Ransomware Defender Admin Guide

Eyeglass Ransomware Defender Admin Guide

Administration Guide



Abstract:

This guide covers configuration, setup and monitoring of Ransomware Defender.

August, 2017



Contents

1 Administration Guide
  1.1 Abstract
2 What's New
3 Chapter 1 - Introduction to this Guide
  3.1 Overview
  3.2 Supported Automated Actions
  3.3 Prerequisites, Requirements or limits
  3.4 Read this first
  3.5 Where to go for Support
4 Abbreviations
5 Installation Guide
6 Licensing
7 Planning and Design
  7.1 Overview
8 Securing Root user on Isilon
9 Ransomware Security Signal Events and Detection Overview
10 Ransomware - Signal Strengths - Summary Explanation
11 Ransomware - Signal Strengths - Detailed Explanation
12 Security Event Threat Detector Definitions
13 Threat Detection Signal Strengths in Eyeglass
  13.1 Example Signal Strength walk through
  13.2 Signal Strength Window Overview
  13.3 How to determine threat response settings to meet your Company's Risk Profile
  13.4 Threat Response Settings
    13.4.1 Automated Threat Responses Settings
    13.4.2 Recommended Threat Response Setting for Low Risk tolerance
    13.4.3 Recommended Threat Response Settings for Medium Risk tolerance
    13.4.4 Recommended Threat Response Settings for Medium-High Risk tolerance
14 How to Configure and Tune Ransomware Defender Threat Detection and Responses
  14.1 Threat Level Severity Definitions and Responses
  14.2 How to Enable "Monitor Only Mode" to baseline User Behaviours
  14.3 How to Tune Threat Detection Rates (Warning, Major and Critical)
  14.4 How to Enable/Disable Critical Event Detection
  14.5 Eyeglass Security Event Workflow and Operations
    14.5.1 Auto Archive Warning Security Events
    14.5.2 How to change the default Autoarchive timeout
  14.6 Threat Detector Threshold configuration
15 How to change Threat Detection Settings
  15.1 Ignored List
    15.1.1 Detected User Security Event Descriptions
    15.1.2 Security Event State Descriptions
    15.1.3 Security Event Possible Action Descriptions
    15.1.4 How to respond to Security Events for Warning, Major or Critical events
      15.1.4.1 Overview of Security Event Triage Process
      15.1.4.2 If Warning
      15.1.4.3 If Major
      15.1.4.4 If Critical
  15.2 Security Event Action State Descriptions
    15.2.1 Warning State
      15.2.1.1 Locked out User State (Critical Severity Threat Detection)
      15.2.1.2 Access Restored State
      15.2.1.3 Delayed Lockout state
      15.2.1.4 Acknowledged State
      15.2.1.5 Archived Event on Event History
  15.3 Rapid Machine to Machine Malware Spreading Attack Defense Overview
  15.4 Rapid Machine to Machine Malware Attack Auto Response Escalation Configuration
  15.5 False Positive Security Event Handling and Configuration Options
    15.5.1 Warning
    15.5.2 Major
    15.5.3 Critical
  15.6 Ignore List setting Procedures
16 Eyeglass User Lockout Active Directory Planning
  16.1 Scenario #1
  16.2 Scenario #2
17 Security Guard - Automated Security Testing
  17.1 Simulated Attack
  17.2 Pre-Requisites
  17.3 Security Guard Lockout Behavior
  17.4 Configuration
18 How to Run on Demand Security Guard Penetration test
19 How to Review Security Guard Penetration test history and logs
20 Data Recovery Manager Integration with Ransomware Defender
  20.1 Overview
  20.2 How to launch Data Recovery Manager Request From Ransomware defender action menu
    20.2.1 Prerequisites
    20.2.2 Procedures


What's New


1.9.3 offers an auto snapshot feature to protect paths and shares when Ransomware has affected a user workstation.  All shares the user has access to have a snapshot applied with a 48 hour expiry.  The feature can be enabled or disabled, and is enabled by default for all detection severities.  Requires a SnapshotIQ license on the cluster.  The full feature description for this release is available here.

1.9.2 has new supportability enhancements and a feature to disable the real-time Critical lockout action and use only the time delayed response for security events.  The full feature description for this release is available here.

Chapter 1 - Introduction to this Guide

Overview


This guide covers configuration, setup and monitoring of Ransomware Defender.  The solution is deployed as a 3 VM cluster that processes Isilon CEE audit events in an active-active design, so that detection keeps running through a hardware or software failure of one node.

The active defense solution monitors for malicious user behaviours consistent with Ransomware encryption of customer files.  SMB shares mounted on user workstations expose critical Isilon data to any malware running on those workstations.

Three levels of detection are possible, Warning, Major and Critical, with automated defense options escalating with the detection level.

Supported Automated Actions

  1. Timed lockout (Major) - a time delayed lockout of the user account that triggered the security event.  The lockout can be cancelled before the timer expires.

  2. Immediate lockout (Critical) - the user lockout begins in real time as soon as a Critical event is detected.

Prerequisites, Requirements or limits


  1. Eyeglass VM installed

  2. Cluster discovery licenses (per node or per cluster) that need to be managed by

  3. Ransomware feature license and a Ransomware agent license for all writeable clusters protected by Ransomware Defender

  4. A single host for the ECA (Eyeglass Clustered Agent) VMs, OR multiple hosts for higher availability (refer to the deployment topologies section of the installation guide)

  5. CPU limits applied to ECA cluster object in vCenter

  6. Hardware recommendation (see install guide)


Read this first


NOTE: It is assumed that all workstations and other entry points for Ransomware are running current anti-virus and anti-malware software.   Ransomware Defender is a second line of defense product.

Where to go for Support

https://support.superna.net

Abbreviations

  • CEE: Common Event Enabler - EMC specific event protocol (XML based) through which Isilon publishes file audit events.

  • ECA: Eyeglass Clustered Agent - the VM cluster that runs the entire Ransomware Defender detection stack, separate from the Eyeglass VM.  Eyeglass itself takes the response actions (lockout, snapshot, notification).



Installation Guide

The install guide covers ECA cluster installation and requirements.   See the guide here.


Licensing

Each writeable cluster requires an agent license and agent maintenance.  A cluster can be monitored by the ECA without a license when it is the cold or DR cluster.   The startup process automatically assigns licenses based on the following criteria.


Registered Isilon clusters licensed for Eyeglass DR qualify to be licensed with Ransomware Defender.  Licensing happens as part of the inventory data collection and config sync jobs.  A cluster is treated as writeable, and consumes a license, if any of these rules applies:


  1. The Isilon cluster has at least one enabled SyncIQ policy.

  2. The Isilon cluster has no enabled SyncIQ policies, no other cluster replicates to it, and it has shares or exports.

  3. The cluster has no enabled SyncIQ policy, is the target of a replication, and contains shares or exports not covered by the replication policy.


A system alarm is issued if insufficient licenses exist and more writeable clusters are detected in the CEE event messages.




Planning and Design

Overview

The Ransomware Defender solution for Isilon requires existing Eyeglass DR cluster licenses for each Isilon cluster plus an Eyeglass Clustered Agent license.

The Eyeglass Ransomware Defender solution is intended to be a last line of defense for critical NAS data stored on Isilon.  A best practice defense should also include anti-virus software on laptops and workstations, along with email gateway or network IDS solutions.

The intended use case for Ransomware Defender assumes malware has circumvented all existing defenses, leaving critical NAS data exposed to attack.

The traditional approach to security (shown in the diagram below, not reproduced in this text) relies on perimeter defenses whose primary purpose is to ensure malware never enters your network.

The Eyeglass solution builds a new security perimeter inside your network, with active defense against threats that have already got past the perimeter.




Securing Root user on Isilon


The root user should never be used to access data on Isilon.  This account is a high security risk because root has access to all shares even when access has not been explicitly granted to it.  A compromised machine accessing the cluster as root could read, and encrypt, all data on the cluster.


Eyeglass Ransomware Defender offers a mode, configured through the igls CLI, that disables the SMB protocol on the Isilon clusters managed by Eyeglass when a Ransomware event is detected for the root user.  This ensures the compromised machine does not destroy all data on all clusters.  See the Eyeglass CLI commands for Ransomware at the end of this guide for instructions to enable it.


The root user can NOT be locked out with a deny permission, which is why disabling the SMB protocol is the only way to protect the data.


NOTE: IF YOU USE RUN AS ROOT ON SHARES YOU ARE EXPOSING DATA TO VERY HIGH SECURITY RISK, SINCE NO LOCKOUT WILL BE POSSIBLE.  THE USER SID SENT WHEN AN AD USER ACCESSES DATA THROUGH A RUN-AS-ROOT SHARE IS THE ROOT USER, NOT THE ACTUAL AD USER.


We recommend NOT using run as root on shares for the reason above, and because it fails security audits of Isilon against common industry standards (PCI, HIPAA, FedRAMP, ITSG, etc.).  Remove the run as root option on all shares.


By default, the automated SMB-disable response is NOT enabled when the root user SID trips a threat detector.   Before enabling this mode, VERIFY that no run-as-root shares exist: on such a share every user's activity is attributed to root, so a detection on any one user would trip the root response and disable SMB for the whole cluster.


This can be done using the Eyeglass cluster configuration report:

  1. Log in to Eyeglass.

  2. Open the Reports on Demand icon.

  3. Select Create New Report.

  4. Wait until the report is finished by viewing Running Jobs.

  5. Select the Open/Print option for the finished report from Reports on Demand once Running Jobs shows the report creation is completed.

  6. Click Cancel on the Print dialog (if using Chrome).

  7. Press Control-F to search the page.

  8. Search for “run_as_root”.

  9. If any shares are found with this option set, remove it as described above.

  10. DO NOT ENABLE THE LOCK ROOT FEATURE while any run_as_root share remains.

Ransomware Security Signal Events and Detection Overview


Ransomware Defender is a per-user monitoring solution that operates at Isilon scale.  Each user's file activity is monitored individually for behaviours that match threat detection patterns.    This gives zero-day style detection: patterns of IO are detected and weighted without needing definition (signature) file based detection.

The weight is called “signal strength” and determines how Eyeglass will respond to the threat.  

Three threat levels are defined:

  1. Warning - no action taken; only an alarm email is sent to the administrator.

  2. Major - timed lockout of the user account, a configurable number of minutes after the event.

  3. Critical - immediate lockout of the user account.

Eyeglass Active Responses to Threats

  1. Lockout means a deny permission is applied on all shares the user has access to, across all managed Isilon clusters (not just the cluster where the event was detected).

  2. Snapshots of all shares the user can access are applied on detection as of release 1.9.3 (see What's New).  Further responses are planned (for example, stopping SyncIQ replication to preserve the DR copy of the data).



Ransomware - Signal Strengths - Summary Explanation


The Signal Strength is a number that represents the peak threat count per user for each Signal Strength Threshold level (warning, major, critical).  Each Signal Strength Threshold level has its own threshold crossing value and time period: the threshold must be crossed within that period before the event is treated as a security event of that level.

This can be viewed as a threat rate per minute.  Each time a threat event is received for a given user, three different threat/minute rates are evaluated for that user, one per level.   The rates calculated determine whether the user security response is warning, major or critical.  Each Signal Strength Threshold represents a different rate of threats.    Each new threat event for a user triggers another calculation using the Signal Strength Threshold rates and intervals.

If this calculation results in a warning state changing to major, then the response for that Signal Strength Threshold will be applied.   In this example, moving from warning to major will result in a lockout of the user according to the lockout timer set on the Settings tab.



The example is for illustration only; do not use these settings as shown without direction from support.   In the Settings tab the example maps onto three fields:
Signal Strength Threshold is the number of threats per minute.
Interval is the period over which the threats per minute is measured.
Upgrade to Major or Critical is the number of threats per minute over the Interval at which the event is upgraded to Major or Critical, and the response for that Signal Strength Threshold is applied.

Ransomware - Signal Strengths - Detailed Explanation


This section describes the Signal Strength calculation in Superna Eyeglass Ransomware Defender.


Security Event Threat Detector Definitions

  • File Event: a discrete CEE event published by Isilon’s CEE event stream based on a user action, for example open file, close file, write to file or read from file.

  • Threat Detectors: Logic used by Eyeglass Ransomware Defender to determine if a group of File Events is potentially associated with a Ransomware attack. There are multiple independent threat detectors used by Eyeglass Ransomware Defender during analysis that are assessed in parallel.

  • Signal: Occurrence of one or more File Events that have been flagged by one or more threat detectors as a potential Ransomware Event.

  • Signal Strength: For a given Signal, the number of threat detectors that were triggered. A higher Signal Strength has a higher probability of being a Ransomware Event.

  • Ransomware Event: A collection of signals whose combined Signal Strengths exceeds the user-set threshold in Eyeglass.


Threat Detection Signal Strengths in Eyeglass


Threat detection Signal Strength is a measure of the severity of a user's File Event behaviour.  The higher the count the higher the severity of the detection.  


The Signal Strength is displayed in the Eyeglass Ransomware Defender window Active Events or Event history tab.


The numbers represent the peak of warning, major and critical signal strengths that were recorded in the entire lifetime of the ransomware event.    In addition a list of shares by cluster and access zone is listed that have lockouts applied.




Example Signal Strength walk through



In the guide's diagram (not reproduced in this text), with the following settings:

  • WARNING: 1 event in 30 minutes

  • MAJOR: 5 events in 10 minutes

  • CRITICAL: 8 events in 5 minutes


we would expect a signal strength of “12 / 10 / 9”, since the peak signals over the whole event’s lifetime are found in the following intervals:




Also note that the blue line counts for 2, since two independent threat detectors contributed to that signal.
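As an added example (not code from the guide or from Superna), the following Python reproduces the peak-per-window calculation described in the Summary Explanation and in this walk-through: every signal carries a strength equal to the number of threat detectors that fired, the peak summed strength inside each severity's interval is recorded, and the highest severity whose threshold is crossed decides the response. The threshold values are the walk-through's illustrative settings. The timeline of signals is constructed for this example (it is not the guide's diagram, so it does not reproduce the 12 / 10 / 9 figure), and the inclusive window ending at each signal and the function names are assumptions, not a description of the ECA's internals.

```python
"""Sliding-window Signal Strength calculation, modelled on the guide's walk-through (added example)."""
from typing import Dict, List, Optional, Tuple

# (threshold in signals, window in minutes) per severity, the walk-through's
# illustrative values. They are NOT recommended production settings.
THRESHOLDS: Dict[str, Tuple[int, int]] = {
    "WARNING": (1, 30),
    "MAJOR": (5, 10),
    "CRITICAL": (8, 5),
}

# Severities in escalating order; the response applied is the highest one crossed.
SEVERITY_ORDER = ["WARNING", "MAJOR", "CRITICAL"]

# Constructed sample: (minute offset since the first signal, signal strength).
# A signal's strength is the number of threat detectors that flagged it, so the
# signal at minute 2 counts for 2 (two independent detectors fired on it).
SAMPLE_SIGNALS: List[Tuple[int, int]] = [
    (0, 1), (1, 1), (2, 2), (3, 1), (4, 1), (6, 1), (12, 1), (20, 1), (25, 1),
]


def peak_in_window(signals: List[Tuple[int, int]], window_minutes: int) -> int:
    """Peak summed signal strength inside any window of `window_minutes`.

    `signals` must be sorted by time. A window ending at each signal is
    evaluated, i.e. [t - window_minutes, t] inclusive (assumption), which
    mirrors 'each new threat event triggers another calculation'.
    """
    peak = 0
    start = 0       # index of the oldest signal still inside the window
    running = 0     # summed strength of signals[start:i+1]
    for i, (t, strength) in enumerate(signals):
        running += strength
        # Slide the left edge forward until every signal in the window is recent enough.
        while signals[start][0] < t - window_minutes:
            running -= signals[start][1]
            start += 1
        peak = max(peak, running)
    return peak


def evaluate_user(signals: List[Tuple[int, int]],
                  thresholds: Dict[str, Tuple[int, int]] = THRESHOLDS) -> Dict[str, object]:
    """Return the per-severity peaks and the highest severity whose threshold is crossed.

    The peaks are what the Eyeglass UI shows as "warning / major / critical"
    Signal Strength; the severity decides the automated response.
    """
    ordered = sorted(signals)
    peaks = {sev: peak_in_window(ordered, window) for sev, (_, window) in thresholds.items()}
    severity: Optional[str] = None
    for sev in SEVERITY_ORDER:
        threshold, _ = thresholds[sev]
        if peaks[sev] >= threshold:
            severity = sev   # keep walking: a higher severity overrides a lower one
    return {"peaks": peaks, "severity": severity}


if __name__ == "__main__":
    result = evaluate_user(SAMPLE_SIGNALS)
    p = result["peaks"]
    print(f'Signal strength {p["WARNING"]} / {p["MAJOR"]} / {p["CRITICAL"]} -> {result["severity"]}')
```

On the constructed timeline the peaks come out as 10 / 7 / 6, which crosses the Major threshold (5 in 10 minutes) but not the Critical one (8 in 5 minutes), so the timed lockout rather than the immediate lockout would be applied. Note that the Warning peak is the largest simply because its interval is the longest, which is why the three numbers in the UI are not directly comparable with each other.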


Signal Strength Window Overview

When clicking on the Signal Strength in Eyeglass, you can see the threat detectors that contributed to the event. Note that this is not broken down by severity, and represents the total of the Threat Detector types that were tripped throughout the lifetime of the event for this user security event.




Note that the sum of these values can be greater than the peak signal strengths described above, since it’s possible that the lifetime of the ransomware event is greater than the interval for the thresholds.

How to determine threat response settings to meet your Company’s Risk Profile


The Ransomware Defender product has several options to tune the detection and response to a Ransomware attack.  The more sensitive the detection the more likely a false positive can occur.  Threat response options are outlined below with business impact considerations for each option.  This section should be reviewed to determine how to configure the product in your environment.

Risk tolerance and business impact need to be assessed to determine the best settings for your environment.  The section below outlines the recommendations for each threat detection level.


Threat Level Severity: Warning
  Action: No action taken.  Email alert is sent.
  Snapshot Data Protection and Recovery: Enabled (all shares the user can access have a snapshot applied).
  Business Impact: No impact to applications or user access to data.  A snapshot is applied to protect the file system.

Threat Level Severity: Major
  Action: Timed lockout of user.  Email alert is sent.
  Snapshot Data Protection and Recovery: Enabled.
  Business Impact: Business applications or servers that write data and are not on the ignore list can be locked out.  Impact: application downtime until access is restored.  Recommendation: add such accounts to the ignore list.

Threat Level Severity: Critical
  Action: Immediate lockout of user.  Email alert is sent.
  Snapshot Data Protection and Recovery: Enabled.
  Business Impact: Application downtime until access is restored, with no wait time between detection and lockout for administrators to decide on an action.  Recommendation: add service accounts to the ignore list or disable Critical actions.


Threat Response Settings

Automated Threat Responses Settings:

  1. Critical severity - lockout of the user account is immediate.

  2. Major severity - a delayed lockout; the Grace Period sets by how many minutes the user account lockout is delayed.

  3. Auto snapshot of the file system at each share path on detection of ANY severity.


Recommended Threat Response Setting for Low Risk tolerance


  1. Monitor Only Mode enabled - email alerts only, no lockout at any severity.

Recommended Threat Response Settings for Medium Risk tolerance

NOTE: In this configuration files can be encrypted for up to the Grace Period value, but a snapshot protects the file system at the point of detection, allowing accelerated recovery of files.  The security event lists all affected files, from which a recovery list can be built.

  1. Uncheck “Critical on Mode” to disable immediate lockouts.

  2. Set the Major delayed lockout timer (Grace Period) to a value that allows an administrator to respond and decide whether the lockout should occur (for example 60 minutes).

  3. Enable “Create Snapshot” mode.



Recommended Threat Response Settings for Medium-High Risk tolerance


NOTE: In this configuration users are locked out immediately on a Critical detection, so the impact of a false positive is higher.

  1. Check “Critical on Mode” to enable immediate lockouts.

  2. Set the Major delayed lockout timer (Grace Period) to a value that allows an administrator to respond and decide whether the lockout should occur (for example 60 minutes).

  3. Enable “Create Snapshot” mode.







How to Configure and Tune Ransomware Defender Threat Detection and Responses


The detection of a Ransomware event will be contained strictly to the ECA nodes. Eyeglass will be responsible for taking action against the user's access to cluster data and notifying administrators. This section identifies the behaviours that the Eyeglass appliance takes when the ECA identifies a threat and how to configure settings that align to your company security policies or risk tolerance.


Threat Level Severity Definitions and Responses

There are three Signal Strength Threshold levels defined, and Eyeglass takes a different action for each:


  • WARNING - Eyeglass sends an email to notify any subscribed administrator(s) of the threat, but takes no direct action.

  • MAJOR - Eyeglass begins a “delayed lockout” procedure: it notifies the administrator(s) that a threat has been detected and that the user will be locked out after X minutes unless an admin logs in and explicitly cancels the action.  This grace period is configurable in the Eyeglass settings.

  • CRITICAL - The user lockout is immediate, and the administrator(s) are notified.


How to Enable “Monitor Only Mode” to baseline User Behaviours


Monitor Only Mode is used after installation to disable any actions for Major and Critical events and to baseline the environment.  It can also be used to quickly disable user lockouts if too many false positives are detected.

  1. Open the Ransomware Defender window.

  2. Select the Settings tab, check the “Monitor Only Mode” box and click Save.




How to Tune Threat Detection Rates (Warning, Major and Critical)


Monitor Only Mode is designed to observe user IO in an environment before going into production, so that threat detection and user behaviour can be reviewed before lockouts are enabled.  It can be enabled or disabled at any time.

Use Monitor Only Mode to identify service accounts or applications that write data at a high rate; these should be added to the ignore list so that their IO is filtered out from normal user data access before detection.


The setting is enabled from the Settings tab.  With Monitor Only Mode enabled, all events detected are treated as Warning and no lockout actions are taken.


The Statistics screen is used to monitor which user behaviours (threat detectors) are being triggered, and how often, to determine how to set the Warning, Major and Critical thresholds.

These statistics can be submitted to support.superna.net for recommended detection settings.


How to Enable/Disable Critical Event Detection


This option disables the immediate lockout action so that only the Major timed lockout is used; Critical detections are then handled with the time delayed response.  This is recommended when your risk tolerance requires that every lockout be reviewed by an administrator during the grace period of a Major severity detection.

  1. Open the Ransomware Defender window.

  2. Select the Settings tab.

  3. Leave “Monitor Only Mode” unchecked (if it is checked, all detections are treated as Warning and no lockout, timed or immediate, is applied).

  4. Uncheck “Critical on Mode” and click Save.

  5. Done.  To re-enable immediate lockouts, check “Critical on Mode” and save again.

Eyeglass Security Event Workflow and Operations


Under normal operation it is normal to see some user behaviours detected as Warnings in the Active Events window.  These events stay in the active monitoring state for a period of time (set in the Settings tab) so that the user's behaviour continues to be monitored for new threat detectors and detection rates that would promote the event to Major or Critical.    

If the user's activity continues to fire threat detectors at or below the Warning rate, the security event remains in the active monitoring state and is not auto archived.


Auto Archive Warning Security Events

This feature simplifies monitoring of low grade security events.  A Warning security event stays active as long as new threat detectors for this user continue to fire during the auto archive timeout period; if no new threat detectors fire for the user's security event within that period, the event is auto archived.   The Expires column in the Active Events window shows in how many hours or minutes each event will auto archive.


How to change the default Autoarchive timeout

Use this procedure to set the time period a Warning event stays visible in the Active Events window before it is archived to the History tab.  A longer period allows a user's behaviour to be tracked for longer.

  1. Open the Ransomware Defender window.

  2. Select the Settings tab.

  3. Change the auto archive timeout from the default of 3 hours to another value, in minutes, using the “Expiry (minutes)” field in the Warning section (for example 60 minutes).

  4. Save changes.


Detection and Response Configurable Settings

Threat Detector Threshold configuration

Eyeglass allows the administrator to configure the thresholds at which the various events take place.


  • Units are in Candidate Events per user per interval: i.e. the number of files that were affected by a single user, in a given time period.

  • Different thresholds are available for the WARNING, MAJOR, and CRITICAL severities.

  • The MAJOR severity also allows the specification of the Grace Period (the time between event detection and lockout).  Timed Lockout can be stopped with action menu on an active event.


The figure below shows the settings UI.



How to change Threat Detection Settings

  1. Open the Ransomware Defender icon.

  2. Click the Settings tab.

  3. Change the per-user event counts in “Upgrade to Major (events)” and “Upgrade to Critical (events)” to set when a security event is raised to Major or Critical severity.  

  4. The lower the number, the more sensitive the detection.  A larger number can avoid false positives, depending on the IO patterns in your Isilon environment.

  5. The Grace Period (minutes) sets how long a Major security event waits before locking out the user named in the event.  Best practice: set this to a value that ensures an administrator can review the event and decide whether the lockout should occur or be cancelled; it is the time available to review an event before the lockout occurs.

  6. NOTE: Consult support before making any changes.

Ignored List:


Eyeglass allows the administrator to specify paths, users, and client (source) IP addresses to exclude from ransomware processing.  The Ignore list is configured in the Ransomware Defender UI:

  1. Using the button next to each column title, the administrator can add new Paths (a full path is required, for example /ifs/data/xxx), Active Directory Users (domain\userid or user@domainname) and ignored client IP addresses in the Sources column.

  2. Sources can be specified in CIDR (ip/prefix) notation to ignore ranges.  Example: 10.0.0.0/8 ignores all IP addresses in the 10.x.x.x range.

  3. NOTE: the ignore columns are OR'ed: if ANY listed ignore value matches an audit message, the message is dropped before processing; the first matching entry drops the audit event.  An ignored user, path or subnet is therefore a blind spot for detection (a compromised host inside an ignored subnet is never evaluated), so limit the list to service accounts, backup hosts and paths whose high write rates are known and expected.
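The drop-before-processing semantics described above, as an added example in Python (not Superna's code): an audit event is dropped if its path, user or client IP matches any entry, the first matching column wins, and nothing dropped ever reaches the threat detectors. The sample audit events and the ignore list are constructed for the example; path matching by directory prefix and case-insensitive user comparison are assumptions about how the product matches, not documented behaviour.

```python
"""Ignore-list filtering of audit events: path OR user OR source subnet (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IgnoreList:
    paths: List[str] = field(default_factory=list)     # full paths, e.g. /ifs/data/backup
    users: List[str] = field(default_factory=list)     # DOMAIN\user or user@domain
    sources: List[str] = field(default_factory=list)   # single IPs or CIDR ranges

    def _networks(self):
        # strict=False so an entry like "10.0.0.1/8" is accepted as its network.
        return [ipaddress.ip_network(s, strict=False) for s in self.sources]

    def match(self, path: str, user: str, client_ip: str) -> Optional[str]:
        """Return the column that matched ('path', 'user' or 'source'), or None.

        Columns are OR'ed and checked in order; the first match drops the event.
        Path matching is by directory prefix (assumption) so an ignored directory
        covers everything under it but not a sibling with the same name prefix.
        User comparison is case-insensitive (assumption) because AD names are.
        """
        for p in self.paths:
            base = p.rstrip("/")
            if path == base or path.startswith(base + "/"):
                return "path"
        if user.lower() in {u.lower() for u in self.users}:
            return "user"
        addr = ipaddress.ip_address(client_ip)
        for net in self._networks():
            if addr in net:          # False, not an error, on IPv4/IPv6 mismatch
                return "source"
        return None


# Constructed sample audit events, reduced to the fields the ignore list needs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"path": "/ifs/data/users/alice/report.docx", "user": "CORP\\alice", "client": "192.168.5.20"},
    {"path": "/ifs/data/backup/daily.tar", "user": "CORP\\svc_backup", "client": "10.1.2.3"},
    {"path": "/ifs/data/users/bob/notes.txt", "user": "CORP\\bob", "client": "10.200.1.7"},
    {"path": "/ifs/data/users/carol/x.pdf", "user": "CORP\\svc_scan", "client": "172.16.0.9"},
    {"path": "/ifs/data/backup-old/y.zip", "user": "CORP\\dave", "client": "172.16.0.10"},
]

# Constructed ignore list: a backup path, a scanning service account, one corporate subnet.
DEMO_IGNORE = IgnoreList(
    paths=["/ifs/data/backup"],
    users=["corp\\svc_scan"],
    sources=["10.0.0.0/8"],
)


def filter_events(events: List[Dict[str, str]], ignore: IgnoreList
                  ) -> Tuple[List[Dict[str, str]], List[Tuple[Dict[str, str], str]]]:
    """Split events into (kept, dropped); each dropped event is paired with the column that matched."""
    kept: List[Dict[str, str]] = []
    dropped: List[Tuple[Dict[str, str], str]] = []
    for ev in events:
        why = ignore.match(ev["path"], ev["user"], ev["client"])
        if why:
            dropped.append((ev, why))   # never reaches the threat detectors
        else:
            kept.append(ev)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_events(SAMPLE_EVENTS, DEMO_IGNORE)
    for ev, why in dropped:
        print(f"dropped ({why}): {ev['user']} {ev['client']} {ev['path']}")
    for ev in kept:
        print(f"evaluated:      {ev['user']} {ev['client']} {ev['path']}")
```

Two things worth checking against your own list: the backup event is dropped on the path column even though its client is also inside 10.0.0.0/8, because the first matching column wins; and /ifs/data/backup-old is not covered by the /ifs/data/backup entry, so a sibling directory still gets evaluated.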




Detected User Security Event Descriptions


Once a user security event appears in Active Events, the following describes each column and the states of the security event.


  • State: Warning (the Warning threat rate threshold was crossed); Delayed Lockout (the Major threat rate threshold was crossed); Locked Out (the Critical threat rate threshold was crossed).

  • Severity: Warning, Major or Critical, the highest threat detector peak rate threshold crossed during this event.

  • Files: A count of files that tripped the threat detectors for this event.  Click to browse the file system path and see the location on disk the user was accessing.   Two tabs are shown: All Files lists the files the user was accessing within the last hour relative to when the event was detected; Affected Files lists the files that tripped the threat detectors.  All files should be inspected to verify integrity.

  • Signal Strengths: From left to right, the warning peak / major peak / critical peak threat rate (a file count per minute), i.e. the highest count seen for each severity configured in the Settings tab.  A higher number for a severity means more files were involved in the detection and therefore a higher security risk; when comparing two security events, higher numbers mean more files tripped the threat detectors.

  • User: The domain and user account of the affected user.

  • Detected: Date and time of the beginning of the security event.   The event stays listed until it is auto archived or updated to a resolved or unresolved status.

  • Protected Shares: Lists the cluster, share name and access zone of each share that had a lockout applied.  Expanding an entry displays the deny permission and the existing ACL applied to the share.

  • Snapshots: Lists the snapshot name, time and path protected by the data protection and recovery snapshot.  

  • Expires: The time remaining before the event is auto archived as unresolved.  Auto archive only applies to events detected as Warning; the event is monitored for this period and then archived as unresolved.  OR, if a timed lockout is active, the time remaining until the lockout occurs.

  • Clients: A popup link listing the source IP address of the client machine the user was logged into when the signal event was detected, which helps locate the client on routers and switches.     Multiple IPs are listed if the user is logged into more than one machine.

  • Actions: Click to bring up the security event history (all previous actions taken) and a menu of the actions available in the current state of the event.



Security Event State Descriptions


A Ransomware event in Eyeglass can be in one of the following states:  


  • WARNING: New Ransomware events with a WARNING severity initially have the WARNING state.

  • DELAYED_LOCKOUT: New Ransomware events with a MAJOR severity initially have the DELAYED_LOCKOUT state.  The user has not yet been locked out, but will be if the event is not acknowledged before the grace period elapses.

  • LOCKED_OUT: New Ransomware events with a CRITICAL severity initially have the LOCKED_OUT state.  MAJOR severity events that are not acknowledged before the grace period elapses also move to LOCKED_OUT.  WARNING severity events have the LOCKED_OUT state if the Administrator explicitly locks out the user.

  • ACKNOWLEDGED: A WARNING severity event can be acknowledged to indicate that the admin has seen the event and is monitoring the situation.  MAJOR severity events change to ACKNOWLEDGED when the admin intervenes before the grace period has elapsed.  CRITICAL severity events can never be ACKNOWLEDGED.

  • ACCESS_RESTORED: The Administrator has restored access to a locked out user.

  • SELF_RECOVERY: The Administrator has initiated a workflow for the user to recover the affected files.  See the Data Recovery section in this guide.

  • RECOVERED: The user file recovery process is complete.  RECOVERED events are not listed in the Active Events tab in Eyeglass; they are listed in the Event History tab.

  • UNRESOLVED: The Administrator has archived the event (or it was auto archived) without explicitly restoring access to the user.  UNRESOLVED events are not listed in the Active Events tab in Eyeglass; they are listed in the Event History tab.

  • ERROR: Eyeglass attempted to initiate an action on the Administrator’s behalf, but the action failed.


Security Event Possible Action Descriptions


The following actions are available to the Administrator at different stages of the Ransomware event lifecycle. The Required States column lists the state that the event must be in for the action to be available. Whenever an action is submitted, a new record is added to the event’s history.


Action: Comment
Required States: ANY
Result: Adds a comment to the event history.

Action: Acknowledge
Required States: WARNING
Result: Changes the event to ACKNOWLEDGED state.

Action: Stop Lockout Timer
Required States: DELAYED_LOCKOUT
Result: Changes the event to ACKNOWLEDGED state. Disables any countdown for the grace period on MAJOR severity events.

Action: Lockout
Required States: WARNING, DELAYED_LOCKOUT
Result: Initiates the procedure on Eyeglass to revoke access to the user's shares. Changes the event to the LOCKED_OUT state.

Action: Restore User Access
Required States: LOCKED_OUT
Result: Initiates the procedure on Eyeglass to restore access to any shares where access was revoked in the lockout step. Changes the event to ACCESS_RESTORED state.

Action: Initiate Self Recovery
Required States: ACKNOWLEDGED, ACCESS_RESTORED
Result: Launches the Eyeglass workflow to allow the user to recover all files associated with this event. This procedure puts the event into the RECOVERED state when it is complete. See the Data Recovery section in this guide.

Action: Mark as recovered
Required States: ACKNOWLEDGED, ACCESS_RESTORED, SELF_RECOVERY
Result: Allows the admin to manually mark an event as having been recovered. This can happen if the administrator manually restores files, or the user decides that they do not need the encrypted files.

Action: Archive as Unresolved
Required States: WARNING, ACKNOWLEDGED, LOCKED_OUT, ACCESS_RESTORED, SELF_RECOVERY, ERROR
Result: The administrator can archive an event in nearly any state. The event is put into event history and is no longer shown on the Active Events screen.

Action: Create Snapshot
Result: Manually applies a snapshot to the shares in the security event. Run this action if auto snapshot was disabled; it allows manual application of snapshots to shares.

Action: Delete Snapshot
Result: Manually deletes snapshots applied to the share paths in the security event. Run this action if snapshots were applied and you want to delete them manually BEFORE the auto expiry set on the snapshot.
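The two tables above define a small state machine. The following Python model is an added example written for this guide, not Eyeglass code: it encodes the initial state per severity, the Required States for each action, the state each action produces, and the two timers (the grace period on a MAJOR event and the Expires timer on a WARNING). The guide lists no Required States for Create Snapshot and Delete Snapshot, so the model assumes they are available in any state; the sample user names are constructed.

```python
"""Model of the Ransomware Defender security event lifecycle (added example,
not Eyeglass code): which actions each state permits, which state each action
produces, and what the grace-period and auto-archive timers do."""
from dataclasses import dataclass, field
from typing import List

# Event states from the "Security Event State Descriptions" table.
WARNING = "WARNING"
DELAYED_LOCKOUT = "DELAYED_LOCKOUT"
LOCKED_OUT = "LOCKED_OUT"
ACKNOWLEDGED = "ACKNOWLEDGED"
ACCESS_RESTORED = "ACCESS_RESTORED"
SELF_RECOVERY = "SELF_RECOVERY"
RECOVERED = "RECOVERED"
UNRESOLVED = "UNRESOLVED"
ERROR = "ERROR"
ANY = {WARNING, DELAYED_LOCKOUT, LOCKED_OUT, ACKNOWLEDGED, ACCESS_RESTORED,
       SELF_RECOVERY, RECOVERED, UNRESOLVED, ERROR}

# Initial state by detection severity.
INITIAL_STATE = {"WARNING": WARNING, "MAJOR": DELAYED_LOCKOUT, "CRITICAL": LOCKED_OUT}

# Action -> (required states, resulting state); None leaves the state unchanged.
# The guide lists no required states for Create/Delete Snapshot; ANY is assumed here.
ACTIONS = {
    "Comment": (ANY, None),
    "Acknowledge": ({WARNING}, ACKNOWLEDGED),
    "Stop Lockout Timer": ({DELAYED_LOCKOUT}, ACKNOWLEDGED),
    "Lockout": ({WARNING, DELAYED_LOCKOUT}, LOCKED_OUT),
    "Restore User Access": ({LOCKED_OUT}, ACCESS_RESTORED),
    "Initiate Self Recovery": ({ACKNOWLEDGED, ACCESS_RESTORED}, SELF_RECOVERY),
    "Mark as recovered": ({ACKNOWLEDGED, ACCESS_RESTORED, SELF_RECOVERY}, RECOVERED),
    "Archive as Unresolved": ({WARNING, ACKNOWLEDGED, LOCKED_OUT, ACCESS_RESTORED,
                               SELF_RECOVERY, ERROR}, UNRESOLVED),
    "Create Snapshot": (ANY, None),   # assumption, see above
    "Delete Snapshot": (ANY, None),   # assumption, see above
}


@dataclass
class SecurityEvent:
    user: str          # DOMAIN\user as shown in the Active Events tab
    severity: str      # WARNING, MAJOR or CRITICAL
    state: str = ""
    history: List[str] = field(default_factory=list)

    def __post_init__(self):
        self.state = INITIAL_STATE[self.severity]
        self.history.append(f"detected {self.severity} -> {self.state}")


def available_actions(event: SecurityEvent) -> List[str]:
    """Actions the Actions menu offers for the event's current state."""
    return [name for name, (required, _) in ACTIONS.items() if event.state in required]


def apply_action(event: SecurityEvent, action: str, succeeded: bool = True) -> str:
    """Submit an action; every submission adds a history record. A failed action
    puts the event in ERROR, from which it can still be archived."""
    required, new_state = ACTIONS[action]
    if event.state not in required:
        raise ValueError(f"{action!r} is not available in state {event.state}")
    if not succeeded:
        event.state = ERROR
    elif new_state is not None:
        event.state = new_state
    event.history.append(f"{action}: {'ok' if succeeded else 'failed'} -> {event.state}")
    return event.state


def timer_elapsed(event: SecurityEvent) -> str:
    """Grace period expiry locks out a MAJOR event; the Expires timer auto-archives
    a WARNING as unresolved. Other states carry no timer."""
    if event.state == DELAYED_LOCKOUT:
        event.state = LOCKED_OUT
    elif event.state == WARNING:
        event.state = UNRESOLVED
    event.history.append(f"timer elapsed -> {event.state}")
    return event.state


def self_recovery_complete(event: SecurityEvent) -> str:
    """The self recovery workflow moves the event to RECOVERED when it finishes."""
    if event.state != SELF_RECOVERY:
        raise ValueError(f"no self recovery in progress (state {event.state})")
    event.state = RECOVERED
    event.history.append(f"self recovery complete -> {event.state}")
    return event.state


def is_active(event: SecurityEvent) -> bool:
    """RECOVERED and UNRESOLVED events appear in Event History, not Active Events."""
    return event.state not in (RECOVERED, UNRESOLVED)


if __name__ == "__main__":
    ev = SecurityEvent("CORP\\alice", "MAJOR")  # constructed sample event
    for step in ("Lockout", "Restore User Access", "Initiate Self Recovery"):
        apply_action(ev, step)
    self_recovery_complete(ev)
    print("\n".join(ev.history))
```

Running the module walks a MAJOR event through lockout, restore and self recovery and prints its history; calling `apply_action` with an action the current state does not permit raises, which is the behaviour of the greyed-out menu entries in the UI.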





How to respond to Security Events for Warning, Major or Critical events


Overview of Security Event Triage Process


Upon a security event being detected, follow these steps to review the event and take action.


  1. Review the severity (Warning, Major or Critical).

    1. If Warning

      1. Review the list of affected files for the user account and IP address by selecting the link in the Files column.

      2. The file list view shows the files that triggered the security event and the last hour of files accessed by the user; review these for possible compromise or data recovery.

      3. If the affected files are the result of normal file operations and not a malicious event, the event can be marked as resolved with the Actions menu (see the Action Menu Security Event Actions table below).

      4. The security event is closed and moved to the Event History tab.

    2. If Major

      1. Review the affected files, user name and IP address to locate the user in AD and in your organization.

      2. Review the time-to-lockout timer in the Active Events tab, which is the time until the lockout will be issued.

        1. If you determine this is a false alarm by contacting the user and assessing the affected files, use the Action menu to Stop the Lockout Timer and then mark the security event as Resolved (see the Action Menu Security Event Actions table below).

      3. If you determine it is a malicious security event, you can accelerate the lockout timer by using the Action menu to select Lockout Now (see the Action Menu Security Event Actions table below).

      4. Recovery: re-image the machine or follow other recovery procedures that your policies require. Determine which files need to be recovered on the Isilon by selecting the Files option on the security event. From this screen you can download a CSV file of the trigger files AND the files from the last 1 hour of activity.

      5. Restore User Access: take this step after it has been determined that it is safe to restore access to the user. The Actions menu can be used to remove the lockout from the user account on all cluster shares the user had access to. Use the Actions menu Restore User Access action (see the Action Menu Security Event Actions table below).

      6. The security event will now be in the Restored state and can be archived to the Event History tab. Using the Actions menu, submit a Mark As Resolved action (see the Action Menu Security Event Actions table below).

      7. Done.

    3. If Critical

      1. The security event has a lockout applied immediately since it is a critical detection.

      2. Recovery: re-image the machine or follow other recovery procedures that your policies require. Determine which files need to be recovered on the Isilon by selecting the Files option on the security event. From this screen you can download a CSV file of the trigger files AND the files from the last 1 hour of activity.

      3. Restore User Access: after it has been determined that it is safe to restore access to the user, the Actions menu can be used to remove the lockout from the user account on all cluster shares the user had access to. Use the Actions menu Restore User Access action (see the Action Menu Security Event Actions table below).

      4. The security event will now be in the Restored state and can be archived to the Event History tab. Using the Actions menu, submit a Mark As Resolved action (see the Action Menu Security Event Actions table below).

      5. Done.




Security Event Action State Descriptions

Once a user security event appears in the active events tab the following operations are possible by clicking the Actions icon. Each state has several possible actions.  The table below describes the options available for each state of a security event.



State of Event

Possible Actions

Warning State

  1. Comment - Comment on the event to update the security response or assessment of the event. Comments can be viewed by other administrators that review the security event history.

  2. Archive as Unresolved - Moves the event to the History tab.

  3. Lockout - From the Warning state it's possible to lock out the user from the action menu. This applies a deny permission to all shares stored within the lockout event.

  4. Acknowledge - Moves the event to the Acknowledged state: an administrator has acknowledged this event but has not marked it as resolved. In this state the user is not locked out and no timed lockout is pending.

  5. Create Snapshot - Manually creates a snapshot on all share paths in the security event.

  6. Delete Snapshot - Manually deletes snapshots on all share paths in the security event.



Locked Out User State (Critical Severity Threat Detection)

  1. Comment - Comment on the event to update the security response or assessment of the event. Comments can be viewed by other administrators that review the security event history.

  2. Restore User Access - This reverses the lockout and grants access to the shares that were locked out. Review the lockout details for a full list of the shares and clusters the lockout was applied to.

    1. Once Restore User Access is launched, a restore access job starts (see the Running Jobs window) and access is restored in real time on the list of shares that were locked out.

    2. Verify the user has access.

    3. Verify a cluster share to confirm the restore access was successful.

  3. Archive as Unresolved - Leaves the lockout applied and moves the event to the History tab. Not recommended unless user access is permanently revoked.

  4. Create Snapshot - Manually creates a snapshot on all share paths in the security event.

  5. Delete Snapshot - Manually deletes snapshots on all share paths in the security event.


Access Restored State

  1. Mark as Recovered - This option allows archiving the security event to the History tab.

  2. Lockout - From the Access Restored state it's possible to lock out the user again from the action menu. This applies a deny permission to all shares stored within the lockout event.

  3. Initiate Self Recovery - This option only functions if the Cluster Storage Monitor add-on is purchased. It integrates with the Backup Recovery User portal to create secured shares on snapshots and DR data that allow the user to recover data from snapshots. The temporary shares have a time to live of 2 days by default, after which they are deleted. The shares are secured only to the user involved in the lockout. The data recovery request requires approval in the Data Recovery Manager icon. See the Data Recovery section in this guide. (If licensed)

  4. Comment - Comment on the event to update the security response or assessment of the event. Comments can be viewed by other administrators that review the security event history.

  5. Restore User Access - (Allows this job to be re-run in the event a share update failed.) This reverses the lockout and grants access to the shares that were locked out. Review the lockout details for a full list of the shares and clusters the lockout was applied to.

    1. Once Restore User Access is launched, a restore access job starts (see the Running Jobs window) and access is restored in real time on the list of shares that were locked out.

    2. Verify the user has access.

    3. Verify a cluster share to confirm the restore access was successful.

  6. Archive as Unresolved - Leaves the lockout applied and moves the event to the History tab. Not recommended unless user access is permanently revoked.

  7. Create Snapshot - Manually creates a snapshot on all share paths in the security event.

  8. Delete Snapshot - Manually deletes snapshots on all share paths in the security event.

Delayed Lockout State

  1. Lockout - From the Delayed Lockout state it's possible to lock out the user immediately from the action menu, without waiting for the timer. This applies a deny permission to all shares stored within the lockout event.

  2. Stop Lockout Timer - This option stops the timed lockout. Use it when investigation determines the user account should not be locked out. Run the Stop Lockout Timer option; the status changes to Acknowledged and no lockout will occur.

  3. Comment - Comment on the event to update the security response or assessment of the event. Comments can be viewed by other administrators that review the security event history.

  4. Create Snapshot - Manually creates a snapshot on all share paths in the security event.

  5. Delete Snapshot - Manually deletes snapshots on all share paths in the security event.


Acknowledged State

  1. Comment - Comment on the event to update the security response or assessment of the event. Comments can be viewed by other administrators that review the security event history.

  2. Archive as Unresolved - Leaves the lockout applied and moves the event to the History tab. Not recommended unless user access is permanently revoked.

  3. Initiate Self Recovery - This option only functions if the Cluster Storage Monitor add-on is purchased. It integrates with the Backup Recovery User portal to create secured shares on snapshots and DR data that allow the user to recover data from snapshots. The temporary shares have a time to live of 2 days by default, after which they are deleted. The shares are secured only to the user involved in the lockout. The data recovery request requires approval in the Data Recovery Manager icon. (If licensed)

  4. Mark as Recovered - This option allows archiving the security event to the History tab.

  5. Create Snapshot - Manually creates a snapshot on all share paths in the security event.

  6. Delete Snapshot - Manually deletes snapshots on all share paths in the security event.

Archived Event on Event History


  1. Comment on the event to update the security response or assessment of the event.  Can be viewed by other administrators that review the security event history.

  2. Create Snapshot -  Manual snapshot create on all share paths in the security event.

  3. Delete Snapshot - Manual snapshot delete on all share paths in the security event.








Rapid Machine to Machine Malware Spreading Attack Defense Overview


Ransomware Defender can use multiple cluster detections to elevate the automated response, based on the severity of the detections and the number of concurrent security events. Refer to the diagram below.






Rapid Machine to Machine Malware Attack Auto Response Escalation Configuration


This feature is designed to protect against a multi-user scenario where malware affects many machines in a short period of time, or is spreading from machine to machine. The goal in this scenario is to escalate the response automatically based on the number of concurrent events. The example below walks through how Warning → Major → Critical response escalation occurs based on the settings.


Best Practice: set the Warning to Major threshold to a higher number (for example 30) and the Major to Critical threshold to half of the Warning value (for example 15).

  1. The Upgrade to Major and Upgrade to Critical settings upgrade the severity to that level when the number of lower-severity detection events matches or exceeds the number entered.

  2. Example (A): if Upgrade Major is set to 8, then when 8 separate Warning events are detected they are auto upgraded to Major and the timed lockout is started.

  3. Example (B): if Upgrade Critical is set to 10, then when 10 separate Major events are detected they are auto upgraded to Critical and the immediate lockout response is activated.


False Positive Security Event Handling and Configuration Options


This section documents how to react to false positive security events.  


Warning

  1. A small number of occasional Warning events are detected: no action is needed, since no end user action is taken. Each warning survives for 8 hours by default, and each user file action is continuously monitored to determine whether the warning should be promoted to a Major or Critical event. Action: none; the events automatically expire after a typical working day and move to the Event History tab. This ensures a record of the event.

  2. A high number of Warning events: the thresholds for the threat detectors should be increased. Action: open a case with support (support.superna.net) to get recommended threat detector values to be changed on the Settings tab of the Ransomware Defender window. Support logs will be required.

    1. Disable the Critical On mode and verify that Enable Snapshots is enabled.

Major

  1. A small number of Major events: the user is locked out after the delay timer and it is determined the detection was false. If a user or application workflow is triggering a lockout, an ignore list entry is recommended.

    1. Verify snapshot mode is enabled (default).

    2. Follow the steps in “Ignore List setting Procedures”.

  2. A high number of Major events:

    1. Follow the steps in “Enabling Monitor Only Mode”.

    2. NOTE: In this release, existing locked out users will need to be restored using the Action menu and then archived using the Mark as Resolved action.

    3. Contact Support with support logs to get adjusted threat detector settings.

    4. Verify Enable Snapshots is enabled.

    5. Increase the delayed lockout timer (in minutes) to a value that gives you time to respond to alerts and issue a manual lockout.

Critical

  1. A small number of Critical events: same as Major. Add to the ignore list and save.

    1. Follow the steps in “Ignore List setting Procedures”.

  2. A high number of Critical events:

    1. Follow the steps in “Enabling Monitor Only Mode”. This quickly disables user actions in the event many users are detected and locked out.

    2. NOTE: In this release, existing locked out users will need to be restored using the Action menu and then archived using the Mark as Resolved action.

    3. Click Critical On Mode to disable it (unchecked). This disables immediate lockouts.

    4. Verify snapshot mode is enabled (default).

    5. Set the Major delayed lockout timer to a value (in minutes) that gives you time to respond to the alert and issue a manual lockout.

    6. Contact Support with support logs to get adjusted threat detector settings.



Ignore List setting Procedures


Follow the steps below to add ignore list entries for paths, users or server/client source IPs.


  1. Open the Ransomware Defender window.

  2. Select the Ignored List tab.

  3. Enter a path, an AD user as domain\userid, or a server or client IP address, and save.



Eyeglass User Lockout Active Directory Planning

The lockout process identifies all shares the user has access permissions on by searching all shares in all access zones on all clusters managed by Eyeglass. Each share in this list has a real-time deny permission added for the affected user.

A special case is handled for the “Everyone” well-known group; administrators should understand how it operates in multi-domain Active Directory configurations.

Two scenarios can exist with AD domains on Isilon clusters.  


Scenario #1:

  • The first is parent and child AD domains that are members of the same forest and a trust relationship exists.

Scenario #2:

  • The second scenario covers two domains that are not members of the same forest and no trust relationship exists between the domains


How the “Everyone” well-known group behaves when applied to a share in each scenario is shown below: a lockout permission is applied regardless of which domain the user is located in. This is required since Eyeglass has no way to know whether the domains trust each other. This ensures all Everyone shares are locked out, which is more secure than skipping some shares.

Reference the diagram below.



Security Guard - Automated Security Testing


Ransomware Defender monitors cluster IO for suspicious user behaviour. Under normal day-to-day conditions no actions are required, since alerts are sent in the event of a Warning, Major or Critical security event.

The Security Guard feature simulates a Ransomware attack on a daily basis to validate that all components are functioning, including alerting and lockout of user sessions. Once configured, administrators get daily confirmation that Ransomware Defender is actively monitoring and responding to Ransomware events.


This offers you the highest level of confidence that your environment is ready in the event a malicious virus is inside your network and finds shares whose data it can attack.


The feature creates a honeypot share named igls-honeypot in the System zone of each cluster managed by a Ransomware agent license key. The feature can simulate an attack on demand or on a scheduled interval.

Simulated Attack

  1. Creates share automatically secured to the service account.

  2. Share name igls-honeypot

  3. Creates test files using a well known extension to trigger a simulated attack response from Ransomware Defender Clustered agent

  4. Verifies the user lockout occurs by checking that files cannot be written to the share

  5. Initiates recovery of the user and verifies access to the share again

  6. Reports success and failure per step

  7. Emails administrator results


Pre-Requisites

  1. System zone must have an AD provider

  2. A user account created in Active Directory within the System zone AD provider. This user is not a special user in any way and should be a normal user account; the home directory does not matter.

  3. System zone must be enabled in the audit configuration on the Isilon cluster


Security Guard Lockout Behavior


  1. The user does not need to be added to any shares. The Security guard will create its own share in system zone called igls-honeypot and add the service account user to the share.

  2. If you add the service account user to other shares, only the igls-honeypot share will have files written during the execution of a simulated attack.

  3. Additional shares that have the service account added to the share permissions WILL have the service account access locked out during simulated attacks.



Configuration

  1. Open the Ransomware Defender window on the desktop and select the Security Guard tab.

Ransomware Defender Security Guard Configuration


  1. Active Directory User - Enter User Name (active directory service account) and Password from system zone authentication provider. Example domain\userid or user@domain.

  2. Settings:

    1. Enable Security Guard Tasks

    2. Interval Between Runs - Set interval to schedule simulated attacks

  3. Select check box of each cluster to simulate the attack

  4. Submit -  Saves settings

  5. Run Now -  Tests Security guard on demand.


How to Run on Demand Security Guard Penetration test


  1. Open the Ransomware Defender icon.

  2. Select the Security Guard tab.

  3. Select each licensed cluster to test.

  4. Select Run Now.

  5. Open the Jobs icon.

  6. Use the Running Jobs tab to monitor progress.



How to Review Security Guard Penetration test history and logs


  1. Open the Ransomware Defender window.

  2. Select the Security Guard tab.

  3. Select each licensed cluster to test.

  4. Select Run Now.

  5. Click the Open link to review the results.



Data Recovery Manager Integration with Ransomware Defender


Overview

This feature integrates the Data Recovery Manager feature that is part of the Cluster Storage Monitor add-on licensed product. It allows an end user to recover files that were compromised by a security event by triggering a data recovery job that is customized to the user's shares that stored the compromised files.


How to launch Data Recovery Manager Request From Ransomware defender action menu


Prerequisites


  1. Cluster Storage Monitor license key

  2. For detailed configuration and setup of Data Recovery Management portal and integration requirements review the Cluster Storage Monitor admin guide.

Procedures

  1. Initiate File Recovery: from the Actions menu of a security event, select Self Recovery.

  2. Complete Version Selection of share(s): when the Data Recovery Management window appears, it lists versions of the shares detected for this user. The versions are based on snapshots and DR copies of the listed share on the local or remote cluster. NOTE: You can select one or more shares to add to the request.

  3. After selecting the versions using the checkbox for each SmartConnect name (NOTE: each SmartConnect name and list of shares is a separate request; only select the shares that require data recovery requests), click the Request Access button.

    1. Enter the user's AD login using the syntax domain\userid (reference the security event UserID in the Ransomware Active Events tab).

      1. Enter the UPN AD login credentials.

      2. Enter the user's email address.

      3. Add a comment to be sent to the user's email and click Request.

  4. Monitor and Approve Pending Data Recovery Requests: the request has been submitted to the Data Recovery Management Pending Requests tab to be approved. (NOTE: Role based access allows a separate admin user to review and approve data recovery requests; consult the Cluster Storage Monitor documentation.)

    1. Approving Data Recovery: click the Approve icon to have the request processed and generate a temporary share secured to the user affected by the security event. This creates a temporary share on the selected version of the share(s) with a time to live of 2 days (default setting), and emails the user the UNC path to access the recovery share(s).

  5. Temporary Share: the share created has the naming syntax share name-UserID@domain name-# (where # is the number of the share created for this request).

    1. The share is created on a snapshot path and secured to the user in the request.

  6. User Access: the user can access the read-only version of the data on the temporary share to retrieve files that were compromised by the security event.

  7. NOTE: You can wait for the expiry of the recovery to auto delete the shares, or open the Data Recovery Management icon and select the Requests History tab.

  8. Click the Alarm Clock icon to complete the recovery before the expiry. This action deletes the temporary shares created for this user recovery.

  9. Recovery Process Completed.