Zero Trust API Admin Guide
- Overview
- What is XDR?
- The Solution
- How to Use Lock and Critical Snapshot Integration API
- How to extend Dead timer for Critical Snapshot Remote API Requests
- Zero Trust With Veeam Backup Solution and PowerScale
- Zero Trust With Commvault Backup Solution and PowerScale
Overview
The Zero Trust API is an add-on license key solution for Ransomware Defender. It provides an XDR or SIEM plugin that bridges the gap between the storage security domain and traditional XDR/SIEM capabilities.
What is XDR?
Extended Detection and Response (XDR) is a security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies the analysis of security events across domains and detection vectors. It should automatically correlate data across multiple security layers – email, endpoint, server, cloud workload, and network.
What problem does Zero Trust API address?
All attackers ultimately target data, yet most XDR solutions receive no inputs from the storage security domain, which creates a blind spot.
This blind spot leaves XDR platforms unable to detect a threat at the storage layer or to respond by protecting the data itself.
The Solution
The Zero Trust API is a bi-directional API, focused on inbound requests, that bridges the intelligence gap at the storage domain. It provides the following capabilities:
- Request the current threat level of file or object data 1
- Application server threats trigger the Zero Trust API to create immutable snapshots of critical data 1
- Compromised user threats can request that a user be denied access to storage, with an AD and SMB share aware lockout executed by the Zero Trust API 1
- User location service allows a request to locate the IP address(es) of a user 2
- User activity request can identify whether a user has touched data and summarize which SMB shares the user had any kind of activity on 2
- User activity monitoring with a real time Wiretap that can stream user data access manipulations to the XDR as input to threat evaluation 2
- Suspend data replication to the Cyber vault after receiving an inbound threat request 1
How to Use Lock and Critical Snapshot Integration API
This API allows IPS and IDS systems to trigger a user lockout or a snapshot of critical data.
- The API routes that lock out users and snapshot critical application data from network security triggers are documented here. The detailed setup guide is located here.
- A solution guide explains the use case with Progressive Flowmon IDS.
- A solution brief covers multi-vector detection.
How to extend Dead timer for Critical Snapshot Remote API Requests
- This setting defaults to 1 hour. This means that multiple network layer detections within 1 hour generate only 1 snapshot request, which prevents a burst of network detections from triggering too many snapshots. Follow the steps below to change the timer.
- Login to Eyeglass as admin
- sudo -s
- nano /opt/superna/sca/data/system.xml
- Locate the tag <rsware>
- Under this tag add the new tag below, replacing X with the number of hours to wait before new network snapshot requests will trigger new snapshots
- <api_request_dead_time_hours>X</api_request_dead_time_hours>
- control+x to save and exit
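The same change as an added helper (example code, not part of Eyeglass or the original guide): it inserts or updates the api_request_dead_time_hours tag under rsware and rejects values that would disable the dead timer. The surrounding structure of system.xml is not shown above, so the sample document below is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample of the relevant part of system.xml; the real file's
# surrounding structure is an assumption here, only <rsware> is documented.
SAMPLE_SYSTEM_XML = """<system>
  <rsware>
    <some_existing_setting>true</some_existing_setting>
  </rsware>
</system>
"""

TAG = "api_request_dead_time_hours"


def set_dead_time_hours(xml_text: str, hours: int) -> str:
    """Return xml_text with <api_request_dead_time_hours> set under <rsware>.

    Adds the tag if it is missing and updates it if already present, so running
    it twice does not produce duplicate tags. Rejects non-positive or
    non-integer values so a typo cannot silently break the dead timer.
    """
    if isinstance(hours, bool) or not isinstance(hours, int) or hours < 1:
        raise ValueError("hours must be a positive integer")
    root = ET.fromstring(xml_text)
    rsware = root.find(".//rsware")
    if rsware is None:
        raise ValueError("<rsware> tag not found in system.xml")
    node = rsware.find(TAG)
    if node is None:
        node = ET.SubElement(rsware, TAG)
    node.text = str(hours)
    return ET.tostring(root, encoding="unicode")


def get_dead_time_hours(xml_text: str) -> Optional[int]:
    """Read the configured value back; None means the tag is absent (default 1 hour)."""
    node = ET.fromstring(xml_text).find(f".//rsware/{TAG}")
    return int(node.text) if node is not None and node.text else None


if __name__ == "__main__":
    updated = set_dead_time_hours(SAMPLE_SYSTEM_XML, 4)
    print(get_dead_time_hours(updated))  # 4
```

ElementTree drops XML comments and reflows whitespace when it writes the tree back out, so back up system.xml before replacing it and diff the result before saving.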