AWS Partner Network (APN) Blog
Ransomware and Insider Threat Protection for Amazon FSx for NetApp ONTAP
By Joshua Moore, Principal Technologist Cloud Observability – NetApp
By Eric Yuen, Sr. Storage Partner Solutions Architect – AWS
 |
| NetApp |
 |
Nowadays, insider threat protection is a must-have capability for storage services, and for good reason – data breaches continue to make headlines and malware groups have proven to be resilient despite increasing pressure from law enforcement.
NetApp Cloud Insights is an observability service that give I.T. Operations (ITOps) teams visibility, threat detection, and user data access auditing into Amazon FSx for NetApp ONTAP, compute, and containerized workloads – this includes all you would expect from an observability service: monitoring, reporting, capacity planning and troubleshooting.
Insider Threats
Ransomware is the insider threat that most frequently turns up in headlines, but it’s far from the only danger to the integrity and security of sensitive corporate data. The term ‘insider threat’ usually describes an attack vector that leverages compromised systems or credentials to masquerade as an authorized user to gain access to data, however it could also describe an authorized user with nefarious intentions.
The challenge for organizations is that users need access to data to perform their roles, and being overly restrictive in this access can get in the way of productivity. Finding the right balance in permissions is critical, but an additional line of defense is needed if this access is compromised, for instance through a misguided click in a malicious, but seemingly innocuous email. The most well-defined corporate security policies are only as strong as the least security-savvy user on a bad day, and before their morning coffee.
NetApp Cloud Insights is designed to detect unusual behavior at the user and file access layer, and automatically take action to protect the data and stop the threat. This is valuable because anomalies in file access patterns stand a high chance of being undesirable from a security standpoint.
This provides robust protection and is fully integrated for Amazon FSx for NetApp ONTAP against a variety of insider threats:
Ransomware
NetApp Cloud Insights detects an unusual spike in file renames or overwrites, and because it operates at the user activity layer, can automatically block a user when such activity is detected to stop the attack in its tracks. NetApp Cloud Insights detection mechanisms do not rely solely on identifying know ransomware extensions and file naming because signature-based detection is unreliable and can be easily subverted by modern malware toolkits.
Figure 1: Potential ransomware attack detected by Cloud Insights
Instead, NetApp Cloud Insights keeps records of all file activity in scope of the attack. Detailed audit logs can be used to determine which data is impacted for the purposes of restoration and recovery efforts, also reporting the attack to the relevant authorities.
Figure 2: Comprehensive access auditing with filters & finders for reporting and recovery
Data Theft
Many malicious actors with a previous affinity to ransomware have changed tactics to simply focus on stealing the data to extort money from business. This gives them a similar outcome without the extra steps of encrypting data and delivering a decryption toolkit on payment.
Data exfiltration isn’t always the result of an orchestrated external attack. A user with access to sensitive intellectual property, such as a sales representative downloading customer and install base information to take to a competitor, can be just as damaging to any business. It’s also very difficult to detect using conventional means. Members of sales team are simply “doing their job” when accessing customer information occasionally as part of their day-to-day tasks. NetApp Cloud Insights’ anomaly detection can differentiate this business-as-usual access, from a sudden interest in hundreds of records within a short period of time.
Figure 3: The Infosec team might want to have a discussion with Cade in this example
Not only that, NetApp Cloud Insights can also help identify other indicators of these types of attacks, such as an excess of access denied events where users may be exploring the boundaries of just what they can access.
Mass file deletion or destruction
Mass data destruction is a particularly concerning threat for organizations responsible for critical infrastructure, such as utilities providers or air traffic control, as millions of people rely upon them every day. Malicious actors may target these organizations with the goal of maximum disruption, rather than financial gains. And because there’s no ‘phase 2’ of the attack like the collection of funds, the attacks can be comparatively simple to execute once access is gained.
