
How ransomware is changing the Storage industry

By Erin Farr posted Wed August 23, 2023 06:08 PM

IBM TechXchange Conference 2023

If you are attending TechXchange in September 2023, we have an upcoming session where we'll discuss these trends: TechXchange: IBM Storage Defender; Executive Keynote, Resiliency Strategy and Future vision [2846].

It's no secret that ransomware and exfiltration attacks are on the rise. The target of these attacks is your data, which is housed by your storage. Beyond basic prevention controls and facilitating recovery, what else can storage software and hardware do to defend against these attacks?

Well, as it turns out, there is more that Storage can do. We are already seeing signs of that in the industry. For example, threat detection and response are being added to storage software and hardware at such a rate that Gartner has coined the term "Cyberstorage" to represent this trend in its Hype Cycle.

A parallel movement has been happening in the Security industry. Security monitoring tooling is generally known as SIEM, or Security Information and Event Management. It ingests, normalizes, and correlates log and network flow data in order to spot malicious activity in real time. This includes activity from devices, servers, network, data and applications, configurations, and even vulnerability information and threat intelligence.

You may have noticed I mentioned data. So why do we need threat detection in storage if detection already exists as part of your SIEM? For example, some SIEMs have capabilities to look at data accesses for exfiltration detection, which is when a bad actor siphons data off your system. But what we've seen happen is that people don't turn it on, because that analysis requires sending too much data to the SIEM. A large organization can collect 2 billion events per day, so imagine if they are also collecting each and every file access. A SIEM uses data that's high volume and low accuracy. This created a need for better alert quality and a more automated response, which led, in part, to eXtended Detection and Response, or XDR.

XDR is an evolution of security monitoring tooling that focuses on receiving higher fidelity alerts by moving some of the currently centralized analytics down into various domains, like endpoints (EDR), networks (NDR) and, in our case, storage. This enables a more automated and decentralized response at the point of interaction. Note that XDR doesn't replace SIEM but can be thought of as a layer above a number of security tools to specifically focus on the use case of threat detection and response.
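To make the volume argument concrete, here is an added sketch (not from the original post and not the code of any product) of exfiltration analytics running in the storage layer: file-read events are aggregated locally and only a summarized alert would be forwarded to the SIEM. The event format, window size and thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


def sample_events():
    """Constructed sample data: (epoch_seconds, user, path, bytes_read)."""
    events = []
    # Ordinary user: 20 small reads spread over roughly an hour.
    for i in range(20):
        events.append((1000 + i * 180, "alice", f"/proj/doc{i}.txt", 40_000))
    # Bulk reader: 500 distinct files of 2 MB each inside one 5-minute window.
    for i in range(500):
        events.append((2100 + i // 2, "user-b", f"/hr/rec{i}.db", 2_000_000))
    return sorted(events)


@dataclass
class Alert:
    user: str
    window_start: int
    files: int
    bytes_read: int


def detect_bulk_reads(events, window=300, max_files=200, max_bytes=500_000_000):
    """Aggregate reads per (user, fixed time window) next to the data.

    Emits one alert per user and window when both the number of distinct
    files and the byte volume exceed the thresholds. The thresholds are
    assumed values; a real detector would baseline them per user.
    """
    files = defaultdict(set)
    volume = defaultdict(int)
    for ts, user, path, nbytes in events:
        key = (user, (ts // window) * window)
        files[key].add(path)
        volume[key] += nbytes
    alerts = []
    for key in sorted(files, key=lambda k: (k[1], k[0])):
        if len(files[key]) > max_files and volume[key] > max_bytes:
            alerts.append(Alert(key[0], key[1], len(files[key]), volume[key]))
    return alerts


if __name__ == "__main__":
    raw = sample_events()
    alerts = detect_bulk_reads(raw)
    # Only the alerts, not the raw reads, would be sent on to the SIEM.
    print(f"{len(raw)} raw file reads -> {len(alerts)} alert(s) forwarded")
    for a in alerts:
        print(a)
```

With fixed windows, a burst that straddles a window boundary is split across two buckets and can fall under the thresholds; sliding windows avoid that at the cost of more state.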

In summary, ransomware and exfiltration attacks along with Security industry trends are driving changes in the Storage industry. Storage consumers need to be prepared to think about how to integrate this technology with security tools, teams and processes.

If you would like a deeper dive on what to consider when looking at Cyberstorage solutions, see my SNIA session here.

If you want more information on Cyberstorage and other trends that are evolving storage from focusing on speeds and feeds to meeting your data needs, especially around Cybersecurity and Cyber Resiliency, please join us at our upcoming session at TechXchange: IBM Storage Defender; Executive Keynote, Resiliency Strategy and Future vision [2846].