Because of a few very bad people, we all carry a burden. At home, that could mean locking the front door, checking the side gate, or taking other precautions.
With data center security, the burden is omnipresent—and very expensive. Plus, it’s not optional or very inspirational. You pay the costs so your organization can move forward normally.
Ransomware presents a new kind of data center burden. If you’re a victim of it, the consequences can be staggering: a complete cessation of your operations, the subsequent costs due to that interruption, a huge loss in reputation, and famously, an exorbitant ransom. After all of that, you’re back to square one.
Therefore, mitigating ransomware needs to be easy. It should be as simple as checking the front door before you go to bed.
Pure Storage® SafeMode Snapshots is exactly that.
Ransomware Attacks
Ransomware is discussed everywhere today, so I won’t go into too much detail. In a nutshell, an attacker encrypts your data and then sells you the decryption key to recover it. What many people don’t know is that ransomware software and “as-a-service” kits are sold on the internet like mainstream software. And it’s very lucrative.
It takes a combination of luck and skill for an intruder to gain access to a storage device or an entire application server and its connected volumes. Preventive maintenance is critical: locking down resources, retiring older devices, and reviewing access logs. These measures will go a long way in preventing an attack.
But, if an intruder does attack your organization, the following sequence of events is likely to occur:
- Through some means, an intruder gains access to sensitive data or information.
- The intruder starts an encryption process that slowly and discreetly encrypts your organization’s data and information.
- After some time elapses, the intruder permanently deletes the volume snapshots, leaving only the encrypted volumes and no clean copy to restore from.
- The application crashes and operations are offline until you pay the ransom.
- The ransom is paid, and you can restart applications with access to unencrypted data (hopefully).
Ransomware Mitigation with SafeMode Snapshots
Now, let’s take the same sequence of events but with SafeMode enabled.
- Through some means, an intruder gains access to sensitive data or information.
- The intruder starts an encryption process that slowly and discreetly encrypts your organization’s data and information.
- The intruder attempts to delete the snapshots but can’t, because SafeMode has them locked.
- The encrypted volumes are taken offline or removed, and the data is restored from the locked snapshots, which the intruder could neither alter nor eradicate.
- Operations are either not impacted or only minimally interrupted, and no ransom is paid.
SafeMode Is Easy to Enable
SafeMode is a data-protection solution built into FlashArray™ and FlashBlade™. To enable it, call Pure Storage Support and request it. Support will set up a conference call with you and your account team. From then on, changes to SafeMode are only possible when at least two authorized contacts from your organization join a call with the Support team. You can authorize up to five contacts who can make changes to SafeMode, and each authorized contact receives a six-digit PIN to identify themselves on those calls.
SafeMode Is Easy to Use
On FlashArray, deleting a volume, snapshot, host, or other object doesn’t remove it outright. The object is marked destroyed and sits in a special “destroyed” area that is visible in the GUI, where it remains recoverable for 24 hours by default. After 24 hours, the array eradicates it permanently. This Eradication Timer is the “undo” button for mistakes.
Without SafeMode, however, any array admin can eradicate a destroyed object immediately: click the trash can icon next to it, and it’s gone forever. SafeMode closes that gap by locking everything in the destroyed area, so an object can only be removed forever once the Eradication Timer has counted down. For ransomware, 24 hours isn’t long enough, because the slow, discreet encryption described above can run unnoticed for longer than that. We suggest raising the timer to a longer duration such as 14 days; you can select up to 30 days. SafeMode on FlashArray is also “auto-on,” so your data is protected from the moment the array is deployed in your environment.
To summarize, setting up SafeMode to protect your data is as simple as:
- Deploying FlashArray in your environment.
- Logging into Pure1 to create and enable SafeMode approvers.
- Establishing authorized contacts and recording each assigned PIN.
- Adjusting the Eradication Timer to something well beyond 24 hours (we suggest 14 days; the maximum is 30) so the recovery window outlasts an intruder’s time on your systems.
Immutable Snapshots
Pure Storage snapshots are immutable. With SafeMode, they’re also ineradicable (yes, that is a real word). And they’re fast: creating a snapshot takes less than a millisecond, because it only writes a few persistent metadata structures rather than copying data. Finally, and most importantly, Protection Groups offer robust, configurable snapshot policies: how often snapshots are taken, how long they’re retained, and whether they’re also sent to other destinations such as FlashArray//C, FlashBlade®, AWS, Microsoft Azure, and NFS shares.
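The setup steps above and the Protection Group policies just described amount to a checklist: every volume belongs to a protection group with an enabled snapshot schedule, retention and the Eradication Timer are at 14 days or more, and snapshots also land somewhere off the array. The following Python is an added example, not code from this post or from Pure Storage’s own tooling, that runs that checklist against a constructed, made-up inventory. The object names, field names, and the `audit` function are assumptions chosen to mirror the objects the post describes; the script does not talk to a real array, so you would feed it an export from your own tooling.

```python
"""Offline audit of a FlashArray-style inventory against the SafeMode checklist.

Added example. The inventory below is constructed to mirror the objects the
post describes (volumes, protection groups with snapshot schedules and
retention, the array-wide eradication timer). It does NOT call the Pure
Storage REST API or CLI; field and function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List

HOURS_PER_DAY = 24
RECOMMENDED_DAYS = 14   # the post's suggested eradication timer / retention
MAX_ERADICATION_DAYS = 30  # the ceiling the post states for the timer


@dataclass
class ProtectionGroup:
    name: str
    members: List[str]            # volume names in this group
    snap_enabled: bool            # local snapshot schedule switched on
    snap_every_hours: float       # schedule frequency
    retain_days: int              # how long local snapshots are kept
    targets: List[str] = field(default_factory=list)  # replication targets


@dataclass
class ArrayInventory:
    volumes: List[str]
    pgroups: List[ProtectionGroup]
    eradication_timer_hours: int
    safemode_enabled: bool


def unprotected_volumes(inv: ArrayInventory) -> List[str]:
    """Volumes that sit in no protection group with an enabled schedule."""
    covered = set()
    for pg in inv.pgroups:
        if pg.snap_enabled:
            covered.update(pg.members)
    return sorted(v for v in inv.volumes if v not in covered)


def audit(inv: ArrayInventory, min_days: int = RECOMMENDED_DAYS) -> List[str]:
    """Return one finding per gap; an empty list means the checklist passes."""
    findings = []
    if not inv.safemode_enabled:
        findings.append("SafeMode is off: any array admin can eradicate destroyed objects")
    if inv.eradication_timer_hours < min_days * HOURS_PER_DAY:
        findings.append(
            f"eradication timer is {inv.eradication_timer_hours}h; "
            f"raise it to at least {min_days}d (max {MAX_ERADICATION_DAYS}d)")
    for v in unprotected_volumes(inv):
        findings.append(f"volume {v} has no enabled snapshot schedule")
    for pg in inv.pgroups:
        if not pg.snap_enabled:
            continue
        if pg.retain_days < min_days:
            findings.append(
                f"protection group {pg.name} retains snapshots for only "
                f"{pg.retain_days}d; raise it to at least {min_days}d")
        if not pg.targets:
            findings.append(
                f"protection group {pg.name} has no replication target; "
                "snapshots exist only on this array")
    return findings


# Constructed "before" inventory: default 24h timer, one volume outside any
# group, one group with short retention and no off-array copy.
WEAK_INVENTORY = ArrayInventory(
    volumes=["db-data", "db-log", "web-01", "scratch"],
    pgroups=[
        ProtectionGroup("pg-db", ["db-data", "db-log"], True, 1, 14, ["flashblade-dr"]),
        ProtectionGroup("pg-web", ["web-01"], True, 4, 3),
    ],
    eradication_timer_hours=24,
    safemode_enabled=True,
)

# Constructed "after" inventory with every gap closed.
HARDENED_INVENTORY = ArrayInventory(
    volumes=["db-data", "db-log", "web-01", "scratch"],
    pgroups=[
        ProtectionGroup("pg-db", ["db-data", "db-log"], True, 1, 14, ["flashblade-dr"]),
        ProtectionGroup("pg-web", ["web-01", "scratch"], True, 4, 14, ["flashblade-dr"]),
    ],
    eradication_timer_hours=RECOMMENDED_DAYS * HOURS_PER_DAY,
    safemode_enabled=True,
)

if __name__ == "__main__":
    for label, inv in (("weak", WEAK_INVENTORY), ("hardened", HARDENED_INVENTORY)):
        print(f"== {label}: {len(audit(inv))} finding(s)")
        for f in audit(inv):
            print("  -", f)
```

Run it as-is to see four findings for the weak inventory and none for the hardened one. The useful habit it encodes is running the check on every change, not once at deployment: a new volume created without a protection group, or a retention quietly shortened, is exactly the drift that leaves you without a clean snapshot when you need one.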
SafeMode is a comprehensive, high-performance solution. Here are a few additional highlights. With our latest Purity release, SafeMode also locks down:
- Protection Group targets: An intruder can’t prevent snapshots from being sent to another destination.
- Snapshot retention: An intruder can’t set the retention to zero and eradicate all of the snapshots. Retention can be increased as needed, but it can’t be decreased unless two authorized contacts, each with their PIN, contact Pure Support.
- FlashArray files
Conclusion
SafeMode is a built-in feature of FlashArray. Snapshots offer flexible, configurable policies and several ways to offload snapshots to other destinations. While technology often complicates things, this isn’t the case with FlashArray.
As we’ve been saying since 2011, there’s no reason for compromise or complexity.