Since ransomware is a crucial topic, phase 3 of our Data Protection Coverage report delves into anti-ransomware technologies. The disaster recovery and business continuity software used within an enterprise is in a unique position, one that allows easy detection of ransomware. There are several approaches to detection, and often more than one approach needs to be taken. While the security team works on prevention and detection, the data protection team has that capability as well.
In fact, the data protection team has the best chance of detecting ransomware. It is not enough to monitor CPU utilization, for example. That will often lead to false positives as applications ramp up. It is not enough to look at CPU primitives in use, such as AES-NI. That also leads to false positives, as encryption is used legitimately. So, we need something more. We could prevent the use of whitelisting; however, prevention without detection could lead to unknown zero-day attacks.
CPU is not enough, so what is? We could look for canary files, and probably should. These are juicy targets that live on file shares, desktops, and the like. Once they’ve been encrypted, we pretty much know that someone did something they shouldn’t have. But what if the canary file has been detected by ransomware, or ignored as not juicy enough?
Data protection tools have a unique location to which they back up, copy, or replicate every byte that has changed on a system. A first-order solution could just look at the rate of change of data. A second-order solution would check that rate of change against the rate of change for every other similar weekday, time, etc., over a wider swath of time. This second-order check is enough to rule out expected behavior. Another secondary approach would be to check if the data can be read, which can only happen if the data protection tool knows the file system and data types involved.
Anti-ransomware can be very complex. We need to also hold known-good data until another known-good copy or replicate is made. So now, we are getting into the area of legal hold for ransomware potential. This can mean there may be more copies of data around than we expected. Therefore, we have a need for integration with copy data solutions.
However, there is just more basic functionality. You can view the report on your own, and below are some of the details rolled up into the report.
|Ransomware Detection||Veeam ONE CPU Monitor||Windows|
|Ransomware Kill Chain||Windows|
|Static Agents (no DLL injection)||Windows|
|Mark Recover Point Not to Delete|
|Block Chain or whatever for Change Tracking|
|eDoc w/Digital Signatures via Backup Repo|
This is just a snippet of all the possible vendors and components that make up possible coverage reports. The state of the art in anti-ransomware is being developed daily. The changes are around prevention, detection, and recovery. Data protection fully understands recovery. Prevention is in the realm of security tools. That leaves detection. Data protection is just one of the places to do detection. It seems a logical place.
These are the basic requirements, where we really leave the type of detection up to the vendor; however, as discussed, some approaches are better than others.
Please review our coverage report and let us know your thoughts.