Ransomware Defender Product Specification

Use of this document

This document is the functional specification of the product's functionality.

Overview

The Ransomware Defender product monitors audit data on Isilon/PowerScale clusters running OneFS 8.x, 9.0 and 9.1 software. This audit data is analyzed for user IO that resembles Ransomware reading data and encrypting it. It does not detect any type of malware other than Ransomware.

Terms

  1. Eyeglass GUI - the user interface for monitoring, alarms, product configuration and the threats raised.

  2. ECA VMs - the VMs that process audit data and determine threats to production data.



Functional Specification Description

  1. Dependencies 

    1. Read audit data for supported OneFS releases

      1. An NFS mount of the cluster is used to read audit data

      2. If the NFS mount to the ECA software is impacted by a network issue, no audit data will be read and analysis will be impacted. This condition is monitored by the health check process called Security Guard, which must be used to monitor normal operations; it validates that audit data is being read and processed.

    2. Cluster API is reachable

    3. NTP

    4. Disk latency below published specifications for VM’s

    5. AD is reachable via cluster API 

    6. VM disk latency is below the product specification in the documentation

    7. RAM is allocated without oversubscription of the memory on the host running Ransomware Defender

    8. Auditing must be enabled on any access zone that will be protected

    9. Cluster must be licensed for Ransomware Defender 

    10. Only available as a VMware OVA or Hyper-V image

  2. Patching

    1. The product does not support hotfix patching and requires a complete upgrade of the software version or build number to apply any patch

    2. Operating system patches are not provided and must be downloaded directly from the official openSUSE online repositories

  3. Compatibility 

    1. The product does not support forward compatibility with target devices and will require a software upgrade to support a newer version of a target device. This includes minor or build number changes of the target device.

  4. Appliance Modifications

    1. Modifying the operating system packages, removing or adding packages, or changing the OS configuration is not covered by support; customers must support OS modifications and perform the necessary testing. No support is provided for customer modifications, with the exception of applying openSUSE OS package patches that shipped with the original appliance or following a published procedure in the documentation.

  5. Operational Procedures

    1. If the documentation does not list a procedure, it is explicitly unsupported unless support provides a procedure.

  6. Installation

    1. This product is not customer installable and must be installed and configured by professional services for correct deployment and validation of the software integration with the cluster.

  7. Use limitations

    1. Combining this product with any other product is a violation of the specification and documentation unless the combination is described in the documentation.

  8. Analyze Audit data by:

    1. NOTE: Even when used in accordance with the documentation found at https://manuals.supernaeyeglass.com/project-eyeglass-administration-guides/HTML/eyeglass-ransomware-admin-guide.html, this section still applies.

    2. Sampling audit events, which by definition means building patterns over windows of time; the window bounds the analysis of a pattern. Dual vector detectors use audit data over larger windows to mitigate this.

    3. Processing means reading sampled audit events into the threat detector module

      1. Threat detectors look for patterns over a time period or window of time to determine if a threat has been detected.

      2. Detector types

        1. File extension - a list of 2400+ extensions that have been associated with Ransomware in the past. This is not guaranteed to be an exhaustive list, and new extensions will not be added on a timeline that allows this method to be depended on as a primary detection vector.

        2. Honeypot files - requires customers to configure files on shares or exports, allowing a "trip wire" file to be monitored for encryption IO events. If not configured by the customer, this detection method will not function, which reduces protection.

        3. Behavior based detection -  successive user operations that appear to be reading files in bulk, encrypting the data and then handling the source unencrypted file via deletes or rename operations.  

      3. Design Specification Limitations

        1. It is expected that, based on the above mathematical permutations, in some cases Ransomware behaviors may go unnoticed. This is expected in order to reduce false positives. It is a balance of processing time and sampling behaviours to provide increased detections at a reduced cost, but it exposes gaps in detection. To mitigate this, all configuration options and detections should be used, including the tripwire honeypot files. Multi vector detectors can be configured and should be set up by customers post installation.

        2. False positives are expected by design and may lead to excessive snapshots, up to cluster limits, before corrective action can be taken. A false positive may also lock out an application; customers are expected to follow operating procedures to protect service accounts from lockout using the ignore list or monitor lists.

        3. Affected files list - the CSV list of files provided by the product is not an exhaustive list of affected files. Easy Auditor or 3rd party audit products should be used to report on all files touched by an affected user. The design intent is to provide a list of some of the files that tripped the detector.

        4. Detection variables and limitations

          1. NOTE: Even when used in accordance with the documentation found at https://manuals.supernaeyeglass.com/project-eyeglass-administration-guides/HTML/eyeglass-ransomware-admin-guide.html and this specification, the limitations in this section still apply.

          2. The rate of the user behavior, the time window over which the sample is taken, and the sample of audit events used for analysis mean that a detection can be missed. It is expected that a behavior may be missed when analysing all permutations of time window, detectors and a sample of the source audit data.

          3. User understands: operational monitoring and documented procedures mitigate this customer risk by monitoring alarms, verifying that Security Guard is operating normally, and configuring honeypot files within the file system. Various configuration options reduce protection but simplify operations; customer choices affect the protection the product offers.

          4. User understands: combining all detection methods will mitigate missed detections but will not eliminate the possibility that a detection is missed. This means a variant of Ransomware may go undetected, leaving the file system without detection or protection. Backups and snapshots, or a cyber vault, are expected to exist.

          5. In addition, a cyber vault or Airgap, as described in the documentation, offers additional mitigation but must be configured to achieve the highest level of data protection.

          6. Customer configuration can be set to alert only (monitor mode) and snapshots can be disabled. This mode reduces protection, as described in the documentation.

          7. Monitor only mode will not attempt to disconnect a suspect user and so does not reduce the number of files impacted in an attack. Enabling enforcement mode to protect the file system is a customer decision.

      4. Detection processing

        1. Each user has individual learned detection settings if learning mode is used.  This mode observes IO and customizes settings to remove 80% of the false positives.

        2. Default settings are used for any user without custom settings

        3. Once a security event is detected:

          1. Send alarm about new security event

          2. Lookup user AD groups from cache

          3. Resolve SMB share access

          4. Store files in security events to CSV file

          5. Update SMB shares with deny read permission for the user involved

          6. Generate snapshots on smb shares

          7. Update log for event with timestamps throughout processing logic

          8. Done

      5. Detection processing scenarios that alter processing logic

        1. These lists alter processing based on the above logic

          1. Whitelist by path, user or IP will ignore any detection that matches the filters

          2. Monitor mode path, user, or ip will skip lockout step for any detections that match the filters.

        2. Snapshot mode 

          1. Enabled will trigger snapshots, disabled will not snapshot

        3. Critical mode 

          1. Disabled means no immediate real time lockout will occur and only timed lockout

        4. File extension processing

          1. File extensions can be enabled (enforced), disabled (ignored) or monitor mode which disables lockout logic as per above.

      6. Flag as false positive and learning mode

        1. Monitor detections and the peak values seen (highest rate), and raise the detector settings by .3 relative to the defaults. This process is manually triggered or automated with learning mode.

        2. The outcome of the analysis is visible in the GUI and can be deleted by admins to relearn. A manual detector CLI also exists to customize by hand.

      7. File banned list available as a versioned file that allows customers to switch between versions, i.e. the current version and a new version.

        1. Custom file extensions are supported allowing customers to add any extensions to the list

    4. Event data is stored as a CSV for each user and provides a sample of the affected files in the database.

      1. CSV includes file, path, detector, date and time, user ID, file extension 
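The post-detection response described in 8.3.4.3, the whitelist/monitor/snapshot/critical/extension modes of 8.3.5 and the per-user CSV of 8.4.1, modelled as an added example (not Superna's code). Field names, action names, the glob matching of paths and the CSV column order are assumptions.

```python
import csv
import io
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Hypothetical models; field and action names are assumptions, not the product's own.
@dataclass
class Detection:
    user: str
    ip: str
    path: str       # SMB share path that tripped the detector
    detector: str   # "extension", "honeypot" or "behavior"
    when: str       # date and time of the event, ISO 8601
    files: list     # sample of affected files, not an exhaustive list

@dataclass
class Policy:
    whitelist: dict = field(default_factory=dict)  # {"path": [globs], "user": [...], "ip": [...]}
    monitor: dict = field(default_factory=dict)    # same shape; matching detections skip lockout
    snapshot_mode: bool = True                     # disabled -> no snapshots
    critical_mode: bool = True                     # disabled -> timed lockout only, no immediate one
    extension_mode: str = "enforced"               # "enforced", "ignored" or "monitor"

def _matches(filters, det):
    return (any(fnmatch(det.path, g) for g in filters.get("path", []))
            or det.user in filters.get("user", [])
            or det.ip in filters.get("ip", []))

def plan_response(det, policy):
    """Ordered actions for a detection as altered by the mode lists; [] means ignored."""
    if _matches(policy.whitelist, det) or (det.detector == "extension" and policy.extension_mode == "ignored"):
        return []
    actions = ["alarm", "lookup_ad_groups", "resolve_smb_shares", "write_csv"]
    monitor_only = _matches(policy.monitor, det) or (
        det.detector == "extension" and policy.extension_mode == "monitor")
    if not monitor_only:  # lockout = deny read on the user's SMB shares
        actions.append("deny_read" if policy.critical_mode else "timed_lockout")
    if policy.snapshot_mode:
        actions.append("snapshot")
    actions.append("log_timestamps")
    return actions

def event_csv(det):
    """Per-user CSV: file, path, detector, date and time, user ID, file extension."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["file", "path", "detector", "datetime", "user_id", "extension"])
    for name in det.files:
        w.writerow([name, det.path, det.detector, det.when, det.user, name.rsplit(".", 1)[1] if "." in name else ""])
    return buf.getvalue()
```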

  9. Airgap Function

    1. This function automates syncing data using SyncIQ between Isilon or PowerScale clusters on a closed private network for the purpose of maintaining an offline copy of data. This helps ensure best practices for data protection.

    2. Two product options are available: automation outside the vault network, and automation inside the vault, which requires a different license.

      1. Licenses

        1. Airgap Enterprise

          1. License required for vault agent VM deployment inside the vault

    3. Enterprise airgap operates inside the vault on the vault cluster management network, a secured and closed network. The cluster IP interfaces are added or deleted to allow SyncIQ to reach the vault cluster.

    4. Management

      1. During airgap sync operations, alarms are retrieved from the vault cluster over an SSH session from the production protected cluster. This requires the PAPI to be reachable and uses a vault user with the minimum permissions needed to collect alarms. These alarms are proxied to users through the Eyeglass email or syslog alarm subsystem.

      2. The Enterprise vault agent VM pushes logs during airgap sync operations to the Eyeglass VM using SSH and API, storing the logs on Eyeglass for support purposes.

      3. Scheduled airgap maintenance can be requested from Eyeglass on an interval of every 2 hours (enterprise airgap) or on demand (basic airgap). This uses a heartbeat process that checks for maintenance requests created with a CLI command on Eyeglass. Maintenance activities include debugging or software upgrades.

    5. Reporting

      1. Both versions offer reporting that tracks synciq replication using the reports to summarize success or failures and includes other metrics such as throughput, sync duration, quantity of data replicated. This report is scheduled daily and reports are visible in the airgap Icon management interface.

    6. Monitoring

      1. Both versions offer monitoring of airgap job steps from the airgap management interface showing previous executions and access to reports that summarize replication status

      2. Proxy alarms from the vault hardware are viewable in the alarm icon interface

    7. Smart Airgap

      1. This feature checks the threat level determined by Ransomware Defender or Easy Auditor; if an active threat is raised in either product, any scheduled sync to the vault is paused to keep the vault cluster offline. The administrator must clear the active alarms before normal sync operations will continue.

    8. Configuration

      1. Adding the static route and the service user used to get alarms from the vault cluster, and the schedule of data sync to the vault cluster

      2. The Enterprise version also requires control of the schedules, which must be enabled for the Enterprise version

    9. Data Security

      1. The solution adds significant protection by maintaining an offline copy of data. The solution requires that operational steps are followed and that all devices used in the airgap, including switches, routers, firewalls and the vault cluster, are patched regularly with security related patches, including the OS on all Eyeglass VMs.

      2. The solution reduces the potential for the data in the vault to be compromised but does not eliminate all possible attacks or threats to the data in the vault. Physical threats, insider threats or other threat risks are not reduced to a zero percent possibility. The solution reduces this potential if all operational guidelines are followed. No guarantee or warranty is made that the threat is reduced to zero or that the vault data cannot be compromised.

  10. Installation Knowledge Transfer post installation

    1. The product installation process informs customers of the decisions they own to determine the protection and activation of protection features.

    2. The default product installation requires customer action to enter enforcement.

  11. Operational Expectations for all deployments

    1. Ransomware Defender is a component of an overall security solution that must include the following best practices in order to correctly deploy a security solution.  The operational steps below are expected to be followed for correctly using and integrating Ransomware Defender into a security solution.

      1. A data security plan should include multiple layers of security including endpoint protection and a backup system to recover data.  Ransomware Defender is not intended to replace other security solutions or backups of your data.

      2. Backup data should be stored off line so that it is not connected to the network.  An offline backup is a requirement in all scenarios.

      3. Network monitoring tools and SIEM tools, with logging and monitoring of all key components and high risk systems, including the storage environment.

      4. The specification and operational management of this product requires the following:

        1. The product may not detect or prevent any or all malicious code, and use of the licensed program and related updates or upgrades will not necessarily keep the company's network or computer systems free from viruses or other malicious or unwanted content, or safe from intrusions or other security breaches

        2. Product usage assumes endpoint protection Anti-virus software is in place on all operating systems, devices, computers.

        3. All computers with operating systems are patched regularly

        4. All CVEs are acted upon, with patches and remediation applied to all devices within the IT infrastructure.

        5. All firewalls, security devices are running current versions and configured correctly to protect networks

        6. The compute infrastructure is maintained and provides the minimum product requirements for CPU, memory and disk latency.

        7. The end users and IT are trained to respond to a Ransomware attack and have a run book to respond to an incident.

        8. End users are trained regularly for phishing attacks and social attacks intended to compromise computers with Malware/Ransomware

        9. All product alerts are acted on in a timely manner to ensure processing of audit data is protecting the file system.

        10. Security guard product is monitored daily for proper product functionality

        11. Honeypot feature is implemented fully to offer maximum security level of protection.



© Superna Inc