Auto-on SafeMode™: Default Ransomware Protection

Available in Purity 6.4.10, Auto-on SafeMode delivers ransomware protections by default when new volumes are created, automatically.

Auto-on SafeMode

The best protections are those you don’t have to think about using. They just happen, like the text editor that auto-saves every change you make in real time. (If you’ve ever written hours’ worth of code before hitting auto-save, you know the horror of seeing your work disappear in a flash when your PC crashes.)

SafeMode-protected snapshots have proven invaluable for Pure Storage customers. SafeMode snapshots help them recover from the damage of ransomware attacks in hours instead of weeks, and earn high marks during evaluations for cybersecurity insurance coverage. When used in Auto-on mode, SafeMode also frees them from having to set up snapshot creation and retention schedules. It just happens.


Upgrade to Purity 6.4.10 for Auto-on SafeMode Today!

When you upgrade to Purity 6.4.10, Auto-on SafeMode is turned on by default for all new volumes created, whether on a new FlashArrayTM or your existing array. 

Let’s dive into what that means, and why it matters to you.

1. Protection from Ransomware

Starting with the most obvious, you automatically have baseline protection from ransomware attackers. An attacker aims to encrypt critical storage volumes, and for a large sum of money, will sell you the decryption key so you can recover your data. Before encrypting various workloads, they first check to make sure that recovery is impossible. This is accomplished by deleting snapshots, and then deleting any defined policies that automatically take and retain snapshots. Once all backups are destroyed, they are nearly guaranteed a pay out.

SafeMode works by simply securing snapshots and snapshot policies. It’s so secure in fact, that to delete snapshot policies or snapshots, you have to contact support, have your identity verified, and provide two SafeMode Approvering co-workers who can verify your intentions. Only then can snapshots be deleted and/or policies can be reduced or removed.

2. New Volumes Protected Automatically

For the FlashArray, snapshot policies are defined in protection groups, and it is here that you declare which volumes, how often snapshots are to be taken, and for how long they should be retained. From that point forward, snapshots are automatic. As older snapshots “roll off” new snapshots are taken.

Much like a seatbelt isn’t helpful when it’s not fastened, none of these protections work unless you always remember to modify protection groups after adding new servers and provisioning new volumes. A checklist is helpful I’m sure, but what if we did that for you automatically? With Auto-on SafeMode, all new volumes have baseline protections through SafeMode-protected snapshots.

3. Snapshots Occupy Little Capacity

Snapshots are mostly just pointers to data. They don’t occupy real space at all times. In addition, snapshots capture changes to a volume between time intervals, after, of course, an initial snapshot of baseline data. This baseline of data, and all subsequent snapshots then go through the gamut of data reduction technologies: deduplication, compression, etc. Snapshots often take so little capacity that it makes Auto-on SafeMode a no-brainer.

4. Snapshots Provide “Moments in Time” for Recovery

With Auto-on enabled, you can go back to a point in time before the ransomware attack. For example, you might discover some volumes have been encrypted after you receive a ransom notice. In this example, it’s Thursday, but you have eight total days of snapshots to restore from. You can recover a snapshot from the day before, see if it is infected, and if not, you can then instantly delete the attacker’s volume and replace it. Maybe the attacker was already starting his attack that day, but now you can go hours or a day back, and restore from there. You have a selection of “points in time” from which to restore your volume.

A Pure Storage customer, NTT Managed Cloud Services, was migrating several thousand systems for a client when the client was hit with a ransomware attack. About 2,000 systems were attacked, and the systems migrated to the FlashArray were recovered in “30 to 60 minutes.” The systems that were not yet migrated required “weeks” to recover.

How to Set Up SafeMode Approvers

If you’ve never set up SafeMode administration, you can set up SafeMode Approvers through our new Pure1 process by following directions here. Otherwise, you can reach out directly to support. Be prepared to assign no less than 2 admins (up to 5) who are authorized to modify SafeMode changes.

Can You Opt Out of Auto-on?

For those who want to take a different strategy for ransomware, it is possible to opt out of Auto-on, you can do so globally or per volume. To opt out globally, during the upgrade simply select the option in Pure1 or respond back in your support case.  Opting out per volume is a cinch, just deselect the “add to pgroup-auto” when creating a new volume. Like Microsoft Office’s famous Auto-save feature that transparently takes responsibility off of us, while keeping us protected, Auto-on SafeMode works in the background until we need it, which is the best possible approach to security.