
Double your defense: Protection from ransomware attacks on IBM FlashSystem using IBM Storage Insights and IBM Storage Defender

By RANJITH RAJAGOPALAN NAIR posted 6 days ago

  


Author: Ranjith Rajagopalan Nair (ranjith.r@in.ibm.com), Software Architect, IBM Storage Insights

Early detection is critical in stopping ransomware attacks before they can wreak havoc. By catching them early, you can isolate infected systems, prevent further encryption, and potentially restore data from backups. This minimizes downtime, financial losses, and reputational damage. This blog explains how to combine IBM Storage Insights Pro and IBM Storage Defender to detect ransomware attacks early and stop them.

IBM® Storage Insights Pro is an AI-enabled storage observability cloud service that helps you detect and respond to potential ransomware attacks. An AI-powered inline threat detection model monitors IO patterns in real time, looking for changes that indicate a potential threat. If one is identified, Storage Insights Pro immediately sends an alert, empowering you to respond as quickly as possible, which helps limit any damage.

IBM® Storage Defender delivers end-to-end data resilience by combining backup and storage management solutions from across the IBM Storage portfolio with IBM Business Partner capabilities into one comprehensive package, while still providing the flexibility to choose the capabilities that are right for your enterprise.

The Powerful Partnership

With the June 2024 update of IBM Storage Insights Pro and IBM Storage Defender, the two products are now integrated. The ransomware alerts generated by IBM Storage Insights Pro for a monitored IBM FlashSystem can be automatically forwarded to IBM Storage Defender to trigger cyber resiliency workflows, and hence protect your systems as soon as possible. For a customer who has a subscription to both IBM Storage Insights Pro and IBM Storage Defender, this is great news that will enhance their protection from ransomware attacks.

The integration workflow 

When a customer onboards their IBM FlashSystem, which is already monitored by IBM Storage Insights Pro, into their IBM Storage Defender tenant, IBM Storage Defender will request permission from IBM Storage Insights Pro to receive ransomware alerts. This request will appear as a notification for the IBM Storage Insights Pro administrator. The administrator is responsible for deciding whether to send the alert to IBM Storage Defender. They can either approve or decline the request.

The above picture shows that IBM Storage Defender has sent a request for a FlashSystem, and the integration status is pending on IBM Storage Insights. The administrator can approve the request and also decide to approve any future request from IBM Storage Defender for this particular tenant. Once the request is approved, IBM Storage Insights Pro is ready to send the ransomware alerts generated for this IBM FlashSystem to IBM Storage Defender. 

 

When ransomware is detected on the storage system, IBM Storage Insights Pro generates an alert. The alert is shown in the web UI and is also sent to the configured email address of interested parties. The same alert is automatically forwarded to IBM Storage Defender via a pre-configured webhook. IBM Storage Defender consumes this alert and acknowledges its receipt back to IBM Storage Insights Pro.

When the customer logs in to their IBM Storage Defender tenant, they will see a new case opened for the ransomware attack, showing the affected virtual machine and the storage system providing storage to that virtual machine.

The customer can check the details and take appropriate action, such as activating a recovery plan. Once the threat is neutralized, the customer can close the case in IBM Storage Defender.

The next time the storage administrator logs in to IBM Storage Insights Pro, they will see a notification that the ransomware threat has been neutralized by IBM Storage Defender.

The administrator can go to the alerts and see that the alert has been acknowledged by IBM Storage Defender and that the action is REMEDIATED.

 

In addition, the infected volumes will be marked as non-infected in IBM Storage Insights Pro. This tells the administrator that the threat is remediated and the volume is ready for use again.

Conclusion

IBM Storage Insights Pro can detect ransomware attacks on IBM FlashSystems in near real time and promptly notify IBM Storage Defender to take immediate corrective action. By integrating these two powerful products, IBM effectively addresses the challenge of safeguarding environments from ransomware attacks, providing end-to-end protection for customers.