Similar to data theft, there’s an alternative insider scenario: Disgruntled employees that decide they want to inflict as much damage as possible. When mass deletion activities are detected, NetApp Cloud Insights can block the source and trigger alerts so security teams can investigate.
Innocent accidents
A less nefarious but no less damaging insider threat is the misconfiguration of scripts and automated processes, or even simple typos. An example of this is a data clean-up script that may be designed to run against a file repository for QA, is mistakenly run in Production.
Figure 4: Activity rates by file type, path, and location
The NetApp Cloud Insights algorithm distinguishes between QA and Production repos’ expected activity and can block the anomaly in Production before the damage is done and trigger an alert for attention.
Evolution of attacks
Threats are always evolving, and so too must our methods of detection. Just as ransomware toolkits have already evolved to signature-based detection, or to prioritizing data exfiltration over encryption, attacks are also evolving to hit organizations at their most vulnerable times.
To that end, the concept of seasonality has been introduced to the detection algorithms in NetApp Cloud Insights.
Attacks targeted according to an organization’s operational calendar can maximize effectiveness and minimize chances of early detection – understanding seasonality helps by detecting these attacks more accurately and minimizing false positives.
- Timing of Attacks: Cybercriminals often launch campaigns during specific times when they believe organizations are most vulnerable. For example, during holiday seasons, when I.T. staff might be limited, malicious actors anticipate a slower response to security breaches. In learning seasonality, NetApp Cloud Insights algorithm would naturally expect less file activity during these periods, and as such have a heightened sensitivity to these threats.
- Predictable Business Cycles: Many businesses experience predictable cycles of high activity, such as financial organizations at the end of fiscal periods. Malicious actors also target these high-stakes periods, aiming to maximize the impact of their attack and the likelihood of a pay-out. NetApp Cloud Insights takes account for these cycles to ensure that attacks are not dismissed as typical peak season, to identify and block unexpected sources of activity.
- User Behavior Modeling: Within an organization, user behavior exhibits patterns: working days, weekends, or a specific day user may designate to specific activities. NetApp Cloud Insights workload security can adjust its alerting and blocking behavior based on learning these expected times, unique to each user inside an organization. For example, we can effectively reduce false-positives when there is an expected spike in activity as users will login in the morning on a normal work day, but the algorithm knows to raise an alert if the same happens in the middle of the night.
In understanding workloads, activities, and trends, the NetApp Cloud Insights detection algorithm adapts with continually updated threat intelligence – this means that organization, and the individuals administering the system don’t need to maintain and adjust policies frequently, and can instead focus on work that can return higher value to the business.
How to get started
Organizations can’t afford for security to be a chore, setting up NetApp Cloud Insights for Amazon FSx for NetApp ONTAP is easier than ever. Navigate to NetApp Cloud Insights listing on AWS Marketplace and click the “Try for free” button to get started. After following the few easy steps to deploy, the detection algorithm in NetApp Cloud Insights gets to work. After a short period of learning your data is protected against these insider threats. No policies, thresholds or rules to configure means no toil to get in the way of protecting your data.
Conclusion
Protecting your Amazon FSx for NetApp ONTAP is not an option, but a requirement. It is about having a proactive and comprehensive approach to security. By leveraging the capabilities of NetApp Cloud Insights, you can enhance the security of your Amazon FSx for NetApp ONTAP workloads, ensuring that your data remains safe and your operations stay compliant. In the world of cloud storage, vigilance is the key to maintaining the integrity and confidentiality of your critical data assets.
.
.
NetApp – AWS Partner Spotlight
NetApp is an AWS Advanced Technology Partner and AWS Competency Partner that delivers enterprise-grade storage for hundreds of use cases to run file shares and block-level storage serving NAS and SAN protocols (NFS, SMB, iSCSI), Disaster Recovery, Microsoft Workloads, DevOps, Databases, or any other enterprise workload. Optimize infrastructure costs with guaranteed SLAs for performance, durability, and availability.