Ransomware Defender Admin Guide

Eyeglass Ransomware Defender Admin Guide



Product Name - Superna Eyeglass Ransomware Defender


Abstract:

This guide covers configuration, setup and monitoring of Ransomware Defender.

Revision Changes to this Document - March, 2018


Contents

1 Product Name - Superna Eyeglass Ransomware Defender
  1.1 Abstract
  1.2 Revision Changes to this Document - March, 2018
2 Introduction to this Guide
  2.1 Overview
  2.2 Abbreviations
  2.3 Prerequisites, Requirements and Feature Limitations
    2.3.1 Prerequisite
    2.3.2 ECA Installation Requirement
    2.3.3 Licensing Requirement
    2.3.4 Additional Requirements
    2.3.5 Feature limitations
  2.4 Where to go for Support
3 Planning and Design
  3.1 Overview
  3.2 Automated Ransomware Defense Actions
  3.3 Securing Root user on Isilon
4 NFS Lockout Feature
5 File Extension Whitelist
6 How to login and Manage Ransomware Defender
  6.1 How to login
7 Ransomware Security Signal Events and Detection Overview
8 Ransomware - Signal Strengths - Summary Explanation
9 Ransomware - Signal Strengths - Detailed Explanation
  9.1 Security Event Threat Detector Definitions
  9.2 Threat Detection Signal Strengths in Eyeglass
  9.3 Example Signal Strength walk through
  9.4 Signal Strength Window Overview
10 How to determine threat response settings to meet your Company’s Risk Profile
  10.1 Threat Response Settings
    10.1.1 Automated Threat Responses Settings
    10.1.2 Recommended Threat Response Setting for Low Risk tolerance
    10.1.3 Recommended Threat Response Settings for Medium Risk tolerance
    10.1.4 Recommended Threat Response Settings for Medium-High Risk tolerance
11 How to Configure and Tune Ransomware Defender Threat Detection and Responses
  11.1 Severity Threat Level Severity Definitions and Responses
  11.2 How to Enable “Monitor Only Mode” to baseline User Behaviours
  11.3 How to Tune Threat Detection Rates (Warning, Major and Critical)
  11.4 How to Enable/Disable Critical Event Detection
  11.5 Eyeglass Security Event Workflow and Operations
    11.5.1 Auto Archive Warning Security Events
    11.5.2 How to change the default Auto Archive timeout
12 Detection and Response Configurable Settings
  12.1 Threat Detector Threshold configuration
  12.2 How to change Threat Detection Settings
  12.3 Ignored List
13 Security Event Descriptions
  13.1 Detected User Security Event Descriptions
  13.2 Security Event State Descriptions
  13.3 Security Event Possible Action Descriptions
14 How to respond to Security Events for Warning, Major or Critical Events
  14.1 Overview of Security Event Triage Process
    14.1.1 If Warning:
      14.1.1.1 If Major:
      14.1.1.2 If Critical:
  14.2 Security Event Action State Descriptions
    14.2.1 Warning State
      14.2.1.1 Locked out User State (Critical Severity Threat Detection)
      14.2.1.2 Access Restored State
      14.2.1.3 Delayed Lockout state
      14.2.1.4 Acknowledged State
      14.2.1.5 Archived Event on Event History
      14.2.1.6 Error State
15 Rapid Machine to Machine Malware Spreading Attack Defense
  15.1 Overview
  15.2 Rapid Machine to Machine Malware Attack Auto Response Escalation Configuration
16 False Positive Security Event Handling and Configuration Options
  16.1 How to teach Ransomware Defender about false positives
  16.2 How to manually configure per user Threat level settings with IGLS CLI
  16.3 Warning
  16.4 Major
  16.5 Critical
  16.6 Ignore List setting Procedures
17 Eyeglass User Lockout Active Directory Planning
  17.1 Scenario #1
  17.2 Scenario #2
18 Security Guard - Automated Security Testing
  18.1 Simulated Attack
  18.2 Prerequisites
  18.3 Security Guard Lockout Behavior
  18.4 Configuration
  18.5 Advanced Configuration
  18.6 How to Run on Demand Security Guard Penetration test
  18.7 How to Review Security Guard Penetration test history and logs
19 Data Recovery Manager Integration with Ransomware Defender
  19.1 Overview
  19.2 How to launch Data Recovery Manager Request From Ransomware Defender Action Menu
    19.2.1 Prerequisites
    19.2.2 Procedures

What's New

1.9.2 Has new supportability enhancements and a feature to disable real-time critical lockout action and use only time delayed response for security events.  Full feature description in this release is available here.

1.9.3 Offers an auto snapshot feature to protect paths and shares when any Ransomware has affected a user workstation.  All shares the user has access to have a snapshot applied with a 48 hour expiry.  This can be enabled or disabled, and is enabled by default for all detection severities.  Requires a SnapshotIQ license on the cluster. Full feature description in this release is available here.

1.9.5

  • ECA cluster now uses fluentd to collect logs and send them to Eyeglass over syslog on UDP port 5514; cluster startup enhanced to debug HDFS configuration and provide validation errors.

  • IGLS commands expanded for settings

  • Ability to set snapshot expiry default from 48 hours to another value with IGLS command

  • Ability to set security guard event timer to wait for events that are delayed by Isilon forwarding rates. IGLS command.

  • Ability to set security guard restore permissions timer to ensure restore permissions action has time to complete. IGLS command.

  • NFS host lockout supported (enabled with IGLS command, disabled by default).  This feature will remove the IP address from the client list(s) and re-save the export definition.

NOTE: DNS to IP resolution will not be done for client lists that use FQDNs.  The feature requires the client list to use IP addresses to successfully lock out.

    • Default disabled since this can lead to stale mounts for NFS hosts.

NOTE: Admin guide has all IGLS commands for all products.

1.9.6

  • Security guard delay IGLS command to delay how long Security guard waits for events to appear from the simulated attack.  This solution accommodates variation in CEE forwarding rates from the cluster to the ECA cluster.

2.0

  • Mark as false positive on security events allows AI teaching feature of user behaviours with per user behaviour learning

  • File extension whitelist feature to allow well known bad file extensions to be ignored if they are used in your organization (IGLS commands)

  • Builtin role and user for managing ransomware defender

Introduction to this Guide

Overview

This guide covers configuration, setup and monitoring of Ransomware Defender.  The solution is deployed as a 3 VM cluster that processes Isilon CEE audit files with an active-active design for maximum availability, to survive hardware or software failures.

The active defense solution monitors for malicious user behaviours consistent with Ransomware encryption techniques applied to customer files.  Network attached SMB mounts on user workstations expose Isilon critical data.

Three levels of detection are possible: Warning, Major and Critical, with automated defense options increasing with the detection level.

Abbreviations

  • CEE: Common Event Enabler - EMC Specific event protocol (xml based)

  • ECA: Ransomware Defender Application - the entire Ransomware defender stack that runs in a separate VM outside of Eyeglass.

  • ECA: Eyeglass Clustered Agent


Prerequisites, Requirements and Feature Limitations

Prerequisite

Read this first:

It is assumed that all workstations and other entry points for Ransomware are running current anti-virus and anti-malware software.   Ransomware Defender is a second line of defense product.

ECA Installation Requirement

The Superna Eyeglass Clustered Agent (ECA) vAPP is used by Ransomware Defender; therefore a single host for the ECA VMs, OR multiple hosts for a higher level of availability, is required (See the Eyeglass Clustered Agent vAPP Install Guide.)

Licensing Requirement

Registered Isilon clusters licensed for Eyeglass DR qualify to be licensed with Ransomware Defender. Each writeable cluster requires an agent license and agent maintenance. This licensing happens as part of the inventory data collection and config sync jobs. The startup process will automatically assign licenses. Isilon clusters are licensed based on these rules:

  1. The Isilon cluster has at least one enabled SyncIQ policy.

  2. The Isilon cluster has no enabled SyncIQ policies and no other cluster replicates to it and there are shares or exports.

  3. The cluster has no enabled SyncIQ policy and is the target of a replication and it contains shares and exports not covered by the replication policy.

A system alarm will be issued in the case of insufficient licenses, when more writeable clusters are detected in the CEE event messages than there are licenses for.

Note:  A cluster can be monitored by the ECA without a license when it's the cold or DR cluster.  


Additional Requirements

  1. Eyeglass VM installed

  2. Cluster discovery licenses (per node or per cluster) that need to be managed by

  3. Ransomware feature license and a Ransomware agent license for all writeable clusters protected by Ransomware Defender

  4. CPU limits applied to ECA cluster object in vCenter

  5. Hardware recommendation (see install guide)

Feature limitations

  1. SMB shares created with variable expansion will only support %U for snapshot creation

  2. NFS lockout is supported but disabled by default unless enabled with an IGLS command

  3. NFS lockout requires export client lists to use IP addresses to correctly lock out.

Where to go for Support

https://support.superna.net

Planning and Design

Overview

The Ransomware Defender solution for Isilon requires existing Eyeglass DR cluster licenses for each Isilon cluster plus an Eyeglass clustered agent license.

The Eyeglass Ransomware Defender solution is intended to be a last line of defense for critical NAS data stored on Isilon.  A best practice defense should include anti-virus software on laptops and workstations, along with email gateway or IDS network solutions.

The intended use case for Ransomware Defender assumes malware has circumvented all existing defenses leaving critical NAS data exposed to attack.

The diagram below shows the traditional approach to security with perimeter defenses with the primary purpose of ensuring malware never enters your network.

The Eyeglass solution builds a new security perimeter inside your network, with active defense to threats.





Automated Ransomware Defense Actions

  1. Warning - Send an alert (email, snmp, syslog), no enforcement taken

  2. Timed lockout (Major) - a time delayed lockout of the user account that triggered the security event.  The lockout can be stopped before the timer expires.

  3. Immediate lockout (Critical) - User lockout begins in real time once a critical event is detected

  4. Snapshot the file system (all severities) using SnapshotIQ on all affected share paths.



Securing Root user on Isilon

Root user should never be used to access data on Isilon.  The reason this user is a high security risk is because root has access to all shares even if access has not been granted to the root user.  This security risk could allow a compromised machine using the root user to access data and could encrypt all data on the cluster.

Eyeglass Ransomware Defender offers a mode, configured through the IGLS CLI, to disable the SMB protocol on the Isilon clusters managed by Eyeglass. This ensures that if a Ransomware event is detected, the compromised machine does not destroy all data on all clusters.  See the Eyeglass CLI command for Ransomware.

The root user can NOT be locked out with a deny permission which is why SMB protocol disable is the only way to protect data.

NOTE: IF YOU USE RUN AS ROOT ON SHARES YOU ARE EXPOSING DATA TO VERY HIGH SECURITY RISK SINCE NO LOCKOUT WILL BE POSSIBLE.  THIS IS BECAUSE THE USER SID THAT IS SENT WHEN AN AD USER ACCESSES DATA WITH RUN AS ROOT ENABLED IS THE ROOT USER NOT THE ACTUAL AD USER.


We recommend NOT using run as root on shares for the reason above, AND it fails all security audits of Isilon in all industry standards (PCI, HIPAA, FedRAMP, ITSG, etc.).  Remove the run as root option on all shares.

The default setting is to disable the SMB automated response on a cluster if the root user SID has tripped a threat detector.   To enable this mode, VERIFY that no run as root shares exist.

This can be done using the Eyeglass cluster configuration report:

  1. Login to Eyeglass

  2. Open the Reports on Demand icon

  3. Select Create New Report

  4. Wait until the report is finished by viewing Running Jobs

  5. Select the Open/Print option for the finished report from Reports on Demand after Running Jobs shows the report creation is completed.

  6. Click Cancel on the Print option (if using Chrome).

  7. Control-F to search the page

  8. Search for “run_as_root”

  9. If any shares are found with this option set, see below.

  10. DO NOT ENABLE LOCK ROOT FEATURE.

NFS Lockout Feature

This is now supported and enabled with an IGLS command.  Default is disabled.  Once enabled, the NFS source IP in the audit message is used to find exports that list this IP on a client list.   The IP is removed from the export and the export is re-saved.   This will lock out the NFS host mount.  NOTE: This can cause stale mount issues on the hosts.

See the Eyeglass Ransomware CLI section in this guide for configuration


File Extension Whitelist

Ransomware Defender maintains a dynamic list of well known bad file extensions that are suspicious.  This list is over 1000 extensions.   It is common for some applications or enterprises to use a file extension on this list.    This feature allows whitelisting an extension in use in your organization that would otherwise trigger security detections.

The whitelist is maintained with igls commands in the admin guide igls section.  The commands allow adding, listing and removing extensions from the list.



NOTE: The exact extension syntax to use must match this file exactly as found in this document.  You can search this document with a browser: https://storage.googleapis.com/rwdefender.superna.net/supernaRansomwareFilters.json


Example below (see the guide for all commands; note the single quotes):

igls rsw allowedfiles add --extensions='*.ext1'



How to login and Manage Ransomware Defender


A builtin role and user account exists to separate management of Ransomware settings and event monitoring.  See the RBAC guide for more details.

  1. rwdefend

    1. Assigned the builtin role Ransomware Defender with ability to manage and monitor Ransomware Defender product

    2. Default password 3y3gl4ss


How to login

  1. Login to Eyeglass appliance and enter either admin or rwdefend user with default password

  2. Click on Ransomware Defender Icon



Ransomware Security Signal Events and Detection Overview

Ransomware Defender is a per user monitoring solution that operates at Isilon scale.  This means each user's file activity is monitored individually for user behaviours that trigger threat detection patterns.    This builds a zero-day solution that identifies patterns of IO which are detected and weighted without needing definition file based detection.

The weight is called “signal strength” and determines how Eyeglass will respond to the threat.  

Three threat levels are defined:

  1. Warning - No action taken only alarm email sent to administrator

  2. Major - Timed lock of user account in minutes from event

  3. Critical - Immediate lockout of user account

Eyeglass Active Responses to Threats

  1. Lockout action means a deny permission on all shares the user has access to across all managed Isilon clusters (not just the cluster on which the event was detected)

  2. Create snapshots if suspicious events are seen, snapshotting all shares a user has access to.  This feature is enabled or disabled and applies to Warning, Major and Critical event types.

    1. It protects share paths with a uniquely named snapshot, one per share detected for the user, and defaults to a 48 hour expiry

    2. In a multi user infection scenario, this can protect the 2nd, 3rd etc. user’s data on group shares that were snapshotted by the first user's infection.  This offers maximum data protection.

    3. IGLS command available to change the default expiry on snapshots. See Eyeglass Ransomware defender CLI in this guide.



Ransomware - Signal Strengths - Summary Explanation

The Signal Strength is a number that represents the peak threat count per user per Signal Strength Threshold level (Warning, Major, Critical).  Each Signal Strength Threshold level has its own threat threshold crossing value and time period that the threshold must be crossed within before the event is treated as a security event.

This can be viewed as a threat rate per minute.  Each time a threat event is received for a given user, 3 different threat/minute rates are evaluated for that user.   The rate calculated determines whether the user security response is Warning, Major or Critical.  Each Signal Strength Threshold represents a different rate of threats.    Each new threat event for a user triggers another calculation using the Signal Strength Threshold rates and intervals.

If this calculation results in a Warning state changing to Major, then the response for that Signal Strength Threshold will be applied.   In this example, moving from Warning to Major will result in a lockout of the user according to the lockout timer set on the Settings tab.


The above example is for illustration only; the settings shown should not be used without direction from support.   Configuring detection as per the example above would look like the image below, where:
Signal Strength Threshold is the number of Threats per minute.
Interval is the period over which the threats per minute are measured.
Upgrade to Major or Critical is the number of Threats per minute over the Interval at which the event would be upgraded to Major or Critical, and the response for that Signal Strength Threshold would be applied.

[Screenshot: sample settings, example for illustration only]

Ransomware - Signal Strengths - Detailed Explanation

This section describes the Signal Strength calculation in Superna Eyeglass Ransomware Defender.

Security Event Threat Detector Definitions

  • File Event: a discrete CEE event published by Isilon’s CEE event stream based on a user action, for example open file, close file, write to or read from file.

  • Threat Detectors: Logic used by Eyeglass Ransomware Defender to determine if a group of File Events is potentially associated with a Ransomware attack. There are multiple independent threat detectors used by Eyeglass Ransomware Defender during analysis that are assessed in parallel.

  • Signal: Occurrence of one or more File Events that have been flagged by one or more threat detectors as a potential Ransomware Event.

  • Signal Strength: For a given Signal, the number of threat detectors that were triggered. A higher Signal Strength has a higher probability of being a Ransomware Event.

  • Ransomware Event: A collection of signals whose combined Signal Strengths exceeds the user-set threshold in Eyeglass.

Threat Detection Signal Strengths in Eyeglass

Threat detection Signal Strength is a measure of the severity of a user's File Event behaviour.  The higher the count the higher the severity of the detection.  

The Signal Strength is displayed in the Eyeglass Ransomware Defender window Active Events or Event history tab.


The numbers represent the peak of the Warning, Major and Critical signal strengths recorded over the entire lifetime of the Ransomware event.    In addition, the shares that have lockouts applied are listed by cluster and access zone.




Example Signal Strength walk through



In the above diagram, if we have the following settings:

  • WARNING: 1 event in 30 minutes

  • MAJOR: 5 events in 10 minutes

  • CRITICAL: 8 events in 5 minutes

We would expect a signal strength of “12 / 10 / 9”, since the peak signals in the whole event’s lifetime are found in the following intervals:




Also note that the blue line counts for 2, since there are two independent threat detectors that contributed to the event.

Signal Strength Window Overview

When clicking on the Signal Strength in Eyeglass, you can see the threat detectors that contributed to the event. Note that this is not broken down by severity, and represents the total of the Threat Detector types that were tripped throughout the lifetime of the event for this user security event.




Note that the sum of these values can be greater than the peak signal strengths described above, since it’s possible that the lifetime of the Ransomware event is greater than the interval for the thresholds.
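As an added illustration (not Superna's code), the following Python models the per-user rate evaluation described in the walk-through and in this section: each new signal is scored against the three thresholds over their trailing intervals, the per-level peaks give the "W / M / C" string shown in Active Events, and the lifetime detector totals show why their sum can exceed the peaks once the event outlives the intervals. The walk-through's settings (1 in 30, 5 in 10, 8 in 5 minutes) are used; the user name, detector names and timeline are constructed.

```python
"""Per-user Signal Strength evaluation modelled on this guide's three rate
thresholds (Warning / Major / Critical, each "N signals within an interval").
Added illustration only; not Superna's own code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Thresholds from the walk-through above: (signals, interval in minutes).
THRESHOLDS = {
    "WARNING": (1, 30),
    "MAJOR": (5, 10),
    "CRITICAL": (8, 5),
}
ORDER = ["WARNING", "MAJOR", "CRITICAL"]


@dataclass(frozen=True)
class Signal:
    """One file event that at least one threat detector flagged."""
    minute: float                 # offset from the first signal, in minutes
    detectors: FrozenSet[str]     # detectors that fired on this event


@dataclass
class UserSecurityEvent:
    user: str
    signals: List[Signal] = field(default_factory=list)
    # Peak Signal Strength seen per level over the event's lifetime.
    peak: Dict[str, int] = field(default_factory=lambda: {lvl: 0 for lvl in ORDER})
    severity: Optional[str] = None       # highest level reached so far

    def strength_in_window(self, end: float, interval: float) -> int:
        """Signal Strength over (end - interval, end]: every signal counts once
        per detector that fired, so a signal that trips two detectors counts 2."""
        return sum(len(s.detectors) for s in self.signals
                   if end - interval < s.minute <= end)

    def add(self, signal: Signal) -> Optional[str]:
        """Record a signal and re-evaluate all three rates, as the guide
        describes happening on every new threat event for the user."""
        self.signals.append(signal)
        for level in ORDER:
            threshold, interval = THRESHOLDS[level]
            strength = self.strength_in_window(signal.minute, interval)
            self.peak[level] = max(self.peak[level], strength)
            # Severity only ever escalates; a lower rate later never downgrades it.
            if strength >= threshold and (self.severity is None
                                          or ORDER.index(level) > ORDER.index(self.severity)):
                self.severity = level
        return self.severity

    def signal_strength(self) -> str:
        """The 'W / M / C' string shown in the Active Events window."""
        return "{} / {} / {}".format(*(self.peak[lvl] for lvl in ORDER))

    def detector_totals(self) -> Dict[str, int]:
        """Lifetime count per detector type (the Signal Strength window view)."""
        totals: Dict[str, int] = {}
        for s in self.signals:
            for d in s.detectors:
                totals[d] = totals.get(d, 0) + 1
        return totals


def run_walkthrough() -> UserSecurityEvent:
    """Constructed timeline for a hypothetical user: a slow run of renames,
    then a burst 40 minutes later that trips the Critical rate."""
    R, E = frozenset({"ext_rename"}), frozenset({"ext_rename", "entropy"})
    timeline = [(0, R), (1, R), (2, E), (3, R), (4, R), (6, E), (7, R), (8, R),
                (40, E), (41, E), (42, E), (43, E)]
    ev = UserSecurityEvent("corp\\alice")
    for minute, detectors in timeline:
        ev.add(Signal(minute, detectors))
    return ev


if __name__ == "__main__":
    ev = run_walkthrough()
    print(ev.severity, ev.signal_strength(), ev.detector_totals())
```

With this timeline the event reaches Warning at minute 0, Major at minute 3 and Critical at minute 43, the displayed strength is "10 / 10 / 8", and the detector totals (12 + 6) exceed every peak because the 30 minute Warning window never covers both runs at once.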

How to determine threat response settings to meet your Company’s Risk Profile

The Ransomware Defender product has several options to tune the detection and response to a Ransomware attack.  The more sensitive the detection the more likely a false positive can occur.  Threat response options are outlined below with business impact considerations for each option.  This section should be reviewed to determine how to configure the product in your environment.

Risk tolerance and business impact need to be assessed to determine the best settings for your environment.  The section below outlines the recommendations for each threat detection level.

The table columns are: Threat Level Severity, Action, Snapshot Data Protection and Recovery Enabled (all shares a user can access have a snapshot applied), and Business Impact.

Warning

  Action: No action taken. Email alert is sent.

  Snapshot Data Protection and Recovery: Enabled

  Business Impact: No impact to applications or user access to data.  Snapshot is applied to protect the file system.

Major

  Action: Timed lockout of user. Email alert is sent.

  Snapshot Data Protection and Recovery: Enabled

  Business Impact: Business applications or servers that write data and are not added to the ignore list can be locked out.

  Impact: application down time until restore access completed.

  Recommendation: add to ignore list.

Critical

  Action: Immediate lockout of user. Email alert is sent.

  Snapshot Data Protection and Recovery: Enabled

  Business Impact: application down time until restore access completed.  No wait time from detection to lockout for administrators to determine action.

  Recommendation: add to ignore list or disable Critical actions.


Threat Response Settings

Automated Threat Responses Settings

  1. Critical Severity - Lockout of the user account is immediate

  2. Major Severity - A delayed lockout Grace Period is set (user account lockout is delayed by X minutes)

  3. Auto Snapshot of the file system at the share path on detection of ANY severity

Recommended Threat Response Setting for Low Risk tolerance

Monitor Only Mode enabled - Email Alerts


Recommended Threat Response Settings for Medium Risk tolerance

NOTE: In this configuration files can be encrypted for up to the Grace Period value, but a snapshot has protected the file system at the point of detection, allowing for accelerated recovery of files.  The security event lists all affected files to build a recovery list of files.

  1. Uncheck “Critical on Mode” to disable immediate lockouts

  2. Set the Major delayed lockout timer (Grace Period) to a value that allows an administrator to respond and determine if lockout should occur (In the screenshot below the “Grace Period” is set to 60 Minutes)

  3. “Create Snapshot” mode enabled



Recommended Threat Response Settings for Medium-High Risk tolerance

NOTE: In this configuration users are locked out immediately; the risk of a false positive causing a lockout is higher.

  1. “Critical on Mode” checked to enable immediate lockouts.

  2. Set the Major delayed lockout timer “Grace Period” to a value that allows an administrator to respond and determine if lockout should occur. (In the screenshot below the “Grace Period” is set to 60 Minutes)

  3. “Create Snapshot” mode enabled.


How to Configure and Tune Ransomware Defender Threat Detection and Responses

The detection of a Ransomware event will be contained strictly to the ECA nodes. Eyeglass will be responsible for taking action against the user's access to cluster data and notifying administrators. This section identifies the behaviours that the Eyeglass appliance takes when the ECA identifies a threat and how to configure settings that align to your company security policies or risk tolerance.

Severity Threat Level Severity Definitions and Responses

There are three Signal Strength Threshold levels defined, and Eyeglass will take different action for each:

Threat Level / Eyeglass Action

WARNING: Eyeglass sends an email to notify any subscribed administrator(s) of the threat, but takes no direct action.

MAJOR: Eyeglass begins a “delayed lockout” procedure. It notifies the administrator(s) that a threat has been detected and that the user will be locked out after X minutes, unless the admin logs in and explicitly cancels the action.  This grace period is configurable in the Eyeglass settings.

CRITICAL: The user lockout is immediate, and the administrator(s) are notified.


How to Enable “Monitor Only Mode” to baseline User Behaviours

Monitor mode is used after installation to disable any actions for Major and Critical events and to baseline the environment.  It can also be used to quickly disable user actions if too many false positives are detected.

  1. Open Ransomware Defender window.

  2. Select Settings tab and click the “Monitor Only Mode” check box and click save. (See screenshot below)

How to Tune Threat Detection Rates (Warning, Major and Critical)

The Monitor Only Mode is a feature designed to monitor IO from users prior to production mode. This mode will monitor user behaviour and allow detection of threats before entering into production.  Monitor Only Mode can be enabled or disabled at any time.

Monitor Only Mode is used to identify service accounts or applications that are writing data at a high rate that should be added to the ignore list and filter out these applications from normal user data access.

The setting is enabled from the Settings tab.  With Monitor Only Mode enabled, all events detected are treated as Warning with no lockout actions. (See screenshot below)



The Statistics screen (see screenshot below) is used to monitor which user behaviours are being triggered to determine how to set detection for warning, major and critical settings.

These statistics can be submitted to support.superna.net to recommend settings for detection.

How to Enable/Disable Critical Event Detection

This option disables the immediate lockout action so that only the Major timed lockout option is used.  This is recommended when your risk tolerance requires that a user lockout be reviewed by an administrator, using the timed lockout feature on Major severity detections.

  1. Open Ransomware Defender window.

  2. Select Settings tab and click the “Monitor Only Mode” checkbox and click save.

  3. Select the checkbox “Critical on Mode” and click save

  4. Done.


Note: In this image, the Monitor Only Mode and Critical on Mode boxes should be checked, and Create Snapshot unchecked.

Eyeglass Security Event Workflow and Operations


Under normal working conditions it is normal to see some user behaviours detected as warnings in the Active Events window.  These events stay in the active monitoring state for a period of time (settable in the Settings tab) so that the user's behaviour continues to be monitored for new threat detectors and rates of detection that would promote the event to Major or Critical.

If the user's activity continues to fire threat detectors at or below the Warning rate, the security event will remain in Active monitoring state and will not be Auto Archived.

Auto Archive Warning Security Events

This feature simplifies monitoring of low grade security events.  Warning security events stay active as long as new threat detectors for this user continue to fire during the auto archive timeout period.  If no new threat detectors fire for this user’s security event, the event is auto archived.   The Expires column in the Active Events window can be used to monitor which events will auto archive in X hours or minutes.

How to change the default Auto Archive timeout

Use this procedure to set the time period a warning event will stay visible in the active event window before it's archived to the history tab.  A longer time period allows tracking a user's behavior for a longer time period.

  1. Open the Ransomware Defender window.

  2. Select the Settings tab

  3. Change the auto archive timeout from the default of 3 hours to another value in minutes.  See screenshot below (Ransomware Defender> Settings > Warning  > Expiry  (minutes) box).

  4. Save changes



Note: In the diagram above in the Warnings section the auto archive timeout has been changed to 60 minutes in the Expiry Box

Detection and Response Configurable Settings

Threat Detector Threshold configuration

Eyeglass Ransomware Defender allows the administrator to configure, in the Settings tab, the thresholds at which the various events take place.

  • Signal Strength Threshold units are in candidate events per user per interval: i.e. the number of files that were affected by a single user, in a given time period.

  • Different thresholds are available for the WARNING, MAJOR, and CRITICAL severities.

  • The MAJOR severity also allows the specification of the Grace Period (the time between event detection and lockout).  Timed Lockout can be stopped with action menu on an active event.

The figure below shows the settings UI.



How to change Threat Detection Settings

  1. Open Ransomware Icon

  2. Click Settings tab


Upgrade to Major (events)

This setting will advance an event from Warning to Major when the number of different users configured here each have an active Warning event, even though the Major Signal Strength Threshold has not been crossed.

For example, based on the above settings, if there were 8 Active Events at the Warning threshold for different users, those events would be advanced to Major severity even though the Signal Strength for any of those events had not met the 8 Signals in 5 minutes Major Threshold configuration.

Upgrade to Critical (events)

This setting will advance an event from Major to Critical when the number of different users configured here each have an active Major event, even though the Critical Signal Strength Threshold has not been crossed.

For example, based on the above settings, if there were 10 Active Events at the Major threshold for different users, those events would be advanced to Critical severity even though the Signal Strength for any of those events had not met the 5 Signals in 1 minute Critical Threshold configuration.

  1. The lower the Signal Strength Threshold, the more sensitive the detection will become.  Changing to a larger number can avoid false positives depending on IO patterns within your Isilon environment.

  2. The Grace Period (minutes) sets how long a Major security event detection will wait before locking out the user named in the security event.  Best practice: this should be set to a value that ensures an administrator can review the event and determine if the lockout should occur or be canceled.  It is the response window for reviewing an event before the lockout occurs.

  3. NOTE: Recommended to consult support before making any changes.

Ignored List

Eyeglass allows the administrator to specify paths, users, and client or server IP addresses to exclude from Ransomware processing. The Ignored List UI is shown below:

[Screenshot: Ignored List tab]

  1. Using the button next to the title, the administrator can add new Paths (the full path is required, for example /ifs/data/xxx), Active Directory Users (domain\userid or user@domainname) and ignored client IPs in the Sources column.

  2. Sources can be specified in ip/subnet notation to ignore ranges.  Example: 10.0.0.0/8 ignores all IP addresses in the 10.x range.

  3. NOTE: the ignore columns are combined with OR, meaning that if ANY of the listed ignore values is found in an audit message, the message is dropped before processing.  The first ignore list that matches drops the audit event.
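The matching rules above (full-path prefix, exact AD user, ip or ip/subnet source, columns OR'd and first match drops the event) are easy to get subtly wrong, so here is an added example that models them in Python. It is not Superna's code; the ignore values, the event field names (user, client_ip, path) and the sample audit events are constructed for illustration.

```python
"""Ignore list matching for audit events.

Added example (not Superna's code) modelling the Ignored List semantics from
this guide: paths, AD users and client/server source IPs are three OR'd
columns, and the first column that matches drops the audit event before any
threat processing. The ignore values and audit events below are constructed.
"""
import ipaddress

# Constructed ignore list values (assumptions, not from a real deployment).
IGNORED_PATHS = ["/ifs/data/backups"]                     # full path required
IGNORED_USERS = ["corp\\svc_backup", "etl@corp.example"]  # domain\userid or user@domain
IGNORED_SOURCES = ["10.0.0.0/8", "192.168.5.20"]          # ip or ip/subnet


def path_ignored(path, ignored=IGNORED_PATHS):
    """True if the file path is the ignored path or lies underneath it.

    Matching is on a directory boundary, so /ifs/data/backups2 is NOT
    covered by an ignore entry of /ifs/data/backups.
    """
    for prefix in ignored:
        prefix = prefix.rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def user_ignored(user, ignored=IGNORED_USERS):
    """Case-insensitive match of the audit user against the ignore list.

    The two accepted spellings (domain\\userid and user@domain) are matched
    literally; an entry in one form does not match the other form.
    """
    return user.lower() in {u.lower() for u in ignored}


def source_ignored(ip, ignored=IGNORED_SOURCES):
    """True if the client IP falls inside any ignored address or subnet."""
    addr = ipaddress.ip_address(ip)
    for entry in ignored:
        # A bare address becomes a /32 (or /128) network; strict=False keeps
        # entries such as 10.1.2.3/8 usable by masking the host bits.
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def first_matching_ignore(event):
    """Return the name of the first ignore column that matches, else None.

    The columns are evaluated in order and OR'd together: any single match
    is enough to drop the event.
    """
    if path_ignored(event["path"]):
        return "path"
    if user_ignored(event["user"]):
        return "user"
    if source_ignored(event["client_ip"]):
        return "source"
    return None


def filter_events(events):
    """Return only the audit events that survive the ignore list."""
    return [e for e in events if first_matching_ignore(e) is None]


# Constructed audit events in the shape the matcher expects.
SAMPLE_EVENTS = [
    {"user": "corp\\alice", "client_ip": "172.16.4.9", "path": "/ifs/data/finance/q1.xlsx"},
    {"user": "corp\\alice", "client_ip": "172.16.4.9", "path": "/ifs/data/backups/q1.xlsx"},
    {"user": "CORP\\svc_backup", "client_ip": "172.16.4.10", "path": "/ifs/data/hr/a.docx"},
    {"user": "corp\\bob", "client_ip": "10.20.30.40", "path": "/ifs/data/hr/b.docx"},
    {"user": "corp\\bob", "client_ip": "172.16.4.11", "path": "/ifs/data/backups2/c.docx"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(first_matching_ignore(e) or "keep", e)
```

The last sample event is the case to watch: a path that merely shares a string prefix with an ignored path is kept, and a broad subnet such as 10.0.0.0/8 silently removes every event from that range, so review ignore entries as carefully as detection thresholds.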

Security Event Descriptions

Detected User Security Event Descriptions

Once a user security event appears in the Active Events tab, the following table outlines the column definitions and describes each state of the security event.


Column Name: Description

State
  • Warning - Warning threat rate threshold crossed.
  • Delayed Lockout - Major threat rate threshold crossed.
  • Locked Out - Critical threat rate threshold crossed.

Severity
  • Warning - The threat detector peak rate threshold for the Warning level was crossed for this event.
  • Major - The threat detector peak rate threshold for the Major level was crossed for this event.
  • Critical - The threat detector peak rate threshold for the Critical level was crossed for this event.

Files
A count of files that tripped the threat detectors for this event.  Click to browse the file system path and see the location on disk that the user was accessing.
  • Two tabs are shown.  All Files lists the files the user was accessing within the last hour before the event was detected.
  • Affected Files lists the files that tripped the threat detectors.
  • All files should be inspected to verify integrity.

Signal Strengths
Each number, from left to right, is the warning peak / major peak / critical peak threat rate file count.  This is the highest count seen for each severity configured in the Settings tab.  The metric is a count per minute.  A higher number for a severity indicates a higher security risk detected for the user's behaviour, because more files were involved in the threat detection security event.  When comparing two security events, higher numbers mean more files tripped the threat detector.

User
The domain and user account of the affected user.

Detected
Date and time of the beginning of the security event.  The event stays in the list until it is auto archived or updated to Resolved or Unresolved status.

Protected Shares
Lists the cluster, share name and access zone of each share that had a lockout applied.  Expanding an entry displays the deny permission and the existing ACL applied to the share.

Snapshots
Lists the snapshot name, time and path protected by the data protection and recovery snapshot.

Expires
Shows the time remaining before the event is auto archived as Unresolved.  Auto archive applies only to events detected as Warning; the event is monitored for this period before being archived as Unresolved.

OR

If a timed lockout is active, the time remaining until the lockout occurs.

Clients
A popup link listing the source IP address of the client machine the user was logged into when the signal event was detected.  This assists in finding the client on routers and switches in the environment.  Multiple IPs can be listed if the user is logged into more than one machine.

Actions
Click to bring up the security event history, all previous actions taken, and a menu of the actions available depending on the state of the security event.


Security Event State Descriptions

A Ransomware event in Eyeglass can be in one of the following states:

State: Description

WARNING
New Ransomware events with a WARNING severity initially have a WARNING state.

DELAYED_LOCKOUT
New Ransomware events with a MAJOR severity initially have a DELAYED_LOCKOUT state.  This means the user has not yet been locked out, but will be if the event is not acknowledged.

LOCKED_OUT
New Ransomware events with a CRITICAL severity initially have a LOCKED_OUT state.  MAJOR severity events that are not acknowledged before the grace period elapses also have a LOCKED_OUT state.  WARNING severity events have a LOCKED_OUT state if the Administrator explicitly locks out the user.

ACKNOWLEDGED
A WARNING severity event can be acknowledged to indicate that the admin has seen the event and is monitoring the situation.  MAJOR severity events change to ACKNOWLEDGED when the admin intervenes before the grace period has elapsed.  CRITICAL severity events can never be ACKNOWLEDGED.

ACCESS_RESTORED
An event is in ACCESS_RESTORED state when the Administrator has restored access to a locked out user.

SELF_RECOVERY
An event is in SELF_RECOVERY state when the Administrator has initiated a workflow for the user to recover the affected files.  See the Data Recovery section in this guide.

RECOVERED
An event is in RECOVERED state when the user file recovery process is complete.  RECOVERED state events are not listed in the Active Events tab in Eyeglass; they are listed in the Event History tab.

UNRESOLVED
An event is in UNRESOLVED state when the Administrator has archived the event but has not explicitly restored access to the user.  UNRESOLVED state events are not listed in the Active Events tab in Eyeglass; they are listed in the Event History tab.

ERROR
An event is in ERROR state when Eyeglass has attempted to initiate an action on the Administrator's behalf, but that action has failed.

Security Event Possible Action Descriptions

The following actions are available to the Administrator at different stages of the Ransomware event lifecycle.  The required states listed with each action are the states the event must be in for the action to be available.  Whenever an action is submitted, a new record is added to the event's history.

Comment
  Required states: ANY
  Result: Adds a comment to the event history.

Acknowledge
  Required states: WARNING
  Result: Changes the event to ACKNOWLEDGED state.

Stop Lockout Timer
  Required states: DELAYED_LOCKOUT
  Result: Changes the event to ACKNOWLEDGED state and disables the grace period countdown on MAJOR severity events.

Lockout
  Required states: WARNING, DELAYED_LOCKOUT
  Result: Initiates the procedure on Eyeglass to revoke access to the user's shares.  Changes the event to LOCKED_OUT state.

Restore User Access
  Required states: LOCKED_OUT
  Result: Initiates the procedure on Eyeglass to restore access to any shares where access was revoked in the lockout step.  Changes the event to ACCESS_RESTORED state.

Initiate Self Recovery
  Required states: ACKNOWLEDGED, ACCESS_RESTORED
  Result: Launches the Eyeglass workflow that allows the user to recover all files associated with this event.  The event is put into the RECOVERED state when the procedure is complete.  See the Data Recovery section in this guide.

Mark as recovered
  Required states: ACKNOWLEDGED, ACCESS_RESTORED, SELF_RECOVERY
  Result: Allows the admin to manually mark an event as recovered, for example when the administrator restores files manually or the user decides the encrypted files are not needed.

Archive as Unresolved
  Required states: WARNING, ACKNOWLEDGED, LOCKED_OUT, ACCESS_RESTORED, SELF_RECOVERY, ERROR
  Result: The administrator can archive an event in nearly any state.  The event is moved to the event history and is no longer shown on the Active Events screen.

Create Snapshot
  Result: Manually applies a snapshot to the shares in the security event.  Run this action if auto snapshot was disabled.

Delete Snapshot
  Result: Manually deletes the snapshots applied to the share paths in the security event.  Run this action if snapshots were applied and you want to delete them manually BEFORE the auto expiry set on the snapshot.





How to respond to Security Events for Warning, Major or Critical Events

Overview of Security Event Triage Process

Upon a security event being detected, follow the steps below to review it and take action.

  1. Review the severity (Warning, Major or Critical).

    1. If Warning:

      1. Review the list of affected files for the user account and IP address by selecting the link in the Files column.

      2. The file list view shows the files that triggered the security event.  The last hour of files accessed by the user is also shown and should be reviewed for possible compromise or data recovery.

      3. If the affected files are the result of normal file operations and not a malicious event, the event can be marked as resolved with the Actions menu (see the Security Event Action State Descriptions section below).

      4. The security event is closed and moved to the Event History tab.

    2. If Major:

      1. Review the affected files, user name and IP address to locate the user in AD and in your organization.

      2. Review the time-to-lockout timer in the Active Events tab; this is the time until the lockout will be issued.

        1. If you determine this is a false alarm, by contacting the user and assessing the affected files, use the Actions menu to Stop the Lockout Timer and then mark the security event as Resolved (see the Security Event Action State Descriptions section below).

      3. If you determine it is a malicious security event, you can accelerate the lockout timer by selecting Lockout Now from the Actions menu (see the Security Event Action State Descriptions section below).

      4. Recovery: Re-image the machine or follow the other recovery procedures your policies require.  Determine which files are to be recovered on Isilon by selecting the Files option on the security event.  From this screen you can download a CSV file of the trigger files AND the files from the last 1 hour of activity.

      5. Restore User Access: Take this step after it has been determined that it is safe to restore access to the user.  The Actions menu can be used to remove the user account lockout from all cluster shares to which that user had access; select Restore User Access (see the Security Event Action State Descriptions section below).

      6. The security event will now be in the Restored state and can be archived to the Event History tab.  Using the Actions menu, submit a Mark As Resolved action (see the Security Event Action State Descriptions section below).

      7. Done.

    3. If Critical:

      1. The security event has a lockout applied immediately, since it is a critical detection.

      2. Recovery: Re-image the machine or follow the other recovery procedures your policies require.  Determine which files are to be recovered on Isilon by selecting the Files option on the security event.  From this screen you can download a CSV file of the trigger files AND the files from the last 1 hour of activity.

      3. Restore User Access: After it has been determined that it is safe to restore access to the user, the Actions menu can be used to remove the user account lockout from all cluster shares to which that user had access; select Restore User Access (see the Security Event Action State Descriptions section below).

      4. The security event will now be in the Restored state and can be archived to the Event History tab.  Using the Actions menu, submit a Mark As Recovered action (see the Security Event Action State Descriptions section below).

      5. Done.

Security Event Action State Descriptions

Once a user security event appears in the Active Events tab, the following operations are possible by clicking the Actions icon.  Each state has several possible actions.  The table below describes the options available for each state of a security event.

State of Event

Possible Actions

Warning State

  1. Comment - Comment on the event to update the security response or assessment of the event.  Comments can be viewed by other administrators that review the security event history.

  2. Archive as Unresolved - Moves the event to the History tab.

  3. Lockout - Locks out the user from the Actions menu.  This applies a deny permission to all shares stored within the lockout event.

  4. Acknowledged State - An administrator has acknowledged this event but has not marked it as resolved.  In this state the user is not locked out and is not in a timed lockout state.

  5. Create Snapshot - Creates a manual snapshot on all share paths in the security event.

  6. Delete Snapshot - Deletes the manual snapshot on all share paths in the security event.

Locked out User State (Critical Severity Threat Detection)

  1. Comment - Comment on the event to update the security response or assessment of the event.  Comments can be viewed by other administrators that review the security event history.

  2. Restore User Access - Reverses the lockout and grants access to the shares that were locked out.  Review the lockout details for a full list of the shares and clusters the lockout was applied to.

    1. Once Restore User Access is launched, a restore access job starts (Running Jobs window) and access is restored in real time to the shares that were locked out.

    2. Verify that the user has access.

    3. Verify a cluster share to confirm that the restore access was successful.

  3. Archive as Unresolved - Leaves the lockout applied and moves the event to the History tab.  Not recommended unless the user's access is permanently revoked.

  4. Create Snapshot - Creates a manual snapshot on all share paths in the security event.

  5. Delete Snapshot - Deletes the manual snapshot on all share paths in the security event.

Access Restored State

  1. Mark as Recovered - Archives the security event to the History tab.

  2. Lockout - From the Access Restored state it is possible to lock out the user again from the Actions menu.  This applies a deny permission to all shares stored within the lockout event.

  3. Initiate Self Recovery - This option only functions if the Cluster Storage Monitor addon is purchased.  It integrates with the Backup Recovery User portal to create secured shares to snapshots and DR data that allow the user to recover data from snapshots.  The temporary shares have a time to live of 2 days by default, after which they are deleted.  The shares are secured only to the user involved in the lockout.  The data recovery request requires approval in the Data Recovery Manager icon.  See the Data Recovery section in this guide.  (If licensed)

  4. Comment - Comment on the event to update the security response or assessment of the event.  Comments can be viewed by other administrators that review the security event history.

  5. Restore User Access - (Allows this job to be re-run in the event a share or update failed.)  Reverses the lockout and grants access to the shares that were locked out.  Review the lockout details for a full list of the shares and clusters the lockout was applied to.

    1. Once Restore User Access is launched, a restore access job starts (Running Jobs window) and access is restored in real time to the shares that were locked out.

    2. Verify that the user has access.

    3. Verify a cluster share to confirm that the restore access was successful.

  6. Archive as Unresolved - Leaves the lockout applied and moves the event to the History tab.  Not recommended unless the user's access is permanently revoked.

  7. Create Snapshot - Creates a manual snapshot on all share paths in the security event.

  8. Delete Snapshot - Deletes the manual snapshot on all share paths in the security event.

Delayed Lockout state

  1. Lockout - Locks out the user immediately from the Actions menu, without waiting for the timer.  This applies a deny permission to all shares stored within the lockout event.

  2. Stop Lockout Timer - Stops the timed lockout.  Use this when investigation determines that the user account should not be locked out.

  3. The status changes to Acknowledged and the lockout does not proceed.

  4. Comment - Comment on the event to update the security response or assessment of the event.  Comments can be viewed by other administrators that review the security event history.

  5. Create Snapshot - Creates a manual snapshot on all share paths in the security event.

  6. Delete Snapshot - Deletes the manual snapshot on all share paths in the security event.

Acknowledged State

  1. Comment - Comment on the event to update the security response or assessment of the event.  Comments can be viewed by other administrators that review the security event history.

  2. Archive as Unresolved - Leaves the lockout applied and moves the event to the History tab.  Not recommended unless the user's access is permanently revoked.

  3. Initiate Self Recovery - This option only functions if the Cluster Storage Monitor addon is purchased.  It integrates with the Backup Recovery User portal to create secured shares to snapshots and DR data that allow the user to recover data from snapshots.  The temporary shares have a time to live of 2 days by default, after which they are deleted.  The shares are secured only to the user involved in the lockout.  The data recovery request requires approval in the Data Recovery Manager icon.  (If licensed)

  4. Mark as Recovered - Archives the security event to the History tab.

  5. Create Snapshot - Creates a manual snapshot on all share paths in the security event.

  6. Delete Snapshot - Deletes the manual snapshot on all share paths in the security event.

Archived Event on Event History

  1. Comment - Comment on the event to update the security response or assessment of the event.  Comments can be viewed by other administrators that review the security event history.

  2. Create Snapshot - Creates a manual snapshot on all share paths in the security event.

  3. Delete Snapshot - Deletes the manual snapshot on all share paths in the security event.


Error State

  1. Open the Actions menu to see the Event Action History.  Here you will see which shares had an issue during Lockout or Restore, and the reason.

  2. Lockout - If the Lockout error is related to an AEC_CONFLICT, select the Lockout action again to re-attempt the Lockout.

  3. Restore - If the Restore error is related to an AEC_CONFLICT, select the Restore action again to re-attempt the Restore.



Rapid Machine to Machine Malware Spreading Attack Defense

Overview

Ransomware Defender can use detections across multiple clusters to elevate the automated response, based on the severity of the detections and the number of concurrent security events.  Refer to the diagram below:


Rapid Machine to Machine Malware Attack Auto Response Escalation Configuration

This feature is designed to protect against a multi user scenario where malware affects many machines in a short period of time, spreading from machine to machine.  The goal in this scenario is to escalate the response automatically based on the number of concurrent events.  The example below walks through how the warning → major → critical response escalation occurs based on the settings.

Best Practice: Set Upgrade to Major to a higher number, for example 30, and Upgrade to Critical to half of that, for example 15.

  1. Upgrade to Major (events) and Upgrade to Critical (events) upgrade the severity to that level when the number of lower severity detection events matches or exceeds the number entered.

  2. Example (A): if Upgrade to Major (events) is set to 8, then when 8 separate Warning events are detected the response is auto upgraded to Major and the timed lockout is started.  (See screenshot below)

  3. Example (B): if Upgrade to Critical (events) is set to 10, then when 10 separate Major events are detected the response is auto upgraded to Critical and an immediate lockout is activated.  (See screenshot below)

[Screenshot: Settings tab with Upgrade to Major (events) and Upgrade to Critical (events)]
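Both escalation paths described in this guide, the per-user signal rate thresholds from the Threat Detection Settings section (Major = 8 signals in 5 minutes, Critical = 5 signals in 1 minute) and the concurrent-event upgrades above (8 Warning events → Major, 10 Major events → Critical), are modelled in the following added example.  It is not Superna's code or the product's algorithm, only a model of the behaviour the settings describe; the Warning threshold of 3 signals in 5 minutes and the user names in the constructed signal feed are assumptions.

```python
"""Severity escalation model for Ransomware Defender settings.

Added example, not Superna's code or the product's algorithm. It models the
two mechanisms described in this guide: per-user signal-rate thresholds
(Major = 8 signals in 5 minutes, Critical = 5 signals in 1 minute, from the
settings shown in the guide) and the concurrent-event upgrades (Upgrade to
Major = 8 Warning events, Upgrade to Critical = 10 Major events). The
Warning threshold of 3 signals in 5 minutes is an assumed value.
"""
from collections import defaultdict

# (signals, window_seconds) per severity
THRESHOLDS = {
    "WARNING": (3, 300),    # assumed for this example
    "MAJOR": (8, 300),      # 8 signals in 5 minutes (settings in the guide)
    "CRITICAL": (5, 60),    # 5 signals in 1 minute (settings in the guide)
}
UPGRADE_TO_MAJOR_EVENTS = 8      # concurrent Warning events -> all become Major
UPGRADE_TO_CRITICAL_EVENTS = 10  # concurrent Major events -> all become Critical


def peak_in_window(times, window):
    """Largest number of signals inside any sliding window of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def rate_severity(times):
    """Severity from the user's own signal rate (highest threshold crossed).

    Critical is checked last so that 5 signals in 1 minute wins even when
    the 8-in-5-minutes Major threshold was not reached.
    """
    severity = None
    for name in ("WARNING", "MAJOR", "CRITICAL"):
        count, window = THRESHOLDS[name]
        if peak_in_window(times, window) >= count:
            severity = name
    return severity


def escalate(signals):
    """signals: iterable of (user, unix_time). Returns {user: severity}.

    Step 1 rates each user on their own signals. Step 2 applies the
    concurrent-event upgrades: enough users at Warning promotes every Warning
    event to Major (starting the timed lockout), and enough users at Major
    promotes every Major event to Critical (immediate lockout).
    """
    per_user = defaultdict(list)
    for user, t in signals:
        per_user[user].append(t)
    sev = {}
    for user, times in per_user.items():
        s = rate_severity(times)
        if s:
            sev[user] = s
    if sum(s == "WARNING" for s in sev.values()) >= UPGRADE_TO_MAJOR_EVENTS:
        sev = {u: ("MAJOR" if s == "WARNING" else s) for u, s in sev.items()}
    if sum(s == "MAJOR" for s in sev.values()) >= UPGRADE_TO_CRITICAL_EVENTS:
        sev = {u: ("CRITICAL" if s == "MAJOR" else s) for u, s in sev.items()}
    return sev


def spread_attack(n_users, per_user_times):
    """Constructed signal feed: n_users each producing the same timestamps."""
    return [(f"corp\\user{i}", t) for i in range(n_users) for t in per_user_times]


if __name__ == "__main__":
    # Example (A): 8 users each at Warning rate -> every event becomes Major.
    print(escalate(spread_attack(8, [0, 100, 200])))
    # Example (B): 10 users each at Major rate -> every event becomes Critical.
    print(escalate(spread_attack(10, list(range(0, 240, 30)))))
```

The model makes the tuning trade-off visible: lowering UPGRADE_TO_MAJOR_EVENTS makes a handful of unrelated Warning events start timed lockouts for everyone involved, which is why the best practice above sets it to a higher number and the Critical upgrade to about half of it.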

False Positive Security Event Handling and Configuration Options

This section documents how to react to false positive security events.  New in 2.0 and later releases is the ability to teach the system which user behaviours are deemed normal.

This is done using the Mark as False Positive feature on an active security event.


How to teach Ransomware Defender about false positives


  1. It is recommended to enable Monitor mode (Settings tab) so that user behaviours can be detected.

  2. On any security event found, click the Signal Strength column indicator.

    1. For any event other than one from threat detector 6 (Security Guard) or type 7, open the Actions menu, select the False Positive action and submit.

    2. Mark the event as recovered only if in Monitor mode.

      1. NOTE: If not in Monitor mode, triage the security event and restore the user's permissions if the status is Locked Out.  Then mark as resolved.

    3. This stores a per user rule that is 10% higher than what the event detection recorded.

    4. If this does not resolve the user behaviour, repeat the false positive flagging of events until the user no longer appears as an active security event.


How to manually configure per user Threat level settings with IGLS CLI


IGLS commands exist to add and delete per user threat level override settings without waiting for a security event to teach.

Enter commands to create unique settings per user.  This avoids the need for whitelisting users and can customize the settings per user.  These settings are downloaded to the ECA cluster and processed in real-time once set as events flow through the cluster.

igls rsw useroverride set --user=testuser1@ad1.test --tdid=07 --parameter=X --multiplier=3.5

igls rsw useroverride delete --user=testuser1@ad1.test --tdid=07

igls rsw useroverride get

See Admin guide for complete documentation on the CLI commands



Warning

  1. If a small number of occasional Warning events are detected, no action is needed, since no end user action is taken.  Each Warning survives for a default of 8 hours, and each user file action is continuously monitored to determine whether the Warning should be promoted to a Major or Critical event.

Actions: No action is needed; the events automatically expire after a typical working day and are moved to the Event History tab.  This ensures a record of the event.

  2. If a high number of Warning events are detected, the thresholds for the threat detectors should be increased.

Action: Open a case with support (support.superna.net) to get recommended threat detector values to change on the Settings tab of the Ransomware Defender window.  Support logs will be required.

    1. Disable Critical on Mode and enable Create Snapshots.

Major

  1. Small number of Major events: the user is locked out after the delay timer and it is determined that the detection was false.  If a user or application workflow is triggering a lockout, an ignore list entry is recommended.

    1. Verify that snapshot mode is enabled (default).

    2. Follow the steps in "Ignore List setting Procedures".

  2. High number of Major events:

    1. Follow the steps in "Enabling Monitor only Mode".

    2. NOTE: In this release, existing locked out users must be restored using the Actions menu and then archived using the Mark as Resolved action.

    3. Contact Support with support logs to get adjusted threat detector settings.

    4. Verify that Create Snapshots is enabled.

    5. Increase the delayed lockout (in minutes) to a value that gives you time to respond to alerts and issue a manual lockout.

Critical

  1. Small number of Critical events: same as Major.  Add to the Ignore list and save.

    1. Follow the steps in "Ignore List setting Procedures".

  2. High number of Critical events:

    1. Follow the steps in "Enabling Monitor only Mode".  This quickly disables user actions in the event many users are detected and locked out.

    2. NOTE: In this release, existing locked out users must be restored using the Actions menu and then archived using the Mark as Resolved action.

    3. Set Critical on Mode to disabled (unchecked).  This disables immediate lockouts.

    4. Verify that snapshot mode is enabled (default).

    5. Set the Major delayed lockout timer to a value (in minutes) that gives you time to respond to the alert and issue a manual lockout.

    6. Contact Support with support logs to get adjusted threat detector settings.

Ignore List setting Procedures

Follow the steps below to add ignore list entries for paths, users or server/client source IPs.

  1. Open the Ransomware Defender window.

  2. Select the Ignored List tab.

  3. Enter a path, AD user (domain\userid), or server or client IP address and save.


Eyeglass User Lockout Active Directory Planning

The lockout process identifies all shares to which the user has access permissions, by searching all shares in all Access Zones on all clusters managed by Eyeglass.  A deny permission for the affected user is then added to each share in this list in real time.

A special case is handled for the "Everyone" well known group; understand how it operates in multi-domain Active Directory configurations.

Two scenarios can exist with AD domains on Isilon clusters.

Scenario #1

  • Parent and child AD domains that are members of the same forest, with a trust relationship between them.

Scenario #2

  • Two domains that are not members of the same forest, with no trust relationship between them.

If the "Everyone" well known group is applied to a share, in either scenario a lockout permission is applied regardless of which domain the user is located in.  This is required because Eyeglass has no way to know whether the domains trust each other.  This ensures all "Everyone" shares are locked out, which is more secure than skipping some shares.

Reference the diagram below.
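The share discovery rule stated above, including the "Everyone" special case, as an added example in Python.  This is not Superna's code; the share inventory, the Access Zone and cluster names, and the group memberships are constructed so the rule can be exercised offline.

```python
"""Share discovery for a user lockout across Access Zones and clusters.

Added example, not Superna's code. It applies the rule stated in this guide:
every share the user can reach, in any Access Zone on any managed cluster,
gets a deny entry, and a share granted to the well-known "Everyone" group is
included no matter which domain the user belongs to, because Eyeglass cannot
tell whether the domains trust each other. The share inventory and group
memberships are constructed.
"""

# Constructed inventory: share permissions as principal names.
SHARES = [
    {"cluster": "cluster-a", "zone": "System", "share": "finance",
     "permissions": ["CORP\\finance-team"]},
    {"cluster": "cluster-a", "zone": "zone-b", "share": "public",
     "permissions": ["Everyone"]},
    {"cluster": "cluster-b", "zone": "System", "share": "eng",
     "permissions": ["CHILD\\eng-team", "CHILD\\bob"]},
    {"cluster": "cluster-b", "zone": "zone-c", "share": "archive",
     "permissions": ["CORP\\archivers"]},
]

# Constructed group memberships, keyed by lower-cased user.
GROUPS = {
    "corp\\alice": {"corp\\finance-team"},
    "child\\bob": {"child\\eng-team"},
}

WELL_KNOWN_EVERYONE = "everyone"


def principals_for(user, groups=GROUPS):
    """The user plus every group they belong to, lower-cased for comparison."""
    user = user.lower()
    return {user} | {g.lower() for g in groups.get(user, set())}


def shares_to_lock(user, shares=SHARES, groups=GROUPS):
    """Return the (cluster, zone, share) tuples that need a deny entry.

    A share is selected when the user or one of their groups appears in its
    permissions, or when the share is open to "Everyone". The Everyone check
    deliberately ignores the user's domain, matching the guide's behaviour
    for untrusted or separate-forest domains.
    """
    mine = principals_for(user, groups)
    hits = []
    for s in shares:
        perms = {p.lower() for p in s["permissions"]}
        if WELL_KNOWN_EVERYONE in perms or mine & perms:
            hits.append((s["cluster"], s["zone"], s["share"]))
    return hits


def lockout_plan(user, shares=SHARES, groups=GROUPS):
    """Describe the deny entry that would be added to each affected share."""
    return [{"cluster": c, "zone": z, "share": n, "deny": user}
            for c, z, n in shares_to_lock(user, shares, groups)]


if __name__ == "__main__":
    for user in ("CORP\\alice", "child\\bob", "other\\carol"):
        print(user, lockout_plan(user))
```

Note that a user from a domain Eyeglass knows nothing about (other\carol in the constructed data) still collects the "Everyone" share, which is the conservative behaviour the guide describes.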

Security Guard - Automated Security Testing

Ransomware Defender monitors cluster IO for suspicious user behaviour.  Under normal day to day conditions no action is required, since alerts are sent in the event of a Warning, Major or Critical security event.

The Security Guard feature simulates a Ransomware attack on a daily basis to validate that all components are functioning, including alerting and lockout of user sessions.  Once configured, administrators get daily confirmation that Ransomware Defender is actively monitoring and responding to Ransomware events.

This offers the highest level of confidence that your environment is ready in the event malicious software inside your network finds shares and attacks their data.

The feature creates a honeypot share named igls-honeypot in the System Zone of each cluster managed by a Ransomware agent license key.  The feature can simulate an attack on demand or on a scheduled interval.

Simulated Attack

  1. Creates a share automatically, secured to the service account.

  2. Share name: igls-honeypot

  3. Creates test files using a well known extension to trigger a simulated attack response from the Ransomware Defender clustered agent.

  4. Verifies the user lockout occurs by checking that files cannot be written to the share

  5. Initiates recovery of the user and verifies access to the share again

  6. Reports success and failure per step

  7. Emails administrator results

Prerequisites

  1. System Zone must have an AD provider

  2. A user account created in Active Directory within the System Zone AD provider.  This user is not special in any way and should be a normal user; its home directory does not matter.

  3. System Zone must be enabled in the audit configuration on the Isilon cluster

Security Guard Lockout Behavior

  1. The user does not need to be added to any shares.  Security Guard creates its own share in the System Zone called igls-honeypot and adds the service account user to the share.

  2. If you add the service account user to other shares, only the igls-honeypot share will have files written during the execution of a simulated attack.

  3. Additional shares that have the service account added to the share permissions WILL have the service account's access locked out during simulated attacks.

Configuration

  1. Open the Ransomware Defender window on the desktop and select the Security Guard tab.

  2. Active Directory User - Enter the User Name (Active Directory service account) and Password from the System Zone authentication provider.  Example: domain\userid or user@domain.

  3. Settings:

    1. Enable Security Guard Tasks

    2. Interval Between Runs - Set the interval for scheduled simulated attacks.

  4. Select the checkbox of each cluster on which to simulate the attack.

  5. Submit - Saves the settings.

  6. Run Now - Tests Security Guard on demand.

Advanced Configuration

In some environments, audit events are delayed before they are sent to the ECA for processing.  The Security Guard feature writes 100 files, one per second.  If detection of the events does not occur within these 100 seconds, Security Guard fails the test.

The second phase of Security Guard restores the user's permissions and tests write access to the share again.  A timer can also be applied here to extend the time between the lockout and restore steps, so that authentication and share settings have time to replicate to the cluster.

These advanced settings can be configured from the CLI to check the timers and set new higher values.

Consult the Ransomware CLI guide section at the end of the guide.



How to Run on Demand Security Guard Penetration test

  1. Open the Ransomware Defender window (see screenshot below)

  2. Select the Security Guard tab

  3. Select each licensed cluster to test

  4. Select Run Now (see screenshot below)

[Screenshot: Security Guard tab with Run Now]

  5. Open the Jobs window

  6. Use the Running Jobs tab to monitor progress (see screenshot below)

[Screenshot: Running Jobs tab]


How to Review Security Guard Penetration test history and logs

  1. Open the Ransomware Defender window

  2. Select the Security Guard tab

  3. Select each licensed cluster to test

  4. Select Run Now (see screenshot below)

[Screenshot: Security Guard tab]

  5. Click the Open link to review the results

Data Recovery Manager Integration with Ransomware Defender

Overview

This feature integrates the Data Recovery Manager feature that is part of the Cluster Storage Monitor addon licensed product.  It allows an end user to recover files compromised by a security event, by triggering a data recovery job customized to the user's shares that stored the compromised files.

How to launch Data Recovery Manager Request From Ransomware Defender Action Menu

Prerequisites

  1. Cluster Storage Monitor license key

  2. For detailed configuration and setup of Data Recovery Management portal and integration requirements review the Cluster Storage Monitor admin guide.

Procedures

  1. Initiate File Recovery: From the Actions menu of a security event, select Initiate Self Recovery.

  2. Complete Version Selection of share(s): When the Data Recovery Management window appears, it lists the versions of the shares detected for this user.  The versions are based on snapshots and DR copies of the listed share on the local or remote cluster.  NOTE: You can select one or more shares to add to the request.

  3. After selecting the versions using the checkbox for each SmartConnect name (NOTE: each SmartConnect name and its list of shares is a separate request; only select the shares that require data recovery requests), click the Request Access button.

    1. Enter the user's AD login using the syntax domain\userid (reference the security event UserID in the Ransomware Active Events tab).

      1. Enter the UPN AD login credentials.

      2. Enter the user's email address.

      3. Add a comment to be sent to the user's email and click Request.

  4. Monitor and Approve Pending Data Recovery Requests: The request is submitted to the Data Recovery Management Pending Requests tab to be approved.  (NOTE: Role based access allows a separate admin user to review and approve data recovery requests; consult the Cluster Storage Monitor admin guide.)

    1. Approving Data Recovery: Click the Approve icon to have the request processed and generate a temporary share secured to the user affected by the security event.  This creates a temporary recovery share on the selected version of the share(s) with a time to live of 2 days (default setting), and emails the user the UNC path to access the recovery share(s).

  5. Temporary Share: The share created has the syntax share name - UserID@domain name-#  (where # is the number of the share created for this request).

    1. The share is created on a snapshot path and secured to the user in the request.

  6. User Access: The user can access the read-only version of the data on the temporary share to retrieve files that were compromised by the security event.

  7. NOTE: You can wait for the recovery to expire, which auto deletes the shares, or open the Data Recovery Management icon and select the Requests History tab.

  8. Click the Alarm Clock icon to complete the recovery before the expiry.  This action deletes the temporary shares created for this user recovery.

  1. Recovery Process Completed.
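Because the temporary recovery shares are created on production clusters and are expected to disappear on their own, it is worth checking periodically that none has outlived its time to live, that each is still restricted to the single user named in the request, and that each is still read-only. The script below is an added example and is not part of Eyeglass, Cluster Storage Monitor or this guide. It assumes the share-name syntax documented above (share name - UserID@domain name-#), the 2-day default time to live, and a hand-constructed share inventory; it does not parse the output of any real OneFS or Eyeglass command, and the principal format domain\user is an assumption.

```python
"""Audit Data Recovery Manager temporary shares (added example, not product code).

Assumptions (not taken from the product):
  - recovery share names follow "<share name> - <UserID>@<domain>-<#>"
  - the default time to live is 2 days
  - the share inventory is a constructed list of dicts, not real CLI output
"""
import re
from datetime import datetime, timedelta, timezone

# Share-name syntax from the guide. The domain match is greedy and the trailing
# "-<#>" is anchored to the end, so a domain containing hyphens still parses.
RECOVERY_SHARE_RE = re.compile(
    r"^(?P<share>.+?) - (?P<user>[^@\s]+)@(?P<domain>\S+)-(?P<n>\d+)$"
)
DEFAULT_TTL = timedelta(days=2)  # guide's default time to live for a recovery share


def parse_recovery_share(name):
    """Return the share/user/domain/# parts of a recovery share name, or None."""
    m = RECOVERY_SHARE_RE.match(name)
    if m is None:
        return None
    return {
        "share": m.group("share"),
        "user": m.group("user"),
        "domain": m.group("domain"),
        "n": int(m.group("n")),
    }


def audit_recovery_shares(shares, now, ttl=DEFAULT_TTL):
    """Return (share name, issue) findings for every recovery share in `shares`.

    Each share is a dict: name, created (timezone-aware datetime),
    principals (list of "domain\\user" strings granted access), read_only (bool).
    Ordinary shares whose names do not match the recovery syntax are skipped.
    """
    findings = []
    for share in shares:
        info = parse_recovery_share(share["name"])
        if info is None:
            continue
        # 1. A recovery share older than its TTL should already have been deleted.
        if now - share["created"] > ttl:
            findings.append((share["name"], "expired but still present"))
        # 2. Only the user named in the request should be granted access.
        expected = f"{info['domain']}\\{info['user']}".lower()
        extra = [p for p in share["principals"] if p.lower() != expected]
        if extra:
            findings.append((share["name"], "unexpected principals: " + ", ".join(extra)))
        # 3. Recovery data is served read-only from a snapshot path.
        if not share["read_only"]:
            findings.append((share["name"], "not read-only"))
    return findings


# Constructed inventory for demonstration; dates mirror the guide's screenshots.
UTC = timezone.utc
NOW = datetime(2017, 4, 24, 12, 0, tzinfo=UTC)
SAMPLE_SHARES = [
    {   # approved 2017-04-22 10:09, so more than 2 days old at NOW
        "name": "finance - jsmith@corp.example.com-1",
        "created": datetime(2017, 4, 22, 10, 9, tzinfo=UTC),
        "principals": ["corp.example.com\\jsmith"],
        "read_only": True,
    },
    {   # within TTL, but someone widened the ACL
        "name": "finance - jsmith@corp.example.com-2",
        "created": datetime(2017, 4, 23, 10, 0, tzinfo=UTC),
        "principals": ["corp.example.com\\jsmith", "Everyone"],
        "read_only": True,
    },
    {   # an ordinary production share, ignored by the audit
        "name": "engineering",
        "created": datetime(2016, 1, 1, tzinfo=UTC),
        "principals": ["corp.example.com\\Domain Users"],
        "read_only": False,
    },
    {   # within TTL and correctly scoped, but writable
        "name": "hr - alee@corp.example.com-1",
        "created": datetime(2017, 4, 24, 9, 0, tzinfo=UTC),
        "principals": ["corp.example.com\\alee"],
        "read_only": False,
    },
]

if __name__ == "__main__":
    for name, issue in audit_recovery_shares(SAMPLE_SHARES, NOW):
        print(f"{name}: {issue}")
```

Feed the function a share list built from your own inventory export and schedule it alongside the 2-day expiry; any "expired but still present" finding means the automatic cleanup or the Alarm Clock completion step did not remove a share and it should be closed out from the Requests History tab.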