Zero Trust API Admin Guide

Overview

The Zero Trust API is an add-on licensed feature for Ransomware Defender. It provides an XDR or SIEM plugin that bridges the gap between the storage security domain and traditional XDR/SIEM capabilities.


What is XDR?


Extended Detection and Response (XDR) is a security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system, unifying the analysis of security events across domains and detection vectors. It should automatically correlate data across multiple security layers: email, endpoint, server, cloud workload, and network.

What problem does Zero Trust API address?


All attackers target data, but most XDR solutions lack inputs from the storage security domain, creating a blind spot.


This blind spot prevents XDR platforms from detecting a threat at the storage layer, or from responding to one by protecting the data itself.


The Solution


The Zero Trust API is a bi-directional API focused on inbound requests that bridges the intelligence gap at the storage domain.


  1. Request the current threat level of file or object data [1]

  2. Application server threats can trigger the Zero Trust API to create immutable snapshots of critical data [1]

  3. Compromised user threats can request that a user be denied access to storage, with an AD and SMB share aware lockout executed by the Zero Trust API [1]

  4. User location service allows a request to locate the IP address(es) of a user [2]

  5. User activity request can identify whether a user has touched data and summarize which SMB shares the user had any kind of activity on [2]

  6. User activity monitoring with a real-time Wiretap that can stream user data access manipulations to the XDR as input to threat evaluation [2]

  7. Suspend data replication to the cyber vault after receiving an inbound threat request [1]

[1] Available now
[2] Planned for release 2


How to Use Lock and Critical Snapshot Integration API

This API allows IPS and IDS systems to trigger user lockout or critical data snapshots.

  1. The API routes for locking out users and snapshotting critical application data from network security triggers are documented here. A detailed setup guide is located here.
  2. A solution guide explains the use case with Progressive Flowmon IDS.
  3. A solution brief covers multi-vector detection.

How to extend Dead timer for Critical Snapshot Remote API Requests

  1. This setting defaults to 1 hour. This means multiple network layer detections within 1 hour will generate only one snapshot request, which avoids many network detections triggering too many snapshots. Follow these steps to change the timer.
  2. Log in to Eyeglass as admin.
  3. sudo -s
  4. nano /opt/superna/sca/data/system.xml
  5. Locate the <rsware> tag.
  6. Under this tag, add the new tag below, replacing X with the number of hours to wait before new network snapshot requests will trigger new snapshots:
    1. <api_request_dead_time_hours>X</api_request_dead_time_hours>
  7. Press control+x to save and exit.
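The same change made from the shell, as an added example that is not Superna's own tooling: it validates the hour value, backs up system.xml, then inserts the tag under <rsware> or updates it if already present. The sample system.xml below is constructed for demonstration; the only structure assumed is that the <rsware> opening tag sits on its own line, as the steps above describe.

```shell
#!/bin/sh
# Added example (not part of the Eyeglass product): set the Critical Snapshot
# dead timer in system.xml without hand-editing it in nano.
set -eu

TAG=api_request_dead_time_hours

# Validate the hour value, back up the file, then insert or update the tag.
set_dead_time() {
    file="$1"
    hours="$2"

    # Only a positive whole number of hours is accepted.
    case "$hours" in
        ''|*[!0-9]*) echo "hours must be a positive integer" >&2; return 1 ;;
        0) echo "hours must be greater than 0" >&2; return 1 ;;
    esac
    grep -q '<rsware>' "$file" || { echo "no <rsware> tag in $file" >&2; return 1; }

    cp "$file" "$file.bak"    # keep a backup before touching the config

    if grep -q "<$TAG>" "$file"; then
        # Tag already present: replace its value in place.
        sed "s|<$TAG>[^<]*</$TAG>|<$TAG>$hours</$TAG>|" "$file" > "$file.tmp"
    else
        # Tag missing: insert it on the line directly after <rsware>.
        awk -v line="    <$TAG>$hours</$TAG>" '{print} /<rsware>/{print line}' "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Read back the configured value (prints nothing if the tag is absent).
get_dead_time() {
    sed -n "s|.*<$TAG>\([0-9]*\)</$TAG>.*|\1|p" "$1"
}

# Constructed sample system.xml; the real file holds many more settings.
SAMPLE=/tmp/system.xml.example
cat > "$SAMPLE" <<'EOF'
<config>
  <rsware>
    <other_setting>1</other_setting>
  </rsware>
</config>
EOF

set_dead_time "$SAMPLE" 4      # first run inserts the tag
set_dead_time "$SAMPLE" 12     # second run updates the existing value
get_dead_time "$SAMPLE"        # prints 12
```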


© Superna Inc