How Pure Storage Helps Customers Protect Against Ransomware – Blocks and Files


Sponsored feature: Ransomware is one of the great scourges of our time, and it is getting worse. We spoke with Shawn Rosemarin, Global Vice President of Emerging Technology Solutions Sales at Pure Storage, about how the company can help customers protect themselves.

Blocks and Files: What happens if a Pure customer discovers to their chagrin that they have been hit by a ransomware attack? What is the best result they can hope for?

Shawn Rosemarin: In the ideal scenario, the customer has prepared and secured their infrastructure to detect and discover ransomware attacks as early as possible. It is the dwell time that affects the difficulty of restoration. The sooner you know someone is doing something they shouldn't, the faster and easier recovery will be. The elapsed time and the amount of data that needs to be restored directly determine how long and how complex it will be to get back to that restore point.

The other assumption is that there is no panic, because the organization has properly prepared for the event. Everyone knows what their roles and tasks are. They also know which applications are critical to business operations and how long those can be out of service without impacting the business. Those are the recovery time objectives: how long can they be down? How much data can they afford to lose? Can they afford to lose an hour, a minute, a second? Depending on their industry, it comes down to that RPO.

Can Pure Storage software or services detect ransomware and alert customers?

In Pure Storage arrays, we take a look at what's going on. We work closely with industry partners in log analytics, such as Splunk or Elastic, to feed security information and event management (SIEM) architectures.

So we look at what's going on for things that are deemed different or strange, like someone suddenly spending a lot of time in shares they have access to but usually wouldn't go to.

The thing to think about with dwell time is that the longer I stay in the system, the more I can access other credentials. If I happen to catch a set of admin credentials I might go and create some trouble, but I’m not going to do that yet, I’m going to use the credentials to access some other systems, look where the backups are. What would be my attack vector that would give me the most leverage or cause the most pain for this organization to just pay the ransom?
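The anomaly Rosemarin describes, a user who is suddenly active in a share they are entitled to but rarely touch, can be checked against a per-user baseline. The following is an added example and not Pure Storage's, Splunk's or Elastic's code: it runs the check over constructed share-access records in a hypothetical `<timestamp> <user> <share> <operation>` format, and the thresholds (`baseline_days`, `min_window_hits`, `ratio`) are assumptions to be tuned per environment.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample share-access records (not real telemetry), one per line:
# "<ISO timestamp> <user> <share> <operation>".
# Baseline: 1-28 March. Detection window: 29-30 March, where alice, who has
# rights to \\fs01\backups but touched it once in four weeks, starts working
# through it at 2 a.m.
SAMPLE_LOG = r"""
2024-03-01T09:02:11 alice \\fs01\engineering READ
2024-03-04T10:15:42 alice \\fs01\engineering WRITE
2024-03-05T14:40:03 alice \\fs01\backups READ
2024-03-06T13:30:00 bob \\fs01\finance READ
2024-03-08T09:11:27 alice \\fs01\engineering READ
2024-03-12T16:05:58 alice \\fs01\engineering READ
2024-03-13T13:31:12 bob \\fs01\finance READ
2024-03-19T11:23:09 alice \\fs01\engineering WRITE
2024-03-20T13:29:48 bob \\fs01\finance WRITE
2024-03-26T08:57:44 alice \\fs01\engineering READ
2024-03-27T13:30:21 bob \\fs01\finance READ
2024-03-29T02:03:14 alice \\fs01\backups READ
2024-03-29T02:03:51 alice \\fs01\backups READ
2024-03-29T02:04:30 alice \\fs01\backups READ
2024-03-29T02:05:02 alice \\fs01\backups WRITE
2024-03-29T02:05:44 alice \\fs01\backups DELETE
2024-03-29T09:15:02 alice \\fs01\engineering READ
2024-03-29T13:30:05 bob \\fs01\finance READ
2024-03-30T01:58:07 alice \\fs01\backups READ
2024-03-30T01:59:13 alice \\fs01\backups READ
2024-03-30T02:00:39 alice \\fs01\backups DELETE
"""


def parse_log(text):
    """Parse the sample format into (timestamp, user, share, op) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, share, op = line.split()
        events.append((datetime.fromisoformat(ts), user, share, op))
    return events


def access_profile(events, start, end):
    """Count accesses per (user, share) with start <= timestamp < end."""
    counts = Counter()
    for ts, user, share, _op in events:
        if start <= ts < end:
            counts[(user, share)] += 1
    return counts


def find_share_anomalies(events, window_start, window_end,
                         baseline_days=28, min_window_hits=5, ratio=4.0):
    """Flag (user, share) pairs whose activity in the window far exceeds the
    user's own historical rate for that share. Thresholds are assumptions."""
    baseline = access_profile(
        events, window_start - timedelta(days=baseline_days), window_start)
    window = access_profile(events, window_start, window_end)
    window_days = (window_end - window_start).total_seconds() / 86400
    findings = []
    for (user, share), hits in sorted(window.items()):
        if hits < min_window_hits:
            continue  # too little activity to count as "spending a lot of time"
        baseline_hits = baseline[(user, share)]
        # Expected hits in the window at the baseline rate, floored at one so a
        # share visited never or once in the baseline still needs `ratio` hits to fire.
        expected = max(baseline_hits * window_days / baseline_days, 1.0)
        if hits > ratio * expected:
            findings.append({"user": user, "share": share, "window_hits": hits,
                             "baseline_hits": baseline_hits,
                             "expected_hits": round(expected, 2)})
    return findings


def run_sample():
    """Run the check over the constructed log for the 29-30 March window."""
    events = parse_log(SAMPLE_LOG)
    return find_share_anomalies(events, datetime(2024, 3, 29), datetime(2024, 3, 31))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed data, only alice's burst in \\fs01\backups is reported; her routine engineering activity and bob's weekly finance access stay under the thresholds. The baseline is per user and per share on purpose: the point is not that the backups share is touched, but that this user does not normally touch it. In a real SIEM the same logic would run over SMB audit events, and WRITE or DELETE bursts against backup repositories deserve a lower `min_window_hits` than reads.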

How can Pure help customers recover if their data begins to be compromised?

So the first thing that happens is we know there's a breach, and we have a plan or we're coming up with a plan very quickly. Then the organization will usually go to their insurance company and declare a ransomware attack, and the insurance company will bring in a third-party forensic security team like Mandiant to find out what really happened. What did the attackers have access to? What kind of data was compromised? Have any backdoors been put in place?

That's a big part of it, because I have to decide how cleanly I can restore, assuming I have infrastructure to restore to. If the dwell time was 30 days and I go back 31 days, I can be clean, but can I really protect myself against their immediate return?

But the most important piece is this: do I have an unencrypted backup to recover from? Where do I recover unencrypted snapshots from? Snapshots are easy to restore, but in many cases businesses can't afford to keep 30, 45, or 60 days of snapshots, so now you're thinking about going back to backup. And that's where you get into big volumes of data that need to be restored quickly. And our experience is that with a traditional backup to tape or disk, we're looking at about one or two terabytes per hour.

With our Pure Storage FlashArray//C we see retrieval speeds of eight terabytes per hour, and on FlashBlade retrieval speeds of 40 to 270 terabytes per hour. So the restore times here are orders of magnitude different from what has traditionally been thought of as backup.

Because the paradigm has changed, hasn't it? We used to think about backup speed, about how quickly the SQL database could be backed up so that there was no performance hit. Nowadays it is recovery time: how fast can we restore the data for these critical applications?

Would people generally restore from snapshots, for example on FlashArray, and backups on FlashBlade?

Here's how I would say we see it: basic protection would be to use snaps to restore. I enable SafeMode on my primary array so snapshots are written to a volume that cannot be encrypted; it is immutable.

If we go a step further, we're not just taking snapshots, we're actually taking backup volumes. We then put the backup volumes in these repositories into SafeMode. And now, in case we can't restore with snaps, we can actually fetch an immutable backup.

Ideally, we would have a FlashArray//X connected to a FlashBlade so that we have all of our most recent backup volumes ready to restore incredibly quickly. So during an event, we can mount from the FlashBlade and then move the FlashBlade volumes back to our main array.

Is there a difference between how SafeMode works on FlashArray//X, FlashArray//C, and FlashBlade?

SafeMode works the same in both scenarios. It is an immutable volume. And that’s interesting because we’ve seen a lot of vendors say that unless you’re the system administrator, you can’t change or modify the array. SafeMode is different, we actually assume anyone could do the damage and your credentials could be compromised or stolen.

Because once a ransomware attack has occurred, you can no longer trust the credentials of anyone in the attacked organization?

It’s true. It’s called zero trust, so I should only give each employee access to what they absolutely need. But we should always assume that any set of credentials can be compromised.

What happens from a SafeMode point of view is that I have something called an "eradication timer". So let's say I have admin credentials and delete a backup. With SafeMode there's an eradication timer, and whoever deletes it doesn't actually delete it for 30, 45, or 60 days. So if it's deleted, no problem: it's actually not deleted, it's sitting on a timer that has been preset.

Now if you want to change that or reconfigure it, you have to call support, and you have to be one of a few named people. You must identify yourself by name and give your PIN code, which only you know. Only then would support on our end come in and actually reset or change the eradication timer and SafeMode settings.
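To make the eradication-timer behaviour concrete, here is an added example that models it in Python. It is a hypothetical toy written for this page, not Pure's SafeMode implementation, and the names (`SafeModeStore`, `run_eradication`, `support_authorized`) are assumptions. It walks through what an attacker holding stolen array-admin credentials can and cannot do: "deleting" a snapshot only starts a preset timer, the timer cannot be changed from the array-admin code path, and the data stays restorable until the timer expires.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


class RetentionLockError(PermissionError):
    """Raised when array credentials alone try to change the retention lock."""


@dataclass
class Snapshot:
    name: str
    data: bytes
    created: datetime
    eradicate_after: Optional[datetime] = None  # None: not marked for deletion


class SafeModeStore:
    """Toy model (not Pure's code) of a snapshot store with an eradication timer.

    A 'delete' only schedules eradication after a preset delay, and the delay
    itself can only be changed through an out-of-band support step that array
    credentials cannot perform.
    """

    def __init__(self, eradication_delay: timedelta) -> None:
        self.eradication_delay = eradication_delay
        self.snapshots: Dict[str, Snapshot] = {}

    def take_snapshot(self, name: str, data: bytes, now: datetime) -> None:
        self.snapshots[name] = Snapshot(name, data, now)

    def delete(self, name: str, now: datetime) -> datetime:
        """Anyone with array credentials may call this; it destroys nothing."""
        snap = self.snapshots[name]
        if snap.eradicate_after is None:
            snap.eradicate_after = now + self.eradication_delay
        return snap.eradicate_after

    def restorable(self, now: datetime) -> List[str]:
        """Snapshots still recoverable, including 'deleted' ones whose timer is running."""
        return sorted(n for n, s in self.snapshots.items()
                      if s.eradicate_after is None or now < s.eradicate_after)

    def restore(self, name: str, now: datetime) -> bytes:
        if name not in self.restorable(now):
            raise KeyError(f"{name} has been eradicated")
        return self.snapshots[name].data

    def run_eradication(self, now: datetime) -> List[str]:
        """Background job: physically remove only snapshots whose timer has expired."""
        gone = [n for n, s in self.snapshots.items()
                if s.eradicate_after is not None and now >= s.eradicate_after]
        for n in gone:
            del self.snapshots[n]
        return sorted(gone)

    def set_eradication_delay(self, new_delay: timedelta, *,
                              support_authorized: bool = False) -> None:
        """Changing the timer needs the out-of-band support process (named contact
        plus PIN), modelled as a flag the array-admin code path never sets."""
        if not support_authorized:
            raise RetentionLockError("eradication timer can only be changed via support")
        self.eradication_delay = new_delay


def compromised_admin_scenario() -> dict:
    """Attacker with stolen admin credentials versus the timer. Returns observations."""
    t0 = datetime(2024, 3, 1)
    store = SafeModeStore(eradication_delay=timedelta(days=30))
    for day in range(3):  # three daily snapshots taken before the attack
        store.take_snapshot(f"db-{day}", f"payload-{day}".encode(), t0 + timedelta(days=day))

    attack_time = t0 + timedelta(days=3)
    # 1. Attacker first tries to zero the timer so deletes become real: refused.
    try:
        store.set_eradication_delay(timedelta(0))
        timer_change_blocked = False
    except RetentionLockError:
        timer_change_blocked = True
    # 2. Attacker "deletes" every snapshot, then encrypts production.
    for name in list(store.snapshots):
        store.delete(name, attack_time)
    # 3. Defenders notice a week later: everything is still restorable.
    discovery = attack_time + timedelta(days=7)
    store.run_eradication(discovery)  # nothing has expired yet
    restorable_at_discovery = store.restorable(discovery)
    recovered = store.restore("db-2", discovery)
    # 4. Had nobody restored in time, the timer would eventually let eradication proceed.
    eradicated_after_timer = store.run_eradication(attack_time + timedelta(days=30))
    return {
        "timer_change_blocked": timer_change_blocked,
        "restorable_at_discovery": restorable_at_discovery,
        "recovered": recovered,
        "eradicated_after_timer": eradicated_after_timer,
    }


if __name__ == "__main__":
    print(compromised_admin_scenario())
```

The two properties that matter are separated in the model: the retention window (how long a "deleted" snapshot survives) and the authority to change that window. Putting the second behind a process that no array credential can drive is what makes the first survive a stolen admin account; if the same credentials could shorten the timer, the deferred delete would be worth little. The 30-day step at the end is the reminder that the timer buys time for recovery, not permanence.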

Security protection companies imply that ransomware recovery is getting easier and easier. What’s your answer to that?

If you asked me whether you could easily restore from snapshots, I would say yes, snapshots are incredibly easy. And I think if you're restoring data, or even a user file that someone accidentally deleted, it would be easy. The hardest part is, as I said earlier, understanding how we got here. We have seen firsthand, working with various organizations, what is needed to restore. It is not an easy task. I would love to put on a marketing veneer and say it's a click away. That's not how it works.

Sponsored by Pure Storage.

