In the first entry of this series, we showed how Qumulo’s software stack was engineered to minimize the potential for a malware attack, thereby reducing risk to your organization at the same time. This second installment will focus on best practices for detecting and responding to a ransomware attack in real time.
While every security recommendation and established best practice out there can help minimize the risk of a ransomware attack, there’s no way to eliminate the possibility altogether. Qumulo recognizes the reality that despite the most rigorous security measures and diligent monitoring of your environment, ransomware attacks can and will continue to put enterprise systems, data, and revenue at risk. That’s why we recommend not only that you take precautions to prevent attacks from happening, but that you also have the necessary policies and mechanisms in place to detect attacks in real time, and alert key stakeholders quickly in order to contain the impact when an attack does occur.
Just as there’s no fail-safe guarantee that’s 100% effective against malware, there’s also no one single solution that minimizes risk. The best security strategies recognize that there are multiple points of vulnerability to attack, and implement a comprehensive, multi-layered approach that secures network and compute resources, protects user and enterprise devices and appliances, and monitors system, application, and security logs throughout the enterprise.
The remainder of this post will outline the recommended components of a holistic strategy to detect malware outbreaks effectively.
Antivirus scanning
The first line of antivirus (AV) prevention should be the data center security infrastructure. This can include firewalls, network scanning, email servers and desktop clients. It is essential to understand that if malware reaches the storage system, the data can be compromised.
Qumulo suggests adopting a next-generation antivirus engine, based on AI and binary fingerprinting rather than signatures that can be modified easily by advanced attackers. For optimal overall security and performance, AV software should be installed and active on every client that touches data on the Qumulo file system, especially if those systems also have email and internet access. If necessary, scheduled scans of the Qumulo file system should be performed during off-peak hours
Qumulo also recommends a proper patch-management strategy for client systems and for antivirus signature updates, using a whitelisting approach that allows only legitimate, IT-controlled software to execute.
Ransomware detection
While a ransomware attack can come from anywhere, most of them originate via user negligence rather than brute-force external attacks, e.g.:
- Spear-phishing emails (the most common)
- Trojanized software
- Web server exploits and watering-hole websites
- Domain spoofing
- Exploitation of unpatched operating-system vulnerabilities
- Man-in-the-middle attacks
- Cross-site scripting
- SQL injection attacks
These can be minimized through a combination of user training, an active antivirus engine, and system maintenance, but they can’t be completely eliminated.
Detecting and containing ransomware
In order to optimize the potential responses to an intrusive event, it’s important to identify the different phases of an attack, and to plan out potential responses at each phase.
When they do occur, ransomware attacks typically play out in the following order1:
- Delivery – compromise the network by gaining access to at least one internal system
- Command and control – once inside, establish a connection with the attacker’s command-and-control server to receive instructions
- Credential access – under stealth, obtain credentials and gain access to more accounts across the network
- Canvas – search for files to encrypt, both on the local compromised system and on any networks and services to which it has gained access through lateral movement
- Extortion – attacker exfiltrates and/or encrypts local and network files, then demands payment to either decrypt files or return exfiltrated data
A comprehensive prevention strategy should focus primarily on the Delivery phase of the outbreak. Considering the most common vectors of an attack, the most effective prevention steps involve securing the likeliest entry points for malware: desktop computers, email servers, and network devices – all the more reason for installing antivirus software on end-user devices and systems.
Security Information and Event Management
Since some enterprise nodes (e.g. IoT systems, cameras, printers) within the data center environment can’t be secured using local antivirus software, the next layer of security from malware/ransomware should be a robust security information system and event management (SIEM) solution.
SIEM platforms capture and compile event- and security-log data from enterprise systems. When an enterprise SIEM solution is paired with an Intrusion Detection System (IDS), administrators can identify traffic and activity patterns that indicate potential and actual threats: anomalies in network traffic and server behavior, as well as unusual data read and write activities on enterprise file services.
Many organizations are also using intrusion prevention systems (IPS) that have advanced firewalling and exploit-detection capabilities that can help to fence off some categories of attacks.
Auditing Qumulo storage events
Audit logging provides a mechanism for tracking Qumulo file-system events as well as management operations. As connected clients issue requests to the cluster, event-log messages are generated for each attempted operation. These log messages are then sent over the network to the remote syslog instance – i.e. the designated SIEM target.
Qumulo uses an industry-standard syslog format, meaning that all event log data, including audit logs, can be read, parsed, and indexed by any enterprise SIEM solution. Centralizing this log data on a SIEM platform enables greater flexibility in detecting and responding to suspicious events on the Qumulo file system.
Among others, Qumulo-validated SIEM solutions include Splunk, Elasticsearch and AWS Cloudwatch. For Intrusion Detection solutions, Qumulo integrates with Superna, Varonis, and Netwrix, among others. Qumulo also supports the OpenMetrics API standard for syslog exports, enabling integration with Prometheus-based monitoring solutions as well.
Automating responses to security events
Once a suspicious event or malicious activity has been detected on the storage system, the SIEM and Qumulo systems can be configured to trigger one or more automated actions in response. As with other event types, such as platform or service outages and network issues, the SIEM platform can be configured for certain automated actions. These might include an administrator alert tree (email and/or text messages), disabling an AD user account, or shutting off network ports when suspicious activity is detected, etc.
Leveraging the Qumulo API
There a number of ways to leverage the Qumulo API for automated responses to security events:
- Direct API calls
- Use the Qumulo-provided Python libraries to simplify API script development
- Use the Qumulo CLI
Activating automated Qumulo responses
Qumulo’s API-first development model means that literally any action on the storage cluster can be initiated and managed via API. Some examples of automated actions that can be triggered in the event of a security breach, malware detection, or other forms of cyber attack include:
- Immediately apply a 0-quota policy – applicable to a single directory, directory tree (including whole shares and/or exports, or the entire file system – that blocks all further write activity (although overwrites might still be possible)
- Set any targeted exports to read-only
- Set an IP address restriction policy to any share or export
- Remove access privileges for a user or group
- Initiate an on-demand snapshot of any suspected
- Lock one or more existing snapshots
Automating responses on other enterprise platforms
While there are many first-response actions that can be initiated on the affected Qumulo system, other platforms within the enterprise space can be leveraged to secure critical systems and data in the event of a malware attack, e.g.:
- Active Directory – disable any compromised user or service accounts as soon as hostile activity has been detected and the offending accounts have been identified
- Antivirus software – launch an on-demand antivirus scan of any and all systems, including the Qumulo cluster, which are known or suspected to be under attack
For specific information on these and other actions to third-party platforms, please refer to the appropriate vendor-provided documentation.
This blog post has provided a high-level overview of Qumulo’s own features, and its interoperability with 3rd-party tools to enable enterprises to detect malware outbreaks in real time. A holistic protection strategy needs additional strategies and practices to ensure that any attack that occurs can be quickly discovered and contained, and that any lost data or impacted services can be quickly restored.
Learn more
- Part 1: How to Use Qumulo’s Built-in Security Controls for Data Protection
- Part 3: Recovering from Ransomware Attacks
- Download the latest Security Architecture and Practices white paper
Contact us
- Click here to schedule a meeting.
- Subscribe to the Qumulo blog for customer stories, technical insights, and product news