
Boost Your Defense with IBM Storage Insights: AI-Driven Ransomware Protection with Advanced Volume Snapshots Management

By Ramakrishna Vadla posted 6 days ago

  


Author - Ramakrishna Vadla, STSM, IBM Storage Insights

IBM Storage Insights is now a crucial component of your cyber resilience strategy, working seamlessly with IBM Storage FlashSystem products to detect potential ransomware attacks in less than a minute. The latest release enhances protection from ransomware threats by managing volume snapshots, integrating with IBM Storage Defender, simplifying storage management with IBM Flash Grid technology, and offering new workload placement advice. The following sections explain the feature, introduced in June 2024, for managing volume snapshots when a ransomware threat is detected.

Ransomware threat detection and data protection

Earlier this year, IBM released the fourth generation of FlashCore Module (FCM4) technology, which introduces advanced artificial intelligence (AI) capabilities to the IBM Storage FlashSystem family. The FCM4 drives analyse every I/O for multiple threat vectors and send signals to IBM Storage Insights Pro.

IBM Storage Insights manages ransomware threats to protect the data on infected volumes and recover the applications within minutes in the following ways:

  • Label ransomware-infected volumes and volume snapshots as compromised - IBM Storage Insights marks volume snapshots created after a ransomware threat is detected as 'Compromised' and updates the infected volume's status to 'Threat Detected' to enable rapid response to security threats. This feature helps storage administrators avoid using 'Compromised' volume snapshots for recovering infected applications, ensuring a more secure and effective recovery process.
  • Notify security ecosystem services and administrator users - IBM Storage Insights automatically notifies IBM Storage Defender and IBM Cloud Paks for Security (IBM QRadar) of ransomware threats, ensuring data protection and rapid application recovery from the latest snapshot copies of volumes. Ransomware threat alerts are also forwarded to ServiceNow to generate incidents for ServiceNow users, enabling swift action against security threats and data protection measures. Furthermore, alerts are sent via email and displayed in the IBM Storage Insights web console to storage and security administrators whose email addresses are configured in the alert configuration policy.

Real-time Ransomware Threat Alerts

Immediate notification of ransomware threats to storage and security administrators is crucial. The following sections describe the places within IBM Storage Insights where users can see and manage these ransomware threats.

The modernized IBM Storage Insights graphical user interface (GUI) prominently displays ransomware threat detection notifications below the menu bar. It highlights the storage system's health status with ransomware threat errors and prominently features these alerts on the overview page, ensuring users give immediate attention to addressing ransomware threats.

The ransomware alerts are labelled as "Potential Ransomware Detected" in the alert list. Each alert includes details such as the storage system name, infected volume, timestamp of detection, the email address of the notified user, and a performance graph illustrating fluctuations during the ransomware threat's propagation across the systems. It is essential to acknowledge ransomware threat alerts when storage users initiate ransomware threat assessments. This involves isolating affected volumes and recovering infected applications using the latest available snapshots of the volumes.

Manage Volume Snapshots

IBM Storage Insights promptly updates the volume status to "Threat Detected" on the volumes page to prompt action and prevent data loss or application disruptions. The volumes table includes a timestamp indicating when the threat was detected under the "Threat Detection Timestamp" column. Once remediation of the ransomware threat is successfully carried out, the volume status should be marked as "Acknowledged."

IBM Storage Insights immediately designates the "Security Status" of volume snapshots created after detecting a ransomware threat as "Compromised." These compromised snapshots are not suitable for application recovery. Once ransomware threat remediation is successfully completed, the volume snapshots will transition to being marked as valid ("good copies") for recovery purposes.
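The labelling rule described above can be applied to an exported inventory to pick a recovery point before remediation. The following Python sketch is an added example, not IBM Storage Insights code or its API; the record layout, field names, volume names and timestamps are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample inventory; field names are hypothetical, not an
# IBM Storage Insights schema.
VOLUMES = {
    "vol_db01": {"status": "Threat Detected",
                 "threat_detected_at": "2024-06-18T10:42:07+00:00"},
    "vol_app02": {"status": "Online", "threat_detected_at": None},
    "vol_log03": {"status": "Threat Detected",
                  "threat_detected_at": "2024-06-18T09:00:00+00:00"},
}
SNAPSHOTS = [  # (volume, snapshot name, creation time)
    ("vol_db01", "snap-0600", "2024-06-18T06:00:00+00:00"),
    ("vol_db01", "snap-1000", "2024-06-18T10:00:00+00:00"),
    ("vol_db01", "snap-1100", "2024-06-18T11:00:00+00:00"),
    ("vol_app02", "snap-1000", "2024-06-18T10:00:00+00:00"),
    # Wall-clock text looks earlier than 09:00, but this is 09:45 UTC.
    ("vol_log03", "snap-0845", "2024-06-18T08:45:00-01:00"),
]

def parse_ts(text):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {text!r}")
    return ts.astimezone(timezone.utc)

def security_status(volume, created_at):
    """'Compromised' if the snapshot was created at or after detection."""
    detected = VOLUMES[volume]["threat_detected_at"]
    # Assumption: a snapshot taken at the detection instant is not trusted.
    if detected is not None and parse_ts(created_at) >= parse_ts(detected):
        return "Compromised"
    return "Good"

def recovery_candidate(volume):
    """Latest snapshot of the volume that is not 'Compromised', or None."""
    good = [(parse_ts(ts), name) for vol, name, ts in SNAPSHOTS
            if vol == volume and security_status(vol, ts) == "Good"]
    return max(good)[1] if good else None

def recovery_plan():
    """Recovery point for every volume in 'Threat Detected' status."""
    return {vol: recovery_candidate(vol) for vol, info in VOLUMES.items()
            if info["status"] == "Threat Detected"}

if __name__ == "__main__":
    for vol, snap in recovery_plan().items():
        print(vol, "->", snap or "no clean snapshot: escalate, do not restore")
```

A volume with no snapshot older than its detection timestamp yields `None`, which a runbook should treat as a stop condition rather than falling back to a 'Compromised' copy.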
