Enhanced Anomaly Detection in Pure1

Explore the extended capabilities of Pure1 anomaly detection, now encompassing not only Data Reduction Ratios (DRR) but also latency and object counts for volumes and snapshots. This advanced monitoring helps identify unusual operations or potential attacks across your Pure Storage platform.


Any time there’s a deviation from normal steady state operational patterns, it’s a situation worthy of note. It does not always imply a malicious attack or breach in security, but cautious IT administrators prefer to be aware of these deviations.

Every customer environment is unique: the application and workload mix, the multi-vendor hardware, and the usage patterns vary with the time of day, day of the week, and month of the year. It’s extremely important to establish what is “normal” for a given customer’s environment and to surface anomalous deviations so that further analysis can take place. Constantly monitoring these metrics to spot significant deviations is painstaking.

At Pure, we understand this acute need for proactively discovering anomalies and have started surfacing them in Pure1®. 

Figure 1: Pure1 Data Protection Assessment dashboard.

Storage is the last line of defense, and anomalous patterns seen in data storage need to be qualified by external markers before they can be attributed to an unintended action by an unsuspecting insider or to an intentional attack. In either case, it’s important to review the anomaly alert that was raised and clear it.

Data Reduction Ratio (DRR) represents the level of compression and deduplication that a Pure Storage array provides to the customer. This is a highly desired feature of all Pure Storage appliances. For a given application and usage pattern, the DRR tends to stay within a normal operating range. 

Sharp drops in DRR are usually the result of drastic operations on the data, such as large-scale encryption followed by deletion of data, as is common in many malicious attacks. By surfacing anomalous drops (sharp drops, typically over 30%) in volume-level DRR for multiple volumes on your array, we aim to draw your attention to them so that you can analyze them.
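The check described above can be sketched as follows. This is an added example, not Pure1's own algorithm or code: it flags volumes whose latest DRR sits more than 30% below their own recent baseline and raises an array-level anomaly only when multiple volumes are affected. The median baseline, the minimum history length, the two-volume cutoff, and the sample data are assumptions made for illustration.

```python
from statistics import median

DROP_THRESHOLD = 0.30  # "typically over 30%" in the text above
MIN_VOLUMES = 2        # assumption: "multiple volumes" read as two or more
MIN_HISTORY = 5        # assumption: samples needed before a baseline is trusted


def drr_drop(history, current):
    """Fractional drop of `current` below the median of `history`.

    Returns None when no judgement can be made (short history, bad sample).
    """
    if len(history) < MIN_HISTORY or current <= 0:
        return None
    baseline = median(history)
    if baseline <= 0:
        return None
    return max(0.0, (baseline - current) / baseline)


def assess_array(volumes):
    """volumes maps a volume name to its DRR samples, oldest first.

    The last sample is treated as the newest reading and compared with
    the baseline built from all earlier samples of the same volume.
    """
    flagged = {}
    for name, samples in volumes.items():
        drop = drr_drop(samples[:-1], samples[-1]) if samples else None
        if drop is not None and drop > DROP_THRESHOLD:
            flagged[name] = round(drop, 3)
    return {"anomaly": len(flagged) >= MIN_VOLUMES, "volumes": flagged}


# Constructed sample data (volume names and values are made up).
SAMPLE = {
    "vol-db01": [4.1, 4.0, 4.2, 4.1, 4.0, 4.1, 1.2],  # sharp drop
    "vol-db02": [3.8, 3.9, 3.8, 3.7, 3.8, 3.9, 1.1],  # sharp drop
    "vol-logs": [6.0, 5.9, 6.1, 6.0, 5.8, 6.0, 5.5],  # ordinary drift
    "vol-new": [2.0, 1.0],                            # too little history
}

if __name__ == "__main__":
    print(assess_array(SAMPLE))
```

Comparing each volume against its own history, rather than against a fixed DRR value, is what lets the same threshold work across workloads with very different normal ratios.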


Pure1 now extends its anomaly detection capabilities beyond DRR. By analyzing additional metrics such as latency and changes in volume and snapshot counts, Pure1 provides more comprehensive surveillance of your storage environment. Sudden increases in latency can signal network issues or even failing hardware, both of which are critical to address to maintain operational efficiency. Changes in volume and snapshot counts could indicate unauthorized data duplication, transfer, or a precursor to data exfiltration or ransomware activity. By integrating these metrics into our anomaly detection, Pure1 delivers a richer, more detailed view of your storage landscape, allowing for quicker identification of potential threats and a more efficient response.

Figure 2: Pure1 Data Protection Assessment showing arrays with DRR drop anomalies. 

To see if any arrays have such anomalies, go to the Data Protection Assessment or Security Assessment in Pure1 and look for cells that have a lightning bolt (as pictured in the screenshot above). Clicking on the cell will bring up the insights sidebar where you can get more detail on what was detected.

To see the DRR anomaly detection feature in action, check out this Digital Bytes episode.

Figure 3: DRR past behavior for an array with an anomaly detected.

Anomaly detection is not intended to replace your SIEM or other security systems. By the time the anomaly is detected, it’s usually too late, as an attack may already be underway. However, Pure1 is excellent at tracking the extent of an attack, enabling quicker and more targeted recovery efforts. By displaying the latest snapshots for each affected volume, anomaly detection helps you identify a clean recovery point to get you up and running much faster.

Pure Storage is dedicated to advancing Pure1 anomaly detection to ensure your data remains secure and under constant surveillance. For more information about Pure1, check out the Pure1 product page. If you’re an existing customer, log in to Pure1 and start taking advantage of this great tool, which is provided to our customers at no additional cost.
