CryptoSpike: Ransomware Protection & File System Auditing
2nd Sept. 2019

We care about your data! protect • manage • analyze

Transparency on File System Access and Auditing: who created, changed, copied or deleted data, when, where, …
Detailed Traceability: who? what? how? when?
• Example: a deleted file (recorded as an SMB_DEL operation)
• Comprehensive filter possibilities
• Recognise anomalies

Malware and Ransomware Threats: WannaCry, Petya, CryptoLocker
Ransomware attack scenario (without CryptoSpike)
• 2,000 users; 10,000 files manipulated on Vol. 1 (50 million files)
• Ransomware attack:
  • Filename & file type have not changed
  • Last-access dates have not changed
  • All files seem to be the same as before
  • How can GOOD files be separated from BAD files?
• Data snapshots: Mo, Tu, We, Th, Fr
• The only option: restoring the whole volume to Tuesday's snapshot
• 3 days loss of data!!!

Ransomware attack scenario (with CryptoSpike)
• 2,000 users; 10,000 files manipulated on Vol. 1 (50 million files)
• Active blocking!
• Anomaly detection and white-/blacklists
• Affected files are identified
• Transactions are being logged
• Detailed overview of all users
• The restore: ONLY the changed (damaged) files are restored (single-file restore from the snapshot)
• Only affected contents are restored; all other users continue to work WITHOUT data loss!
Architecture
• CryptoSpike Manager: collects blacklists from different community projects and websites; license management; adding new customers; blacklist updates
• CryptoSpike Server: pulls the blacklist from the Manager; Pattern Learner; manages blacklist and whitelist
  • Blacklist patterns (examples): *.*locked, *.*kraken, *.*crypto, *.*cry, *.exx
  • Whitelist (examples): .pdf, .xls, .doc, .jpg, .gif
• CryptoSpike Portal: Setup Wizard; Blocked Users; File History / Restore; Configuration / Management
• FPolicy Server (sits between the ONTAP SVM data LIF and the CryptoSpike Server)

Access Blocking
• As soon as ransomware is detected, access for the affected user is blocked
• Alert via e-mail and in the portal
• Infected files are displayed in detail and are ready to be restored
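The detection and blocking flow described on the slides above (blacklist and whitelist on the access stream, a rate anomaly on top, blocking the user, and recording which files were touched so that only those are restored), as an added Python example; this is not ProLion code and not how CryptoSpike is implemented internally. The event format, the sliding-window threshold, the whitelist semantics and the three user sessions are assumptions constructed for the example. It makes the point of the "GOOD vs. BAD files" slide concrete: the user who encrypts files in place without changing their names (bob) is invisible to the blacklist and is caught only by the rate anomaly, yet the original paths he wrote are still captured as restore candidates.

```python
from collections import defaultdict, deque
from fnmatch import fnmatch

# Patterns as shown on the architecture slide; the semantics below are assumed.
BLACKLIST = ["*.locked", "*.kraken", "*.crypto", "*.cry", "*.exx"]
WHITELIST_EXT = (".pdf", ".xls", ".doc", ".jpg", ".gif")

# Assumed anomaly rule: more than this many modifying operations by one user
# inside the sliding window is treated as ransomware behaviour.
WINDOW_SECONDS = 10
MAX_MODIFICATIONS_IN_WINDOW = 20
MODIFYING_OPS = {"write", "rename", "delete"}


class Detector:
    """Toy stand-in for the FPolicy-fed detection loop: every event is logged,
    modifying events are scored, and a scoring user is blocked from then on."""

    def __init__(self):
        self.transactions = []                 # full audit trail (who / what / when / where)
        self.recent = defaultdict(deque)       # user -> (ts, path) of recent modifications
        self.blocked = set()
        self.affected = defaultdict(set)       # user -> original paths to restore

    def on_event(self, ts, user, op, path, new_path=None):
        self.transactions.append((ts, user, op, path, new_path))
        if user in self.blocked:
            return "denied"                    # active blocking: nothing further gets through
        if op not in MODIFYING_OPS:
            return "allowed"                   # reads and opens are not evidence by themselves
        target = new_path or path
        window = self.recent[user]
        window.append((ts, path))              # keep the ORIGINAL name: that is what gets restored
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        # Assumed whitelist semantics: a target with a known-good extension is never a blacklist hit.
        whitelisted = target.lower().endswith(WHITELIST_EXT)
        blacklist_hit = not whitelisted and any(fnmatch(target.lower(), pat) for pat in BLACKLIST)
        if blacklist_hit or len(window) > MAX_MODIFICATIONS_IN_WINDOW:
            self.blocked.add(user)
            self.affected[user].update(p for _, p in window)
            return "blocked"
        return "allowed"

    def restore_candidates(self):
        """Union of everything the blocked users modified: the single-file restore list."""
        return sorted(set().union(*self.affected.values())) if self.affected else []


def constructed_events():
    """Constructed audit stream: one normal user, one renaming ransomware, one in-place encryptor."""
    events = []
    for i in range(5):                          # alice: a save every 12 s, normal work
        events.append((i * 12.0, "alice", "write", f"/vol1/finance/report{i}.doc"))
    for i in range(3):                          # mallory: renames documents to a blacklisted extension
        src = f"/vol1/hr/contract{i}.pdf"
        events.append((100.0 + i * 0.1, "mallory", "rename", src, src + ".locked"))
    for i in range(30):                         # bob: overwrites files in place, names unchanged
        events.append((200.0 + i * 0.05, "bob", "write", f"/vol1/sales/quote{i}.xls"))
    return events


def run_demo():
    det = Detector()
    outcomes = defaultdict(list)
    for ev in constructed_events():
        outcomes[ev[1]].append(det.on_event(*ev))
    return det, outcomes


if __name__ == "__main__":
    det, outcomes = run_demo()
    for user, seq in outcomes.items():
        print(user, {k: seq.count(k) for k in ("allowed", "blocked", "denied")})
    print("blocked:", sorted(det.blocked))
    print("restore candidates:", len(det.restore_candidates()))
```

Two things worth noticing when running it: mallory is blocked on her very first rename (the blacklist fires on the target name), so only one file needs restoring, while bob gets twenty writes through before the rate rule trips, which is why the window's contents, not just the triggering event, go onto the restore list. A real threshold has to be learned per user and share (the "machine learning of access patterns" on the summary slide) because a build job or a bulk copy legitimately exceeds a fixed number like this one.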
Easy Restore / Restore Folder
• Choose the files to be restored
• Click the "Restore" button
• Select the snapshot
• Choose the restore location
• Confirm "Restore"
• Done!

Transparency on Users' File Access: user actions, user IOPS, location / path
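The restore steps above, reduced to what happens once the affected-file list and the snapshot have been chosen, as an added Python example; this is not ProLion's restore code. It assumes the NFS view of an ONTAP volume with the snapshot directory exposed, so that each snapshot is readable under <volume>/.snapshot/<name>/; the snapshot name "tuesday", the directory tree, the file contents and the timestamps are constructed in a temporary directory. Two checks a practitioner would want are included: a file that does not exist in the snapshot is reported instead of being silently skipped, and a snapshot copy whose modification time already postdates the first malicious transaction is refused rather than copied back.

```python
import os
import shutil
import tempfile

# Constructed: epoch time of the first malicious transaction (taken from the audit log).
ATTACK_STARTED = 1_567_411_200


def snapshot_path(live_root, snapshot, relpath):
    # Assumption: NFS view of an ONTAP volume, snapshots read-only under <volume>/.snapshot/<name>/
    return os.path.join(live_root, ".snapshot", snapshot, relpath)


def restore_files(live_root, snapshot, relpaths, attack_started, quarantine=None):
    """Copy only the listed files back from the snapshot; report what could not be restored."""
    result = {"restored": [], "missing": [], "suspect": []}
    for rel in relpaths:
        src = snapshot_path(live_root, snapshot, rel)
        dst = os.path.join(live_root, rel)
        if not os.path.isfile(src):
            result["missing"].append(rel)      # created after the snapshot: nothing to roll back to
            continue
        if os.path.getmtime(src) >= attack_started:
            result["suspect"].append(rel)      # the snapshot copy itself postdates the attack
            continue
        if quarantine is not None and os.path.exists(dst):
            qdst = os.path.join(quarantine, rel)
            os.makedirs(os.path.dirname(qdst), exist_ok=True)
            shutil.move(dst, qdst)             # keep the damaged copy for incident analysis
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)                 # copy2 preserves the snapshot's timestamps
        result["restored"].append(rel)
    return result


def _write(path, text, mtime=None):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def demo():
    """Constructed volume: Tuesday's snapshot holds clean copies, the live tree is encrypted."""
    root = tempfile.mkdtemp(prefix="vol1-")
    clean = ATTACK_STARTED - 86_400
    _write(snapshot_path(root, "tuesday", "sales/quote0.xls"), "clean quote 0", clean)
    _write(snapshot_path(root, "tuesday", "hr/contract0.pdf"), "clean contract 0", clean)
    _write(snapshot_path(root, "tuesday", "hr/contract1.pdf"), "ENCRYPTED-BLOB", ATTACK_STARTED + 60)
    _write(os.path.join(root, "sales/quote0.xls"), "ENCRYPTED-BLOB")          # overwritten in place
    _write(os.path.join(root, "hr/contract0.pdf.locked"), "ENCRYPTED-BLOB")   # renamed by the malware
    _write(os.path.join(root, "sales/new_after_snapshot.xls"), "ENCRYPTED-BLOB")
    affected = ["sales/quote0.xls", "hr/contract0.pdf",
                "sales/new_after_snapshot.xls", "hr/contract1.pdf"]
    quarantine = os.path.join(root, "quarantine")
    result = restore_files(root, "tuesday", affected, ATTACK_STARTED, quarantine)
    with open(os.path.join(root, "sales/quote0.xls")) as fh:
        result["quote0"] = fh.read()
    result["quarantined"] = sorted(
        os.path.relpath(os.path.join(d, f), quarantine)
        for d, _, files in os.walk(quarantine) for f in files)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The restore list is keyed by the original path, which is why the renamed copy hr/contract0.pdf.locked is left where it is: it is a rename target, not a file to roll back, and belongs in quarantine together with the damaged copies rather than being deleted before the incident has been analysed. Whatever the live tree is mounted on, the copy direction is always snapshot to live; the snapshot side is read-only and cannot be damaged by the same ransomware.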
Summary
• Easy installation (.OVA / .VHDX)
• Complete recording of all file activities
• Transparency and traceability on file access (auditing)
• Real-time ransomware detection (< 0.5 ms)
• Machine learning of access patterns
• Detect anomalies
• Immediate automatic blocking of the affected user
• Central whitelist and blacklist provide additional protection
• One-click restore from NetApp Snapshots
• Multitenant capabilities for service providers
• Licensed per storage controller (ONTAP primary systems)

Installation and Prerequisites
• Download the .OVA or VHD/VHDX file: http://releases.prolion.at/CryptoSpike/
• 3 VMs and 3 IP addresses are needed to deploy:
  • CryptoSpike Server
  • CryptoSpike FPolicy Server
  • CryptoSpike FPolicy Server 2
• VMs are based on Debian 9 Linux
• Hardware prerequisites:
  • 1x CryptoSpike Server: 8 vCPU, 12 GB RAM and 100 GB disk space
  • 2x FPolicy Server: 4 vCPU, 8 GB RAM and 20 GB disk space
• Check network connectivity:
  • Data LIF of the SVM <-> FPolicy Server (high performance, low latency: this path is in the data access path)
  • FPolicy Server <-> CryptoSpike Server (throughput ~ 40 MB/s)
  • CryptoSpike Server <-> ONTAP (latency and throughput are not critical)