

Reference Architecture – Varonis Integration with ANQ

Qumulo and Varonis have partnered to provide an end-to-end solution that protects Qumulo customers from ransomware attacks against SMB workloads in cloud and on-premises environments. This article describes a real-time solution for detecting and responding to malware and unauthorized data access on an Azure Native Qumulo Scalable File Service (ANQ) deployment, using Varonis SaaS to provide a robust security defense against bad actors.  

Architecture

An Azure Native Qumulo cluster’s audit logs track user-driven actions such as file access and modification, data sharing and permissions management, and system configuration changes.

In this solution, Qumulo audit logs are streamed to an Azure-based Varonis instance, where they are analyzed using proprietary pattern recognition algorithms to detect anomalous activity.  The combined solution operates across three key dimensions to protect against bad actors’ attempts to inject ransomware and malware: prevention through permissions hardening and ongoing analysis, detection of anomalous activity across the storage and data layers, and recovery of data in the event of a successful attack.

Solution Architecture

Process Flow

As shown above, the Qumulo cluster sends its audit logs to the Qumulo Broker, which converts them into the format the Varonis Collector expects and forwards them. The Qumulo Broker also exposes an API service for RabbitMQ message traffic; RabbitMQ is the service that actually delivers the events to the Varonis Collector.

The Varonis Collector connects to ANQ, scans folders, classifies file contents, and extracts access events. The extracted metadata (folder and file permissions, classification labels, and access events) is uploaded to the Varonis Data Security Platform cloud.

This architecture focuses on safeguarding against ransomware and malware through three main dimensions:

  • Prevention: The Varonis Data Security Platform plays a crucial role in ransomware prevention by continuously monitoring audit logs sent from the Qumulo cluster to the Varonis SaaS application. Varonis analyzes these logs to understand user permissions and assess access levels. It recommends removing unused permissions and alerts administrators if suspicious or anomalous permission changes are detected. Users can then take corrective actions within the Varonis SaaS application.
  • Detection: Varonis employs threat intelligence, including threat feeds and blacklists, to identify known ransomware and attack patterns. Machine learning is applied to Qumulo audit logs for new or novel attack methods to detect unusual behavior that might indicate malicious activity. This includes monitoring changes in file activity, access permissions, and access patterns, triggering alerts when abnormalities are detected.
  • Recovery: In the event of an attack, it’s crucial to have a recovery plan in place. Qumulo allows administrators to create snapshot policies that retain multiple copies of data over time. Even if an attacker gains elevated permissions and attempts to encrypt data, Qumulo’s snapshot locking prevents them from deleting or encrypting existing snapshots. This approach isolates the attack, enabling administrators to revert to uncompromised data and resume normal operations when necessary.
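To make the detection dimension concrete, here is an added example (not Qumulo's or Varonis's code) of one simple rate-based rule run over constructed audit-log lines: it flags a user who renames several files to a new extension within a short window, one of the bulk-encryption patterns a detection layer watches for in file activity. The syslog prefix, the CSV field layout and the operation name fs_rename are assumptions made for this example, not Qumulo's documented format.

```python
import csv
import os
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample records modelled on the CSV body Qumulo appends to each syslog line
# (ip,user,operation,result,file_id,path,secondary_path); layout and names are assumptions.
SAMPLE_LOG = """\
Jun  6 09:19:41 anq-1 qumulo 10.0.0.5,"CORP\\alice",fs_rename,ok,"1001","/finance/q1.xlsx","/finance/q1-final.xlsx"
Jun  6 09:20:02 anq-1 qumulo 10.0.0.9,"CORP\\bob",fs_rename,ok,"2001","/hr/a.docx","/hr/a.docx.locked"
Jun  6 09:20:03 anq-1 qumulo 10.0.0.9,"CORP\\bob",fs_rename,ok,"2002","/hr/b.pdf","/hr/b.pdf.locked"
Jun  6 09:20:03 anq-1 qumulo 10.0.0.9,"CORP\\bob",fs_rename,ok,"2003","/hr/c.xlsx","/hr/c.xlsx.locked"
Jun  6 09:25:10 anq-1 qumulo 10.0.0.9,"CORP\\bob",fs_rename,ok,"2004","/hr/d.txt","/hr/d.txt.locked"
"""
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ qumulo (?P<body>.+)$")
FIELDS = ("ip", "user", "op", "result", "file_id", "path", "secondary_path")

def parse_audit_log(text):
    """Split the syslog prefix with a regex and the CSV body with csv; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        values = next(csv.reader([m.group("body")])) if m else []
        if len(values) != len(FIELDS):
            continue
        event = dict(zip(FIELDS, values))
        event["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append(event)
    return events

def _ext(path): return os.path.splitext(path)[1].lower()

def detect_rename_bursts(events, window_s=60, threshold=3):
    """Alert when one user renames >= threshold files to a new extension within window_s seconds."""
    per_user = defaultdict(list)
    for e in events:
        if e["op"] == "fs_rename" and e["result"] == "ok" and _ext(e["secondary_path"]) != _ext(e["path"]):
            per_user[e["user"]].append(e)  # same-extension renames (ordinary edits) are ignored
    alerts = []
    for user, renames in per_user.items():
        renames.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(renames)):
            while (renames[end]["ts"] - renames[start]["ts"]).total_seconds() > window_s:
                start += 1  # slide the window so it spans at most window_s seconds
            if end - start + 1 >= threshold:
                hit = renames[start:end + 1]
                alerts.append({"user": user, "count": len(hit), "new_extensions": sorted({_ext(e["secondary_path"]) for e in hit})})
                break  # one alert per user is enough for triage
    return alerts
```

With the sample above, alice's same-extension rename is ignored and bob trips the rule on his third rename within one second; tune window_s and threshold to the share's normal rename rate before relying on it.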

Components

Solution Benefits

The integration of Qumulo and Varonis SaaS offers several benefits to organizations, including:

  • Comprehensive data security: The Varonis SaaS provides advanced threat detection, data classification, and access control features that complement ANQ’s data protection capabilities. This integration ensures that data is protected at all times and any potential threats are detected and mitigated quickly.
  • Improved data management: With Qumulo’s real-time analytics and Varonis’ data classification features, organizations can have better visibility and control over their data. They can identify sensitive data, track its usage, and manage it more efficiently.
  • Compliance readiness: Varonis’ compliance features enable organizations to comply with various data protection regulations such as GDPR, CCPA, and HIPAA. The integration with Qumulo ensures that data is stored and managed in a compliant manner.

Potential Use Cases

  • Access Control Management: Varonis SaaS provides granular access control capabilities, allowing administrators to manage user access based on their roles and responsibilities. This complements Qumulo’s support for multiple protocols, ensuring that data is only accessible to authorized users.
  • Data Classification: Varonis employs advanced techniques such as proximity matching, negative keywords, and algorithmic verification to identify sensitive data within Qumulo file shares. This goes beyond regular expressions and provides high-precision results.
  • Threat Detection and Risk Management: Varonis employs behavior-based threat models to identify abnormal data activity in real time, proactively preventing data breaches.
  • Dashboards and Reporting: Varonis offers customizable dashboards that provide a real-time view of your data security status. Users can drill down into specific users or groups to see their data access permissions and activities, helping manage and mitigate risks effectively.

Considerations

The integration of ANQ with Varonis provides organizations with a comprehensive data protection and management solution. It offers advanced threat detection, data classification, and access control features complementing Qumulo’s data protection capabilities. This integration ensures that data is protected, managed efficiently, and compliant with various data protection regulations.

Scalability and Performance

The Qumulo Broker middleware layer is central to integrating ANQ with Varonis. It is built on top of the standard Rsyslog service and Docker, and you can run it on your preferred Linux distribution. Audit logs are held in memory for fast conversion, and Rsyslog automatically increases its number of worker threads according to the volume of incoming logs.

Its default design allows it to process heavy workloads from one or more ANQ clusters. If the Broker becomes a performance bottleneck, the first remedy should be to increase the CPU and memory resources of the Qumulo Broker machine.

The Varonis SaaS is an inherently scalable data security platform; it scales according to performance and capacity needs.

Security

The Azure Native Qumulo Scalable File Service connects to your Azure environment using VNet Injection, which is fully routable, secure, and visible only to your resources. No IP space coordination between your environment and the ANQ cluster is required.

Qumulo’s snapshot locking prevents modification to existing snapshots. This capability empowers storage administrators to isolate and contain an attack, enabling them to revert to unaffected data for regular operations.

Qumulo is compliant with multiple standard security frameworks and protocols, including HIPAA, SOC 2 Type II, and FIPS 140-2 Level 1. For more information, see Qumulo Compliance Posture in the Qumulo Core Administrator Guide.

Availability

The solution's components can each be considered individually, and availability options can be chosen for each according to your business policies. For further discussion, please reach out to your Qumulo or Varonis representatives.

Deploy this scenario

For more information regarding inbound and outbound networking, see Required Networking Ports for Qumulo Core.

Contributors

This article is maintained by Qumulo. It was originally written by the following contributors.

Principal authors:
Berat G. Ulualan | Solutions Architect at Qumulo

Next steps

Related resources
