Article written by Raul Raudry, Storage Product Marketing, IBM. 

IBM Storage Defender is a purpose-built end-to-end data resilience solution designed to help businesses rapidly restart essential operations in the event of a cyberattack or other unforeseen events. It simplifies and orchestrates business recovery processes by providing a comprehensive view of data resilience and recoverability across primary and auxiliary storage in a single interface.

IBM Storage Defender deploys AI-powered sensors to quickly detect threats and anomalies. Signals from all available sensors are aggregated by IBM Storage Defender, whether they come from hardware (IBM FlashSystem FlashCore Modules) or software (file system or backup-based detection).

IBM Storage FlashSystem with FlashCore Module 4 (FCM4) can identify threats in real time because the ability to collect and analyze stats for every single read and write operation is built into the hardware, without any performance impact. IBM Storage Defender and IBM Storage FlashSystem can seamlessly work together to produce a multilayered strategy that can drastically reduce the time needed to detect a ransomware attack.

As shown in the following diagram, the FlashCore Module reports potential threat activity to IBM Storage Insights Pro, which analyzes the data and alerts IBM Storage Defender about suspicious behaviors coming from the managed IBM Storage FlashSystem arrays.  With the information received, IBM Storage Defender proactively opens a case.  All open cases are presented in a comprehensive "Open case" screen, which provides detailed information about the type of anomaly, time and date of the event, affected virtual machines and impacted storage resources. To streamline data recovery, IBM Storage Defender provides recommended actions and built-in automation to further accelerate the return of vital operations to their normal state.

IBM Storage FlashSystem also offers protection through immutable copies of data known as Safeguarded Copies, which are isolated from production environments and cannot be modified or deleted. IBM Storage Defender can recover workloads directly from the most recent trusted Safeguarded Copy to significantly reduce the time needed to resume critical business operations, as data transfer is performed through the SAN (FC or iSCSI) rather than over the network.  In addition, workloads can be restored in an isolated "Clean Room" environment to be analyzed and validated before being recovered to production systems. This verification allows you to know with certainty that the data is clean and business operations can be safely reestablished. This is shown in the following diagram.

When a potential threat is detected, IBM Storage Defender correlates the specific volume in the IBM Storage FlashSystem associated with the virtual machine under attack and proactively takes a Safeguarded Copy to create a protected backup of the affected volume for offline investigation and follow-up recovery operations. When time is crucial, this rapid, automatic action can significantly reduce the time between receiving the alert, containing the attack and subsequent recovery. This proactive action is shown in the following diagram.

Ensuring business continuity is essential to build operational resilience and trust. IBM Storage Defender and IBM Storage FlashSystem can be seamlessly integrated to achieve this goal by combining advanced capabilities that complement each other to build a robust data resilience strategy across primary and auxiliary storage. By working together, IBM Storage Defender and IBM Storage FlashSystem effectively combat cyberattacks and other unforeseen threats.
