Ransomware - Threat Detection Settings Summary Explanation


Ransomware - Threat Detection Summary Explanation

Ransomware Defender uses threat detectors to create detection signals. Four detection vectors execute in real time:

  1. User behavior detection
  2. Honey pot file (trip wire) detection
  3. Banned file extension detection
  4. Multi-user escalation: if signals are being tripped for multiple users, Ransomware Defender escalates the severity of all security events more quickly than it would by considering each user in isolation.

A security event is raised when the criteria for Warning, Major or Critical have been met. The criteria used to evaluate the severity of a security event require:

  1. The cumulative number of signals for a single user has crossed the signal strength threshold defined for Warning, Major or Critical within a sliding window evaluated over the time interval configured for that severity. See the image below for recommended settings. (NOTE: These settings should not be changed without consulting support.)
  2. NOTE: Each new signal received triggers a calculation to determine whether the event is a Warning, Major or Critical. A security event matches only the highest severity after all three calculations are completed.
  3. NOTE: A security event can be upgraded to the next higher severity when the cumulative signal count crosses the next threshold. The corresponding user action then applies: Warning sends an alert only, Major applies a timed lockout, Critical applies an immediate lockout; snapshots are used for all severities.

Dual Vector Warning Detection in 2.5.7 or later

A new behavioral detection option looks for a different pattern of behavior within the Warning severity. It adds one additional pattern of suspicious user activity that is designed to ignore short spikes in user detection signals and provides a new analysis vector on user IO behavior to generate warnings. Signals are analyzed against both a single vector and a dual vector detection function: one vector on its own may not trip a warning, but the dual vector logic can still detect the pattern and raise one.

The feature also allows customization: any number (N) of dual vector detection settings can be added by clicking the add button. The product defaults to one single vector and one dual vector setting. NOTE: Warnings trigger proactive snapshots on all shares accessible to the user.

In the screenshot example below:

  1. The Single Vector Warning is the default setting carried over from releases before 2.5.7: 80 or more signals in a 5 minute window trigger a warning, regardless of when within the 5 minute window the 80 signals appear. This is a single vector detection.
  2. The Dual Vector Warning is 30 signals in a 30 minute window, but the 15 signals must also persist over a period of more than 10 minutes from the first signal timestamp to the last signal timestamp. This second vector raises a warning only if both conditions are true, and it operates within the first window (30 minutes in this example).
    1. Additional dual vector triggers can be added.
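The single and dual vector evaluation described above, as an added Python example that is not part of Superna's product code. It assumes a per-user list of signal timestamps in seconds and a sliding window that closes at the newest signal, and uses the thresholds quoted on this page (80 signals in 5 minutes; 30 signals in 30 minutes that also persist for more than 10 minutes); the `Vector` class, the function names and the sample inputs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vector:
    """One warning detection vector (assumed structure; thresholds taken from the page text)."""
    name: str
    min_signals: int        # signal count that must be reached inside the window
    window_s: int           # sliding window length in seconds
    min_spread_s: int = 0   # dual vector only: first-to-last signal span must exceed this


# Defaults as described on this page: single vector = 80 signals in 5 minutes,
# dual vector = 30 signals in 30 minutes that also persist for more than 10 minutes.
WARNING_VECTORS = (
    Vector("single", min_signals=80, window_s=5 * 60),
    Vector("dual", min_signals=30, window_s=30 * 60, min_spread_s=10 * 60),
)


def vector_tripped(vector, timestamps, now):
    """True if this vector's conditions hold for the sliding window ending at `now` (seconds)."""
    hits = [t for t in timestamps if now - vector.window_s < t <= now]
    if len(hits) < vector.min_signals:
        return False
    # A dual vector additionally requires the signals to persist, which filters out short spikes.
    return vector.min_spread_s == 0 or max(hits) - min(hits) > vector.min_spread_s


def evaluate_on_signal(timestamps, vectors=WARNING_VECTORS):
    """Re-run every warning vector when a new signal arrives; the newest signal closes the window."""
    if not timestamps:
        return []
    now = max(timestamps)
    return [v.name for v in vectors if vector_tripped(v, timestamps, now)]


def even_signals(start_s, count, duration_s):
    """Constructed sample input: `count` signals spread evenly over `duration_s` seconds."""
    step = duration_s / max(count - 1, 1)
    return [start_s + i * step for i in range(count)]


if __name__ == "__main__":
    # 80 signals in 4 minutes: a burst that the single vector catches.
    print(evaluate_on_signal(even_signals(0, 80, 4 * 60)))    # ['single']
    # 30 signals over 20 minutes: too slow for the single vector, caught by the dual vector.
    print(evaluate_on_signal(even_signals(0, 30, 20 * 60)))   # ['dual']
    # 30 signals in 1 minute: a spike the dual vector ignores and the single vector does not reach.
    print(evaluate_on_signal(even_signals(0, 30, 60)))        # []
```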




Ransomware Security Signal Events and Detection Overview

Ransomware Defender is a per-user monitoring solution that operates at PowerScale and Dell ECS scale. Each user's file activity is monitored individually for behaviors that trigger threat detection patterns. This provides a zero day solution that identifies patterns of IO, which are detected and weighted, without relying on definition-file-based detection.

The weight is called “signal strength” and determines how Eyeglass responds to the threat.

Three threat levels are defined:

  1. Warning - No action is taken; only an alarm email is sent to the administrator
  2. Major - Timed lock of the user account, in minutes from the event
  3. Critical - Immediate lockout of the user account

Eyeglass Active Responses to Threats

  1. Lockout means deny permission is applied on all shares the user has access to across all managed PowerScale clusters (not just the cluster where the event was detected)
  2. (Isilon/PowerScale only) Create snapshots if suspicious events are seen, snapshotting all shares the user has access to. This feature can be enabled or disabled and applies to Warning, Major and Critical event types.
    1. It protects share paths with a uniquely named snapshot, one per share detected for the user, with a default expiry of 48 hours
    2. In a multi-user infection scenario, this can protect the 2nd, 3rd, etc. user’s data on group shares that were snapshotted because of the first user’s infection. This offers maximum data protection.
    3. An IGLS command is available to change the default expiry on snapshots. See Eyeglass Ransomware Defender CLI in this guide.
© Superna LLC