Administration Guides

Security Guard - Automated Security Testing


Overview


Ransomware Defender monitors cluster IO for suspicious user behavior.  Under normal day to day conditions, no actions are required since alerts are sent in the event of a Warning, Major or Critical security event.

The Security Guard feature simulates a Ransomware attack on a daily basis to validate that all components are functioning, including alerting and lockout of user sessions. Once configured, administrators get daily updates confirming that Ransomware Defender is actively monitoring and responding to Ransomware events.

This offers you the highest level of confidence that your environment is ready in the event that a malicious virus is inside your network and finds shares whose data it can attack.

The feature creates a honeypot share named igls-securityguard in the System Zone of each cluster managed by a Ransomware agent license key. The feature can simulate an attack on demand or on a scheduled interval.

Simulated Attack

  1. Creates the share automatically, secured to the service account.
  2. Share name: igls-securityguard (Isilon).
  3. Bucket name: xxx (ECS).
  4. Cleans up old files from the last execution.
  5. Creates test files using a well-known extension to trigger a simulated attack response from the Ransomware Defender Clustered agent.
  6. Verifies that the user lockout occurs by checking that files cannot be written to the share.
  7. Initiates the recovery of the user and verifies access to the share again.
  8. Reports success or failure per step.
  9. Emails the results to the administrator.

Prerequisites (Isilon PowerScale and ECS)

  1. Service Account Test User (Isilon PowerScale)
    1. A local PowerScale user created in the System Zone local provider, for example igls-securityguard.
    2. Use an Active Directory service user only if multiple clusters are licensed for Security Guard. Best practice for a single cluster is a local account.
    3. System Zone must be enabled in the audit configuration on the PowerScale cluster.
  2. Security Guard Service Account Test User (ECS)
    1. Create a bucket object user.
    2. Click Next to add passwords.
    3. Use the Generate and add keys button.
    4. Record the secret key to enter into the Security Guard configuration.
  3. Repeat the steps above to create the Bucket Version service account user, which is used to enable bucket versioning to protect buckets that are under attack. Bucket versioning protects objects using the version feature on the ECS cluster.
    1. Create the bucket version user eyeglassversions.
    2. Save the secret key to update on the ECS cluster.
    3. Open the Inventory icon.
    4. Right click the ECS cluster.
    5. Click Add to, fill in the namespace, user and secret key, and click Submit to save. See the bucket version configuration in the ECS section of the guide.

Security Guard Lockout Behavior (Isilon PowerScale)

  1. The user does not need to be added to any shares. Security Guard creates its own share in the System Zone called igls-securityguard and adds the service account user to the share.
  2. If you add the service account user to other shares, only the igls-securityguard share will have files written during the execution of a simulated attack.
  3. Additional shares that have the service account added to the share permissions WILL have the service account access locked out during simulated attacks.

Configuration (Isilon PowerScale)

  1. Open the Ransomware Defender window on the desktop and select the Security Guard tab.
  2. For a local PowerScale user, enter username@clustername.
    1. NOTE: for a multi-cluster setup with an AD user, enter the user as user@domain.com (replace with your AD domain).
  3. Settings:
    1. Enable Security Guard Tasks.
    2. Interval Between Runs - set the interval to schedule simulated attacks.
  4. Select the checkbox of each cluster to simulate the attack.
  5. Submit - saves settings.
  6. Run Now - tests Security Guard on demand.


How to Run an On Demand Security Guard Penetration Test (Isilon PowerScale)

  1. Open the Ransomware Defender window (see screenshot below).
  2. Select the Security Guard tab.
  3. Select each licensed cluster to test.
  4. Select Run Now (see screenshot below).
  5. Open the Jobs window.
  6. Use the Running Jobs tab to monitor progress (see screenshot below).

How to Review Security Guard Penetration Test History and Logs (Isilon PowerScale)

  1. Open the Ransomware Defender window.
  2. Select the Security Guard tab.
  3. Select each licensed cluster to test.
  4. Select Run Now (see screenshot below).
  5. Click the Open link to review results.


How to Test Ransomware Defender with Your Own Custom File Extension (Isilon PowerScale)

  1. Use this feature to test with your own file extension, allowing you to test complete user lockout and recovery.
  2. Requirements:
    1. Release 2.5.7 or later
  3. Configuration
    1. Open the Ransomware Defender icon.
    2. Click the File Filters tab.
    3. Click the Add file extension button.
    4. Add a custom file extension that is unique for testing and not used in your environment (this is an important step). Select the Enable option to add the extension.
    5. Now check the Critical Threshold value on the Thresholds tab and record this value.
  4. How to test
    1. Mount a share via a SmartConnect name in an access zone with auditing enabled, for example \\fqdn\smb-share-name.
    2. Create more files with your custom file extension than the Critical Threshold value to trigger a lockout.
    3. You can now test creating files with this extension to trigger a lockout action and the restore workflow. This can also be used to test alarm creation for integration with SIEM tools.
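The custom-extension test above is easy to script so that each run gives a per-step pass/fail record, the way the built-in Security Guard job does. The Python harness below is an added example for this guide, not Superna's code and not the product's own Security Guard implementation. It assumes the share is mounted at a local path you pass on the command line, that the extension (`.sgtest` here, a constructed value) is one you registered under File Filters and use nowhere else, and that a denied write on the locked-out share surfaces as a `PermissionError`. It mirrors the phases described on this page: clean up the previous run's files, write more files than the recorded Critical Threshold, poll for write denial within a detection window (the built-in job writes 100 files at one per second, so its window is 100 seconds), then, once you have run your restore workflow, poll for write access to return.

```python
"""Lab harness for the custom-extension lockout test (added example).

Phases: clean up old test files -> write (threshold + margin) files ->
wait for lockout -> wait for restore. Paths, names and timings are
assumptions for the example, not product values."""
import sys
import tempfile
import time
from pathlib import Path

# ASSUMPTION: a test-only extension registered under File Filters and not
# used anywhere else in the environment (constructed value for this example).
TEST_EXTENSION = ".sgtest"
FILE_PREFIX = "securityguard-"


def make_scratch_dir() -> str:
    """Temporary local directory standing in for the mounted share."""
    return tempfile.mkdtemp(prefix="sgtest-")


def cleanup_test_files(target_dir: str) -> int:
    """Remove files left by a previous run. Returns the number removed."""
    removed = 0
    for p in Path(target_dir).glob(f"{FILE_PREFIX}*{TEST_EXTENSION}"):
        try:
            p.unlink()
            removed += 1
        except PermissionError:
            pass  # a lockout from an earlier run may still be active
    return removed


def write_test_files(target_dir: str, count: int, delay_s: float = 0.0) -> list:
    """Create `count` files with the test extension, pausing `delay_s` between
    writes (Security Guard itself writes one file per second). Stops at the
    first PermissionError, which is the expected sign that lockout kicked in."""
    created = []
    for i in range(count):
        path = Path(target_dir) / f"{FILE_PREFIX}{i:04d}{TEST_EXTENSION}"
        try:
            path.write_bytes(b"security guard test file\n")
        except PermissionError:
            break
        created.append(str(path))
        if delay_s:
            time.sleep(delay_s)
    return created


def probe_write_access(target_dir: str) -> bool:
    """True if a new file can still be written to (and deleted from) the share."""
    probe = Path(target_dir) / f"{FILE_PREFIX}probe{TEST_EXTENSION}"
    try:
        probe.write_bytes(b"probe\n")
        probe.unlink()
        return True
    except PermissionError:
        return False


def wait_until(target_dir: str, want_writable: bool, timeout_s: float,
               poll_s: float = 1.0) -> bool:
    """Poll until write access equals `want_writable` or the timeout elapses."""
    deadline = time.monotonic() + timeout_s
    while True:
        if probe_write_access(target_dir) == want_writable:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll_s)


def run_simulation(target_dir: str, critical_threshold: int,
                   detection_window_s: float, restore_window_s: float,
                   delay_s: float = 0.0) -> dict:
    """Run the phases and report success or failure per step."""
    report = {"cleanup_removed": cleanup_test_files(target_dir)}
    created = write_test_files(target_dir, critical_threshold + 10, delay_s)
    report["files_written"] = len(created)
    # Phase 1: the write burst must be detected and the user locked out.
    report["lockout_observed"] = wait_until(target_dir, False, detection_window_s)
    # Phase 2: after the restore workflow, write access must return.
    report["restore_observed"] = (report["lockout_observed"]
                                  and wait_until(target_dir, True, restore_window_s))
    report["passed"] = report["lockout_observed"] and report["restore_observed"]
    return report


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: sg_harness.py <mounted-share-path> <critical-threshold>")
    print(run_simulation(sys.argv[1], int(sys.argv[2]),
                         detection_window_s=100, restore_window_s=300, delay_s=1.0))
```

Run it against the mounted share with the Critical Threshold you recorded from the Thresholds tab; a `passed` of `False` with `lockout_observed` `False` means the write burst was not detected inside the detection window, which is the same failure mode the Advanced Configuration section attributes to delayed audit events, and the window argument is the knob to widen while you investigate. Against a plain local directory (no Ransomware Defender in the path) the report will always show no lockout, which is a useful sanity check that the harness itself is working.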


Configuration (ECS)

  1. Requirements
    1. Release 2.5.8 or later
    2. ECS added to inventory
    3. securityguard object user service account is created
  2. Open the Security Guard tab and scroll to the bottom.
  3. Fill in the fields for the ECS cluster, the namespace for the bucket, the object user and the secret key.
  4. Click Submit.
  5. Now select the ECS cluster in the Job Settings area, click Enable Task, set the Security Guard interval to 24 hours and click the Submit button to save settings.



Security Guard Lockout Behavior (ECS)

  1. The bucket is created automatically and the object user is added to the bucket for testing.
  2. The object user should not be used for any other purpose, and the user should not be assigned to any other buckets.

How to Run an On Demand Security Guard Penetration Test (ECS)

  1. Open the Ransomware Defender window (see screenshot below).
  2. Select the Security Guard tab.
  3. Select the licensed ECS cluster to test in the Job Settings section.
  4. Select Run Now (see screenshot below).
  5. Open the Jobs icon window.
  6. View the Running Jobs tab to monitor progress (see screenshot below).






Advanced Configuration: Security Guard CLI Commands (Isilon PowerScale)

In some environments, audit events are delayed before they are sent to the ECA for processing. The Security Guard feature writes 100 files, one per second. If detection of the events does not occur within these 100 seconds, Security Guard will fail the test.

The second phase of Security Guard restores user permissions and tests write access to the share again. This step can also have a timer applied to extend the time between the lockout and restore steps, allowing authentication and share settings to replicate to the cluster.

These advanced settings can be configured from the CLI to check the timers and set new, higher values.

Consult the Ransomware CLI guide.



© Superna LLC