Modern Attack Methods Require Modern Data Protection
We see explosive growth in NAS (SMB/CIFS and NFS) data. Unfortunately, signature-based threat detection is ineffective against modern attack methods, which do not match any known signature. NetApp Autonomous Ransomware Protection (ARP) with AI uses machine learning, running on the storage system itself, to detect threats while remaining transparent to your end users.
NetApp ONTAP is the only enterprise storage platform validated to store top-secret data across every deployment it supports. ONTAP appears on the Commercial Solutions for Classified (CSfC) Components List and the Department of Defense Information Network Approved Products List (DoDIN APL), and holds Federal Information Processing Standard (FIPS) and Common Criteria certifications. ARP is the first on-box, AI-powered, real-time ransomware detection and response for NAS (NFS and SMB) data.
The built-in, advanced data protection capabilities of ONTAP can provide the following:
- Protection with FPolicy, tamper-proof Snapshot copies, multi-admin verification and encryption
- Detection with the new ARP with AI
- Recovery with Snapshots, SnapCenter and SnapRestore
NetApp ARP shields against ransomware, a denial-of-service attack in which data is encrypted and held hostage until a ransom is paid. ARP provides real-time detection of ransomware with the following capabilities:
- Identification of incoming data as encrypted or plaintext.
- Analytics that detect:
  - Entropy: an evaluation of the randomness of the data written to a file
  - File extension types: an extension that does not conform to the expected extension type for the volume
  - File IOPS: an abnormal surge in file activity on the volume combined with data encryption
ARP can detect the spread of most ransomware attacks after only a few files are encrypted, act automatically to protect data and alert you that a suspected attack is happening.
When you enable ARP, it starts in Learning Mode. In this phase, the ONTAP system builds an alert profile for the volume by analyzing entropy, file extension types and file IOPS. Learning Mode is a dry run: ARP observes and profiles the workload but takes no protective action. Once ARP has had enough time to learn the workload characteristics, you switch to Active Mode to start protecting data. In Active Mode, ARP creates ONTAP Snapshot copies to safeguard data when a threat is identified.
When a suspected attack is detected, the system takes a volume Snapshot copy at that point in time and then locks that Snapshot copy. If the attack is confirmed, the volume can be restored from the ARP Snapshot copy. Knowing the affected files and the attack time, you can also selectively recover the impacted files from multiple Snapshot copies.
Locked Snapshot copies are immune to standard deletion methods. However, the locked copy can be removed if you later classify the attack as a false positive.
Once in Active Mode, ARP evaluates threat probability by comparing incoming data with its learned analytics. When ARP identifies a threat, it assigns a threat level of Low or Moderate.
Low is the earliest detection of abnormal file behavior in a volume. In a low-threat scenario, ONTAP identifies an abnormality and generates a Snapshot copy of the volume to establish an optimal recovery point. It labels the ARP Snapshot copy with the prefix "Anti_ransomware_backup" for easy identification, for example Anti_ransomware_backup.2024-10-04_1456. Low-level threats are logged to System Manager Events.
The threat level rises to Moderate once ONTAP generates an analytics report and finds that the abnormality aligns with a ransomware profile. As with a Low-level threat, a Snapshot copy is created. In addition, a Moderate threat prompts you to assess the threat and confirm or dismiss it.
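To make the three analytics signals and the Learning Mode/Active Mode workflow concrete, here is a small Python model added for this post. It is not NetApp's code and does not reflect ARP's real thresholds or scoring: the entropy cut-off, the magic-number table, the surge rule and the mapping of signal combinations onto the Low/Moderate levels are all this example's own assumptions, and the sample writes are constructed. It learns a profile (extensions seen, writes per interval) from a benign workload, then scores new intervals of writes against it.

```python
import hashlib
import math
import os
import statistics
from collections import Counter

ENCRYPTED_ENTROPY = 7.0  # assumed cut-off: above this a write is treated as ciphertext

# Minimal magic-number table (constructed for this example) so that a file's
# extension can be checked against the bytes actually written.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for ciphertext or compressed
    data, typically 3-6 for text and office document formats."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) > ENCRYPTED_ENTROPY


class ArpMonitor:
    """Learning mode builds a per-volume profile; active mode scores each new
    interval of (filename, bytes) writes against that profile."""

    def __init__(self):
        self.mode = "learning"
        self.known_exts = set()
        self.ops_per_interval = []
        self.iops_threshold = None

    def observe_learning(self, writes):
        """Record one interval of benign writes while in learning mode."""
        if self.mode != "learning":
            raise RuntimeError("profile is frozen once active")
        self.ops_per_interval.append(len(writes))
        self.known_exts.update(os.path.splitext(n)[1].lower() for n, _ in writes)

    def activate(self):
        """Freeze the profile. Assumed surge rule: a write count more than three
        standard deviations (and at least 50%) above the learned mean."""
        mean = statistics.mean(self.ops_per_interval)
        sd = statistics.pstdev(self.ops_per_interval)
        self.iops_threshold = max(mean + 3 * sd, 1.5 * mean)
        self.mode = "active"

    def extension_conforms(self, name, data):
        ext = os.path.splitext(name)[1].lower()
        if ext not in self.known_exts:
            return False                        # e.g. ".locked", never seen while learning
        if ext in MAGIC:
            return data.startswith(MAGIC[ext])  # content must match the claimed type
        return not looks_encrypted(data)        # a learned text-like type must stay plaintext

    def evaluate(self, writes):
        """Score one interval. Returns the signals that fired and a level."""
        if self.mode != "active":
            raise RuntimeError("call activate() first")
        n = len(writes)
        encrypted = sum(looks_encrypted(d) for _, d in writes) / n
        nonconforming = sum(not self.extension_conforms(nm, d) for nm, d in writes) / n
        signals = {"entropy": encrypted > 0.5,
                   "extension": nonconforming > 0.5,
                   "iops": n > self.iops_threshold}
        hits = sum(signals.values())
        # Assumed mapping onto the post's levels: any single abnormality is Low
        # (take a snapshot); ciphertext writes together with another signal fit a
        # ransomware profile and are Moderate (snapshot plus admin review).
        if signals["entropy"] and hits >= 2:
            level = "Moderate"
        elif hits >= 1:
            level = "Low"
        else:
            level = "none"
        return {"level": level, "writes": n, **signals}


# Constructed sample content: plaintext, a PDF, a DOCX (zip container) and a
# deterministic pseudo-random blob standing in for an encrypted file.
TEXT = b"Quarterly revenue report, line " * 40
PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n" * 10
DOCX = b"PK\x03\x04" + b"word/document.xml" * 20
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
NORMAL = [("report.docx", DOCX), ("invoice.pdf", PDF), ("notes.txt", TEXT), ("data.csv", TEXT)]


def normal_interval(count):
    return [NORMAL[i % len(NORMAL)] for i in range(count)]


def run_demo():
    """Learn from five benign intervals, then score four scenarios."""
    mon = ArpMonitor()
    for count in (10, 8, 12, 9, 11):          # learning-mode intervals -> threshold 15
        mon.observe_learning(normal_interval(count))
    mon.activate()
    scenarios = {
        "steady state": normal_interval(9),
        "busy but benign": normal_interval(20),                               # IOPS surge only
        "rename and encrypt": [(f"doc{i}.docx.locked", CIPHERTEXT) for i in range(40)],
        "encrypt in place": [("notes.txt", CIPHERTEXT)] * 20,
    }
    return {name: mon.evaluate(w)["level"] for name, w in scenarios.items()}


if __name__ == "__main__":
    for name, level in run_demo().items():
        print(f"{name:20s} -> {level}")
```

The "busy but benign" scenario is the case the post's Low level is designed for: a surge that may be a backup or a bulk copy, so the only action is an early recovery point. Both encryption scenarios trip the entropy signal plus at least one other, which is what pushes them to Moderate and to a human decision, and the "encrypt in place" case shows why entropy matters: the attacker never changed an extension.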
SE Labs ARP evaluation
SE Labs® evaluated NetApp ONTAP Autonomous Ransomware Protection with AI against a range of realistic ransomware attacks. Testers simulating real-world ransomware group behavior targeted systems protected by NetApp ONTAP ARP. Each attack began at the start of the attack chain, using methods such as phishing email links and attachments, and was carried out through to its conclusion: stealing, encrypting and destroying sensitive data on the target systems.
The report examines the efficacy of NetApp ONTAP ARP with AI in safeguarding against ransomware attacks. The report highlights the following:
- The growing threat of ransomware disrupts business operations and results in financial losses due to system paralysis and ransom demands.
- The attacks targeted systems protected by NetApp ARP.
- The testing involved various attack vectors, including phishing emails and attachments, to initiate the attack chain.
- NetApp's solution focuses on monitoring data integrity on NetApp storage, aiming to detect and counter unwanted changes made by ransomware. This addresses the fact that business data remains at risk even when the endpoints accessing it are well secured.
- The tests involved various ransomware variants, including known versions and new, similar variations, to evaluate the solution's ability to detect existing and emerging threats.
- The testing methodology involved replicating real-world attack chains observed in threat intelligence, ensuring the attacks used in the assessment were relevant and reflected actual threats faced by organizations.
Results and conclusions
- NetApp ONTAP Autonomous Ransomware Protection with AI demonstrated a 99% detection rate for destructive ransomware behavior, showcasing its effectiveness in identifying and mitigating ransomware threats.
- The solution achieved a 100% accuracy rating in handling legitimate operations, indicating it does not raise false alarms for benign activities.
- NetApp ONTAP Autonomous Ransomware Protection with AI earned an AAA award for its performance in the tests.
The report concludes that NetApp ONTAP Autonomous Ransomware Protection with AI offers robust protection against a diverse range of ransomware attacks by effectively detecting and mitigating threats while accurately distinguishing between malicious and legitimate activities.
WWT point of view
No solution can entirely safeguard against a ransomware attack. Therefore, it's crucial to adopt a multilayered approach to security. For instance, securing identities, physical locations, networks, endpoints, and applications are all vital steps in your overall security posture. ONTAP ARP can play a critical role in your overall data security strategy to protect, detect, and recover from ransomware attacks.
ARP is included with an ONTAP One license. For existing customers without an ONTAP One license, an Anti-ransomware license is available for purchase. ARP can be enabled on a volume-by-volume basis for new or existing volumes. Note that if you enable ARP on an existing volume, only data written after enablement is monitored; data already on the volume is not retroactively analyzed.
ARP can be enabled in the Security tab of the Volumes overview window in System Manager. When enabling ARP, we recommend that you leave it in Learning Mode for about 30 days so the profile reflects a full business cycle of the workload. As of ONTAP 9.13.1, ARP determines the learning period itself (30 days or less) and switches to Active Mode automatically.
In today's digital landscape, ransomware attacks pose a significant threat to organizations, disrupting operations and causing financial losses. Implementing robust cyber resilience strategies is crucial to safeguard data and ensure business continuity. By leveraging advanced AI capabilities, autonomous ransomware protection systems offer real-time detection and response, effectively mitigating the impact of ransomware attacks. These systems provide comprehensive protection, detection, and recovery features, ensuring that data remains secure and accessible.
Reach out to your WWT sales team to engage our experts in storage, data protection and security to learn more about enhancing your cyber resilience strategy.