
Zero Trust API Integration Use Case




Overview

The Zero Trust API is an add-on licensed feature of Ransomware Defender that provides an XDR or SIEM plugin bridging the gap between the storage security domain and traditional XDR/SIEM capabilities.


What is XDR?


Extended Detection and Response (XDR) is a security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies the analysis of security events across domains and detection vectors.  It should automatically correlate data across multiple security layers – email, endpoint, server, cloud workload, and network. 

What problem does Zero Trust API address?


All attackers target data, but most XDR solutions are missing inputs from the storage security domain, creating a blind spot.


This blind spot prevents XDR platforms from detecting storage-level threats, and from responding to a threat by protecting the data itself.


The Zero Trust Capability Summary


The Zero Trust API is a bi-directional API focused on inbound requests that bridges the intelligence gap at the storage domain.


  1. Request the current threat level of file or object data.

  2. Application Server threats trigger the Zero Trust API to create immutable snapshots of critical data.

  3. Compromised User threats can request that a user be denied access to storage, with an AD and SMB share aware lockout executed by the Zero Trust API.

  4. Next scheduled data replications are blocked until the threat is cleared.



How to Use Lock and Critical Snapshot Integration API

This API allows IPS and IDS systems to trigger user lockout or critical data snapshots.

  1. The API routes for locking out users or snapshotting critical application data from network security triggers are documented here.  The detailed setup guide is located here.
  2. A solution guide explains the use case with Progressive Flowmon IDS.
  3. A solution brief covering multi-vector detection.

How to extend the Dead Timer for Critical Snapshot Remote API Requests

  1. This setting defaults to 1 hour.  This means that multiple network layer detections within 1 hour generate only 1 snapshot request, which prevents a burst of network detections from triggering too many snapshots.  Follow these steps to change the timer.
  2. Log in to Eyeglass as admin
  3. sudo -s
  4. nano /opt/superna/sca/data/system.xml
  5. Locate the tag <rsware>
  6. Under this tag add the following new tag, replacing X with the number of hours to wait before a new network-triggered snapshot request will create another snapshot
    1. <api_request_dead_time_hours>X</api_request_dead_time_hours>
  7. control+x to save and exit
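The following Python block is an added example, not Superna's code, that shows what the dead timer does: it reads api_request_dead_time_hours from under the <rsware> tag (falling back to the documented 1 hour default when the tag is absent or invalid) and then runs a constructed burst of network-layer detections through a gate that emits only one snapshot request per dead-time window. The sample system.xml content, the detection timestamps, and the gating model itself (a window measured from the last accepted request) are assumptions for illustration; only the file path and tag names come from this guide.

```python
"""Added example (not Superna's code): models how api_request_dead_time_hours
collapses repeated critical-snapshot requests.  The XML below is constructed;
only the /opt/superna/sca/data/system.xml path and the <rsware> /
<api_request_dead_time_hours> tag names come from the guide.  The gate is an
assumed model of the documented behaviour, not Eyeglass's implementation."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from typing import List, Optional

DEFAULT_DEAD_TIME_HOURS = 1  # documented default

# Constructed sample of system.xml after the tag has been added under <rsware>
SAMPLE_SYSTEM_XML = """<system>
  <rsware>
    <api_request_dead_time_hours>2</api_request_dead_time_hours>
  </rsware>
</system>"""

# Constructed detection burst: 4 network-layer detections over 3 hours
_T0 = datetime(2024, 1, 1, 9, 0)
DEMO_DETECTIONS = [
    _T0,
    _T0 + timedelta(minutes=10),
    _T0 + timedelta(minutes=90),
    _T0 + timedelta(hours=3),
]


def read_dead_time_hours(xml_text: str) -> int:
    """Return the configured dead time in hours, or the 1 hour default when the
    tag is missing, empty, non-numeric or not positive."""
    root = ET.fromstring(xml_text)
    node = root.find("./rsware/api_request_dead_time_hours")
    if node is None or node.text is None:
        return DEFAULT_DEAD_TIME_HOURS
    try:
        hours = int(node.text.strip())
    except ValueError:
        return DEFAULT_DEAD_TIME_HOURS
    return hours if hours > 0 else DEFAULT_DEAD_TIME_HOURS


class SnapshotRequestGate:
    """Accepts at most one snapshot request per dead-time window (assumed model:
    the window starts at the last accepted request)."""

    def __init__(self, dead_time_hours: int) -> None:
        self.dead_time = timedelta(hours=dead_time_hours)
        self.last_request_at: Optional[datetime] = None

    def on_detection(self, at: datetime) -> bool:
        """Return True if this detection should raise a snapshot request."""
        if self.last_request_at is not None and at - self.last_request_at < self.dead_time:
            return False  # still inside the dead-time window: suppressed
        self.last_request_at = at
        return True


def simulate(xml_text: str, detections: List[datetime]) -> List[bool]:
    """Run a detection sequence through a gate configured from the given XML."""
    gate = SnapshotRequestGate(read_dead_time_hours(xml_text))
    return [gate.on_detection(t) for t in detections]


if __name__ == "__main__":
    hours = read_dead_time_hours(SAMPLE_SYSTEM_XML)
    print(f"dead timer = {hours} hour(s)")
    for when, fired in zip(DEMO_DETECTIONS, simulate(SAMPLE_SYSTEM_XML, DEMO_DETECTIONS)):
        print(when.isoformat(), "snapshot request" if fired else "suppressed")
```

With the 2 hour value in the sample XML the burst produces two snapshot requests (the first detection and the one 3 hours later); with the tag absent, the 1 hour default lets the detection at 90 minutes through as well, which is the difference the dead timer is meant to control.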








© Superna Inc