amazon FsX for NetApp ONTAP. Since NetApp’s data replication engine replicates your immutable snapshots, your secondary copy is protected and can also be used to recover from attacks. Entire snapshots or individual files can be replicated back to the original location or, in a worst-case scenario, you can failover to your data recovery site and work on a ransomware-free copy of your data.

Air-gapped backups prevent malicious activities from accessing your additional copy of the data. By creating a WORM (Write Once Read Many) volume, SnapLock prevents your production data and snapshots from being tampered with, resulting in a logical air gap of your data that is quickly accessible, safe from deletion, and immutable.

Your Active Directory retains a lot of information and is responsible for many functionalities of your domain assets including resource allocation, authentication, authorization, and more. Therefore, it’s a “holy grail” for infiltrators who use it to gain access, escalate privileges, and collect information on your network. It’s important to constantly monitor your Active Directory with tools like Data Sense to find anomalous activities or unnecessary privilege allocations and remove possible security gaps that exist.

NetApp provides built-in tools to help detect ransomware in early stages. For ONTAP in particular, these tools include Active IQ Unified Manager and Active IQ Digital Advisor. These tools alert about abnormal Snapshot copy and volume growth rates, and loss in storage efficiency, which may indicate an ongoing ransomware attack. They also alert when there are snapshot creation failures and unconfigured security capabilities, such as FPolicy.

NetApp also offers a dedicated Ransomware Protection Dashboard in Cloud Manager that allows you to respond to threats in real time. This dashboard provides your IT teams with insights into the cyber resiliency posture of their entire on-prem and cloud data estate. The dashboard also offers a single interface to multiple ransomware protection tools. The dashboard additionally scores your system’s cyber resiliency and readiness with built-in best practice recommendations. This allows you to identify problem areas without the overhead of searching for them on your own. IT teams can use these advanced defense mechanisms to ensure your most critical data is protected and to strengthen cyber resilience.