Storage Management and Reporting

Intelligent threat detection for Cyber Security and Business Resilience during pandemic times

By JULIO (Juls) HERNANDEZ posted Wed July 08, 2020 07:38 PM


Early this year, I was appointed as WW Offering Manager for IBM Storage Cyber Resilience solutions. I was filled with expectations for 2020; nobody could have ever imagined that such changes in economics, politics, finances, and society were brewing. The effects of the before mentioned events during the pandemic and post-pandemic times will endure for months (and maybe years). It will drive complex and challenging scenarios for organizations, impacting their viability to remain in the market; some of them will not survive. 

During these months, I have witnessed that cyber threats are a latent risk that does not rest during the COVID-19 times; to the contrary, they exacerbated and intensified while the System's Administrators are focusing on maintaining operation-critical processes with minimal resources on-site or at customer's locations. Cybercriminal organizations are looking for innovative ways to damage your systems, your data, and your reputation for lucrative reasons -or in some cases-, for "machiavellian" playful purposes.

As a former Tape Offering Manager for more than 11 years, I have a clear understanding of what the words "the last line of the defense" really mean to organizations. When it comes down to recovering your data in the event of ransomware or cyber attack, dozens of well-documented cases have been brought to my attention; bad actors do not discriminate by the size of the business, industry, or geographical location. Tape infrastructure and its long-term data protection case were able to help when critical systems were corrupted or inaccessible. Companies were able to recover their business operations because "thank god" they have protected data using tape cartridges; of course, the above represented a happy ending. Although it is gratifying to see that the data-protection use case and the technology behind it met its objective, a substantial question started to resonate inside of me; why do companies and organizations need to go through this painful process? There must be a smarter strategy that allows organizations to stay ahead of the curve of potential cyber-attacks.
Figure 1

As I understand more of the anatomy of a cyber-attack, threat prevention must be at the top of C-Level’s mind. According to NIST's (National Institute of Standards and Technology)1 framework, there are five dimensions of computer security guidance that contemplate the following functions: "Identify, Protect, and Detect" three aspects related to the "left of the BooM" spectrum. While the "Right of the BooM" has more to do with "Respond and Recover," representing the remaining two functions. (a BooM event is defined when a cyber incident erupted).  

In my opinion, here's where the Cyber-Resilience concept comes into play. The traditional methods (HA, DR, BU) of protection are no longer enough. Organizations need to be Cyber Resilient. Cyber Resilience is defined as “an organization's ability to continue delivering the intended outcomes despite adverse cyber incidents.”

For enterprises in the 21st century, the question of cyberattack is not if - but when 

   Figure 2

Early in April this year, the IBM Systems Storage Cyber Resilience solutions team announced a new blueprint and a solution brief showcasing a security-premier product QRadar (Security Information and Event Management (SIEM)) along with a market-leading filesystem Spectrum Scale (a component of the software-defined Storage portfolio). Initially, I considered this document just another roadmap line item, I was wrong. I didn't realize how much impact this solution would have within the storage and security seller’s community. And more importantly, the significance for customers looking to improve their storage proactive threat detection capabilities, as well as a Security System's Administrator looking to safeguard system's logs for long-term retention needs in a secure and reliable storage medium.

I quickly started to recognize that the mentioned solution brief closes a gap in the market with a robust offering. A solution that covers both sides of the BooM spectrum, "the Left side" Identify, Detect and Protect, and "the Right side" Respond and Recover. In sum, a solution that covers the five dimensions of the NIST framework with an approved/certified IBM on-prem solution.
From a high-level overview, the solution consists of the ability to send Spectrum Scale "File Audit logs" (FAL) to QRadar's threat detection engine for an early intelligent system's intrusion detection. The cyber resiliency workflow is automatically triggered via Snapshot protecting the entire File System or File set, exposing a storage pool behind the Scale's file system to the intuitive/cognitive policy-based management capabilities of the number one security appliance in the market.
Users can identify strange or incorrect access to critical backup or archive instances. Also, it can leverage the machine-learning features of the QRadar boxes for cognitive threat detection that are presented in multiple packages: On-prem, VM, SaaS, or with IBM Cloud.

However, the value proposition of the solution does not stop there. QRadar's users can also benefit from this new relationship in the case companies that require to keep logs for longer periods due to the company's internal mandates or government compliance regulations requirements, alternate site (DR), or license cost optimization. The records can be shared or sent to secure storage instances by the Spectrum Scale server through NFS connectivity, leveraging multiple storage tiers, addressing customer's Service Level Agreements (SLAs) by performing Information Life-cycle Management (ILM) capabilities. Customers can rest assured that the system's logs are protected by the top security capabilities in the Storage industry. Security features like Encryption, WORM (Write Once Read Many), Safeguard copy (DS8000 only), and even immutable copies that can be offloaded to Cloud or Tape instances for physical air-gap protection. 

IBM realizes that Cyber Resilience and Security assessments are not trivial and should not be conducted by companies alone. For professional assistance, IBM has created a Storage Cyber Incident Response (CIR) initiative, an effort led by the Storage Lab Services organization to provide professional consultant support for three phases defined as:

- Advise: Cyber Resilience storage assessment.

- Configure and Review: Implementation services.

- Review: Post-deploy and health checks 


A self-assessment tool is also available to any customer or business partner to help to map  security/resilient features and gaps identification based on the NIST framework and the professional cyber resilience assessment; IBM can help organizations to close those gaps with specific Storage solutions (hardware, software, or managed services) and best practice guidance.
In the post-pandemic world, organizations ought to look for means to stay ahead of the curve with security systems and a cyber-resilient strategy; regardless of its size, global cyber-criminal organizations will not stop, and bad actors inside your company might also catch you with your guard down.

Mission-critical data access cannot be compromised; an organization must be equipped with automated, cognitive, and early threat detection. In the event of a cyber incident, a resilient infrastructure must be in place to help organizations get back to business in the least possible time and with the least likely impact on business continuity.
 IBM can help organizations to implement a state-of-the-art infrastructure powering both cyber secure and cyber-resilient perspectives. 







Figure 1 and Figure 2
Source: Forrester, The Real Costs of Planned and Unplanned Downtime, Aug 2019,





Mon July 13, 2020 05:00 AM

Nice Blog.
It represents the power of integration of two leading IBM products, IBM Spectrum Scale and IBM QRadar to provide cyber threat detection and safeguarding of data against cyber attacks without manual intervention.

Sat July 11, 2020 12:17 AM

For CIO and CSO , need for cyber resiliency has become their prime requirement . Solutions that integrate threat detection along with Cyber resiliency at storage level are most effective in safeguarding your data which is the prime purpose for its adoption. Good article!