The Blessing (or Curse) of DNA
Have you ever noticed that some of your favorite sports or music heroes grow up, have children, and before you know it, their kids are the sports or music stars of a new generation? That’s DNA, baby, and it’s a powerful thing to be wired with a skill from day 1. The same is true in technology and specifically IT infrastructure. The DNA – the architecture – of application infrastructure matters, and when it comes to ransomware protection, architecture definitely matters.
Ransomware has made a lot of headlines in recent years with variants that encrypt files on infected systems, a.k.a. cryptographic ransomware, as well as strains that erase files or block access to the system, a.k.a. locker ransomware. Regardless of the method used, the damage is severe. As the digital landscape evolves, so do the tactics of cybercriminals—really, cyberterrorists. The high volume and rapid evolution of these attacks make it inevitable that some malicious programs will penetrate your defenses and infiltrate your systems—sadly it’s not a question of if, but a question of when ransomware will breach your networks.
No doubt you have considered various ransomware protection solutions for your organization’s application infrastructure to stay ahead of these growing threats. However, the best place to start is with the DNA of the application infrastructure itself—and whether cybersecurity was designed into the architecture, or a spur-of-the-moment afterthought. Just like in sports and music, DNA matters in IT infrastructure in a big way.
Infrastructure-Level Ransomware Detection Begins with Good DNA
On that point, I am excited to share some big news of important additions to Nebulon smartInfrastructure: TripLine, the first combined server-storage threat detection for cryptographic ransomware; and smartDefense, a cybersecurity solution to protect, detect, and recover from a ransomware attack. Let’s unpack these new capabilities.
While a variety of solutions are available to detect patterns of cryptographic ransomware attacks, unfortunately they may not provide comprehensive coverage for attacks deep within the server-storage infrastructure. For example, hyperconverged infrastructure (HCI) relies on software running on servers to safeguard data. In some cases, HCI’s software-defined storage (SDS) is integrated into the hypervisor, while in other cases, it runs as separate software on the server. In either scenario, a sophisticated ransomware attack on the hypervisor layer can encrypt the physical drives that HCI requires to operate, leading to data loss—including all snapshots. This creates a challenge for HCI and other server-based solutions to detect and recover from ransomware.
Nebulon smartInfrastructure takes a different approach to cybersecurity and cyber-resilience. Any Nebulon-equipped server (available from Dell, HPE, Lenovo, or SuperMicro) leverages a PCIe-based Nebulon Services Processing Unit (SPU) to establish secure isolation of infrastructure services within the server itself. This isolated domain includes server lights-out management, data services, boot and data volumes, and attached SSDs. We call this domain the Nebulon Secure Enclave, which forms a security barrier between the server’s application domain that has been attacked and the physical drives that store important data such as snapshots, the operating system, configuration information, and application data. Therefore, even if the server is compromised, the boot image and data on the physical drives remain protected from being encrypted.
All application data within a server is written to the Secure Enclave where Nebulon’s data services are located. These services include robust features such as data compression, deduplication, erasure coding, encryption, mirroring, and snapshots, among others. With the recent addition of TripLine threat detection, the Secure Enclave now can monitor millions of data points each day and use machine learning to identify patterns of potential cryptographic ransomware on the host. These patterns are then sent to the Nebulon ON cloud and further analyzed to determine the likelihood of a ransomware attack. Now, when the worst happens and you have been infected, Nebulon ON can inform you of the exact time and location of an attack on your infrastructure…within minutes.
Sounds cool, right? But if you run a Google search on ‘server storage ransomware detection,’ you will get 21.4 million results…really! So how unique is TripLine you ask? We have already established the limitations of HCI, which lacks any kind of secure isolation between application and infrastructure domains. But what about other solutions? It turns out there are infrastructure-level ransomware detection capabilities available from several backup vendors. While helpful, these are limited to data volumes only, so they miss the operating system and application software attack surfaces entirely.
Early Detection of a Ransomware Breach is Key
These solutions are also not real-time. Once ransomware is inside your firewall, the goal is to detect and isolate it before it encrypts too much data. The earlier you detect signs of any type of cyberattack, the better your odds are of preventing damage and limiting the blast radius. This rule is especially true for cryptographic ransomware, given that the consequences of this attack are often severe and irreversible. By the time backup software reports an attack, the spread may already be pervasive.
Because Nebulon maintains the boot and data volumes as a part of the Secure Enclave, TripLine can detect cryptographic ransomware in the operating system, application software and application data in real time, as data is being written. Equally important, when it is time to recover, having a snapshot of the boot image, configuration settings, application binaries AND data—all protected within the Secure Enclave—means recovery can be achieved in minutes. These are powerful features, but impossible without good DNA—i.e. an architecture that incorporates secure isolation of infrastructure services from the start.
A New Solution for Protection, Detection & Recovery
smartDefense is a new smartInfrastructure solution for narrowing threat vectors, detecting breaches and accelerating recovery. It is intended to complement what you have in place for your cybersecurity framework (Identify-Protect-Detect-Respond-Recover) with a solution for the deep server-storage application infrastructure.
smartDefense protection leverages Nebulon ImmutableBoot, which maintains a known good version of the operating system and application stack within the Secure Enclave of every server. Every time the server reboots, it reverts to this known good software instance, eliminating errant firmware updates or dormant malware in the process. Said simply, ‘Reboot to Recover.’
In addition to ImmutableBoot, we have built a variety of additional protection features into the foundation of the platform, including: Zero-Trust Authentication, Hardware Root of Trust on the SPU, Always-On Encryption in-flight & at-rest, Single Sign-On integration with Azure AD, and 2-Person Commit for destructive administrative actions.
smartDefense detection leverages TripLine, which we have just covered, so let’s talk briefly about ‘Recovery’ for the full picture of the solution. smartDefense recovery relies on Nebulon TimeJump, which can rapidly recover operating systems, application configurations, and data, reducing recovery time from days to less than 4 minutes for multiple clusters simultaneously. With the addition of Nebulon TripLine to the smartDefense solution, customers can now pinpoint the exact point of attack within their infrastructure and TimeJump to a point in time prior, leading to a significant reduction in overall threat response and recovery time.
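To make the detect-then-recover flow described above (real-time detection on the write stream, then rolling back to a snapshot taken before the attack began) concrete, here is an added illustration; it is not Nebulon's code and the page does not disclose how TripLine actually classifies writes. It assumes one widely used signal for cryptographic ransomware, a sudden run of high-entropy (encrypted-looking) blocks in the write stream, and runs a sliding-window detector over a constructed write trace. The detector reports the onset time of the burst, and a second function picks the latest snapshot strictly older than that onset (optionally with a safety margin) as the recovery point. All timestamps, payloads and snapshot times are constructed for the example.

```python
import math
import random
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class WriteEvent:
    """One block write as seen by the storage layer (constructed record, not a real I/O trace)."""
    t: float        # timestamp in seconds (constructed)
    volume: str     # target volume, e.g. "boot" or "data"
    payload: bytes  # block contents


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class WriteStreamDetector:
    """Trips when most writes in a sliding window look encrypted, and records the burst onset.

    Entropy-based detection is an assumption for this example; it is not TripLine's logic.
    """

    def __init__(self, window: int = 20, high_entropy: float = 7.0, trip_ratio: float = 0.6):
        self.window = window
        self.high_entropy = high_entropy
        self.trip_ratio = trip_ratio
        self._recent: deque = deque(maxlen=window)  # (timestamp, looked_encrypted)
        self.onset: Optional[float] = None

    def observe(self, ev: WriteEvent) -> Optional[float]:
        """Feed one write; returns the onset timestamp once the detector has tripped, else None."""
        high = shannon_entropy(ev.payload) >= self.high_entropy
        self._recent.append((ev.t, high))
        # Only judge a full window, so a handful of legitimately compressed/encrypted
        # blocks at start-up does not trip the detector on its own.
        if self.onset is None and len(self._recent) == self.window:
            ratio = sum(1 for _, h in self._recent if h) / self.window
            if ratio >= self.trip_ratio:
                # The earliest encrypted-looking write still in the window approximates
                # when the burst began; that is the time a recovery must roll back before.
                self.onset = min(t for t, h in self._recent if h)
        return self.onset


def choose_recovery_point(snapshot_times: Sequence[float], onset: float,
                          margin: float = 0.0) -> Optional[float]:
    """Latest snapshot taken strictly before (onset - margin), or None if no snapshot qualifies."""
    candidates = [s for s in snapshot_times if s < onset - margin]
    return max(candidates) if candidates else None


def build_trace() -> List[WriteEvent]:
    """Constructed trace: 40 log-like plaintext block writes, then 40 random-byte block writes."""
    rng = random.Random(7)  # seeded so the trace is reproducible
    trace = []
    for i in range(40):
        line = f"ts={1000 + i} user=alice action=read path=/srv/app/data/{i}.dat status=ok\n".encode()
        block = (line * (4096 // len(line) + 1))[:4096]
        trace.append(WriteEvent(t=1000 + i, volume="data", payload=block))
    for i in range(40, 80):
        trace.append(WriteEvent(t=1000 + i, volume="data", payload=rng.randbytes(4096)))
    return trace


def run_detection(trace: Sequence[WriteEvent]) -> Optional[float]:
    """Run the detector over a whole trace and return the onset it reports (None if never tripped)."""
    det = WriteStreamDetector()
    for ev in trace:
        det.observe(ev)
    return det.onset


if __name__ == "__main__":
    onset = run_detection(build_trace())
    snapshots = [900, 1000, 1035, 1045, 1060]  # constructed snapshot timestamps
    print("burst onset:", onset)
    print("recover to snapshot:", choose_recovery_point(snapshots, onset))
```

In the constructed trace the encrypted-looking writes start at t=1040; with a 20-write window and a 60% trip ratio the detector trips at t=1051 (12 suspicious writes in the window) but reports the onset as 1040, and the recovery-point selection then skips the snapshot taken at 1045 and returns the one from 1035. A real deployment would also have to tolerate legitimately high-entropy writes (compressed archives, already-encrypted volumes, media files), which is why the window ratio rather than any single block decides, and why the margin parameter exists for callers who want to roll back a little further than the first sign of trouble.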
DNA (the Architecture) Defines Capability
Comprehensive protection, detection, and recovery services are a part of the DNA of smartInfrastructure—it’s an architectural attribute that you cannot bolt on after the fact to an HCI platform. With the challenges of ransomware only growing, it’s time that all modern application infrastructure has cybersecurity and cyber-resilience built in.