How to determine threat response settings to meet your Company’s Risk Profile
Ransomware Defender Protection Modes

The three modes all protect the file system, and each mode determines how you should respond to alarms. The target event rate is < 1 per day; see the process below for reaching that rate with learning mode.



How to determine threat response settings to meet your Company’s Risk Profile

The Ransomware Defender product has several options to tune the detection of, and response to, a ransomware attack. The more sensitive the detection, the more likely a false positive is. Threat response options are outlined below with business impact considerations for each option. Review this section to determine how to configure the product in your environment.

Risk tolerance and business impact need to be assessed to determine the best settings for your environment.  The section below outlines the recommendations for each threat detection level.

Threat Level Severity: Warning
  Action: No action taken. Email alert is sent.
  Snapshot Data Protection and Recovery Enabled (all shares a user can access have a snapshot applied): Yes
  Business Impact: No impact on applications or user access to data. A snapshot is applied to protect the file system.

Threat Level Severity: Major
  Action: Timed lockout of user. Email alert is sent.
  Snapshot Data Protection and Recovery Enabled: Yes
  Business Impact: Business applications or servers that write data and are not added to the ignore list can be locked out.
    Impact: application downtime until access is restored.
    Recommendation: add them to the ignore list.

Threat Level Severity: Critical
  Action: Immediate lockout of user. Email alert is sent.
  Snapshot Data Protection and Recovery Enabled: Yes
  Business Impact:
    Impact: application downtime until access is restored. There is no wait time between detection and lockout for administrators to determine an action.
    Recommendation: add to the ignore list or disable critical actions.

Threat Response Settings

Automated Threat Responses Settings

  1. Critical Severity - lockout of the user account is immediate
  2. Major Severity - a delayed lockout Grace Period is set (user account lockout delayed by X minutes)
  3. Auto Snapshot of the file system at the share path - on detection of ANY severity

Recommended Threat Response Setting for Low Risk tolerance

Monitor Only Mode enabled - Email Alerts

Recommended Threat Response Settings for Medium Risk tolerance

NOTE: In this configuration, files can continue to be encrypted for up to the Grace Period value, but a snapshot taken at the point of detection protects the file system and allows accelerated recovery of files. The security event lists all affected files, from which a recovery list can be built.

  1. Uncheck “Critical on Mode” to disable immediate lockouts.
  2. Set the Major delayed lockout timer (Grace Period) to a value that allows an administrator to respond and determine whether the lockout should occur. (In the screenshot below the “Grace Period” is set to 60 minutes.)
  3. Enable “Create Snapshot” mode.

Recommended Threat Response Settings for Medium-High Risk tolerance

NOTE: In this configuration users are locked out immediately, so the risk of a false-positive lockout is higher.

  1. Check “Critical on Mode” to enable immediate lockouts.
  2. Set the Major delayed lockout timer (“Grace Period”) to a value that allows an administrator to respond and determine whether the lockout should occur. (In the screenshot below the “Grace Period” is set to 60 minutes.)
  3. Enable “Create Snapshot” mode.
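The following is an added example, not Superna's code or configuration schema, that models the automated threat response settings and the three risk-tolerance profiles above so an administrator can see what each profile does for a given event before changing settings. The setting names (monitor_only, critical_on_mode, grace_period_minutes, create_snapshot, ignore_list), the profile constants, and the rule that a Critical event with “Critical on Mode” disabled follows the Major Grace Period timer are this example's own assumptions; the timestamps and account names are constructed. It also includes a check against the < 1 event per day tuning target from the protection modes section.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional

# Hypothetical model of the automated threat response settings described above.
# Field names are this example's own, not the product's configuration keys.
@dataclass(frozen=True)
class ThreatResponseSettings:
    monitor_only: bool = False          # Monitor Only Mode: email alerts, no lockouts
    critical_on_mode: bool = True       # immediate lockout on a Critical event
    grace_period_minutes: int = 60      # Major: lockout delayed by this many minutes
    create_snapshot: bool = True        # snapshot the share path on ANY severity
    ignore_list: FrozenSet[str] = frozenset()  # service accounts exempt from lockout


@dataclass(frozen=True)
class Response:
    email_alert: bool
    snapshot: bool
    lockout_at: Optional[datetime]      # None means no lockout is scheduled
    note: str


SEVERITIES = ("warning", "major", "critical")


def evaluate(settings: ThreatResponseSettings, severity: str,
             user: str, detected_at: datetime) -> Response:
    """Return the automated response for one security event."""
    severity = severity.lower()
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity}")
    snapshot = settings.create_snapshot   # taken at detection regardless of severity
    grace = timedelta(minutes=settings.grace_period_minutes)

    if severity == "warning" or settings.monitor_only:
        return Response(True, snapshot, None, "email alert only")
    if user in settings.ignore_list:
        return Response(True, snapshot, None, "user on ignore list, lockout skipped")
    if severity == "critical" and settings.critical_on_mode:
        return Response(True, snapshot, detected_at, "immediate lockout")
    # Major, or Critical with "Critical on Mode" disabled: assumed here to follow
    # the Major timer, so an administrator has the Grace Period to intervene.
    return Response(True, snapshot, detected_at + grace,
                    f"lockout after {settings.grace_period_minutes} minute Grace Period")


# The three risk-tolerance profiles recommended in this guide (assumed mapping).
LOW_RISK = ThreatResponseSettings(monitor_only=True, critical_on_mode=False)
MEDIUM_RISK = ThreatResponseSettings(critical_on_mode=False, grace_period_minutes=60)
MEDIUM_HIGH_RISK = ThreatResponseSettings(critical_on_mode=True, grace_period_minutes=60)


def alerts_per_day(detections: List[datetime]) -> float:
    """Average alert rate over the observed span (minimum span of one day)."""
    if not detections:
        return 0.0
    span_days = max((max(detections) - min(detections)) / timedelta(days=1), 1.0)
    return len(detections) / span_days


def meets_tuning_target(detections: List[datetime]) -> bool:
    """The guide's tuning target: fewer than one event per day."""
    return alerts_per_day(detections) < 1.0


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)   # constructed detection time
    profiles = (("low", LOW_RISK), ("medium", MEDIUM_RISK), ("medium-high", MEDIUM_HIGH_RISK))
    for name, profile in profiles:
        for sev in SEVERITIES:
            r = evaluate(profile, sev, "alice", t0)   # constructed user name
            print(f"{name:12} {sev:9} snapshot={r.snapshot} lockout_at={r.lockout_at}  {r.note}")
```

Running the block prints the response each profile produces for a Warning, Major and Critical event, which makes the trade-off explicit: the medium profile always leaves the Grace Period as the exposure window, while the medium-high profile removes that window for Critical events at the cost of immediate false-positive lockouts. Service accounts placed on the ignore_list are exempt from lockout in every profile, which is the page's recommended mitigation for applications and servers that write data.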

© Superna LLC