Video: Enhanced Client Blocking and Global Security | Duration: 94s | Summary: Blocking users at the appliance level during attacks, potential for global mitigation policy and future user-based blocking.
Video: Streamlined Restore Process for Efficient Recovery | Duration: 55s | Summary: Automated targeted restore process for recovering files after an attack, including customization options for cleanup.
Video: Leveraging Immutable Snapshots for Rapid Recovery | Duration: 99s | Summary: System creates infinite immutable snapshots in cloud for rapid recovery during ransomware attacks or disasters.
Video: Enhancing Security Capabilities Through Global Integration | Duration: 36s | Summary: Focus on integrating with SIEM and SOAR tools to extend ransomware and security capabilities globally.
Video: Rapid Ransomware Protection Solution with Enterprise Integrations | Duration: 64s | Summary: A comprehensive ransomware protection solution with transparency, reporting, and integration with SIEM and SOAR tools.
Video: Anticipating Ransomware: Navigating Cyber Security Trends | Duration: 55s | Summary: Ransomware threat affecting enterprises, driving need for robust cyber storage with cybersecurity capabilities. Gartner stats support urgency.
Video: Proactive Attack Mitigation and Notification Management | Duration: 50s | Summary: Mitigation policy to stop user actions during an attack, with notifications and effective block on client devices.
Video: Unified File Data Platform Enhancing Business Resilience | Duration: 52s | Summary: Nasuni offers unified file data platform, combining storage and data services for efficient data management, cutting costs.
Video: Nasuni Ransomware Protection Demo & Dash | Duration: 1852s | Summary: Nasuni Ransomware Protection Demo & Dash | Chapters: Introduction to Ransomware Protection (0.16s), Ransomware and Cybersecurity (138.995s), Security and Protection (318.29498s), Ransomware Protection Demo (668.75s), Ransomware Protection Q&A (1528.5549s)
Transcript for "Nasuni Ransomware Protection Demo & Dash":
Flow in, and we'll get started here. So today, my name is Ben Clark. I'm a product marketing manager here at Nasuni focused on security and ransomware, and I'm joined by Mike Driscoll, a director of product management, generally focused on our security offerings as well. And today, I'm going to only go through about, you know, five or so minutes of slides, and we'll quickly get to our demo of our ransomware protection solution. So before we kick it off, we have one poll. I'm gonna throw it up on the screen now. If we can see it. Yeah. It should pop up on the top right. Let's see. Feel free to put your votes in. What is your organization's primary concern with a potential ransomware attack? The cost of the ransom, the ability to limit the blast radius, the ability to detect the attack quickly, recover rapidly, damage to your organization's reputation, or costly downtime. And while these are coming in, up on the top right, there's also the Q&A section. Feel free to put questions in there throughout the presentation, and we'll try to get to them after the demo. Guess this is kind of a trick question. They're all pretty bad, but it looks like the vast majority have voted for the ability to recover rapidly, which is always super important. The cost of the ransom itself is usually pretty minuscule compared to the downtime that results from not being able to detect the attack quickly, limit the blast radius by stopping the attack, and then finally recover rapidly. So they all kinda play together. And if you don't do those components successfully, the money is gonna add up way more than the ransom. So happy to see that recovery is number one. Alright. We'll close that out, and let me jump into a few slides. Yes. This is being recorded, and we can send the on-demand recording right after this. So let's begin.
Starting out with a stat from Gartner's market guide for hybrid cloud storage, which is the category that Nasuni falls into. Ransomware attacks are anticipated to affect 75% of enterprises by 2025, emphasizing the need for robust cyber storage. So this is not new to anyone. Ransomware attacks are bad. They're getting worse. They're getting more sophisticated. They're affecting the majority of enterprises, even large names that you recognize in the news, corporations with security teams and tons of tools that are still getting attacked. They're still struggling to deal with these attacks. And the need for having cyber capabilities within your storage platform or your infrastructure is key. And I think there's another Gartner stat that we tend to use a lot, that by 2027 or 2028, a % of storage platforms will include these cyber capabilities, and we like to think that we add a lot of cybersecurity capabilities today, which we'll talk about today. So we have a mix of a crowd here. I think we have some customers, some non-customers. So a quick overview of what Nasuni is. Nasuni is the only unified file data platform that combines storage and data services into a single scalable software solution. And this is enabling business resilience and better data management while providing a solution that drives IT efficiency, generally cutting infrastructure costs by up to 65%. And this is generally in the form of unifying our customers' global legacy infrastructure into a scalable, global cloud solution. You know, Nasuni originally stood for NAS Unified, so we're generally unifying these legacy NAS solutions. But our customers are also saving costs by eliminating backup and disaster recovery infrastructure, because, you know, within the Nasuni platform, we include capabilities that can handle backup, disaster recovery and cybersecurity.
So that's a really quick overview of what Nasuni is itself. Today, we're focusing on security and how we provide those capabilities. And so number one, file data protection. Nasuni provides all-in-one file data protection. We have customers with petabytes of data, petabytes of files, so security is super important to us. So down on the right-hand side is your petabytes of file data. The first layer here is the Nasuni platform itself. How does that provide security? Number one, all the great aspects of a storage platform: end-to-end encryption, you know, Nasuni or the cloud provider, the hyperscalers, are not seeing this data. It's always encrypted, zero trust policies, all those great certifications like SOC 2 Type 2. Those are all good to have. But the key thing I wanna touch on here is the infinite immutable snapshots or versions. And so on Nasuni, whenever a change is made on a file or a new file is created, an immutable version of this will be saved in the gold copy, within object storage in the cloud. And so what this is doing is creating an RPO or recovery point every time a new file or change is created, and the pointer in the system is just pointing to the latest version of your data or your files. And so what that means is if there's a ransomware attack or disaster or something bad happens, you're not restoring data, which generally will take a long time. You're just dialing back to the version before that ransomware attack started. And this makes recovery extremely fast and enables us to have rapid recovery of, you know, a million files in under a minute. We have a video showing us doing this. And that's built into the platform, these infinite immutable versions. We have some of our largest, oldest customers that have over a billion snapshots today, or a billion recovery points. There's no retention period to how long you can have them.
There's no limit on Nasuni to how many of these snapshots you can have. So that's a great strength right there. But recovering fast is not too powerful if you can't detect an attack, stop the attack, and know what's going on, have transparency and reporting on all the details that are happening with that attack. And so that's where our ransomware protection solution comes in. I'm not gonna go any further on that because we're about to see a demo of a simulated ransomware attack. And then finally, what we're also gonna touch on today is enterprise integrations, sitting on that top layer here. So our great recovery and ransomware protection is really focused on those files within Nasuni. But, you know, these attacks tend to spread, and these large organizations tend to use these security management tools and have security teams that are overlooking a global enterprise. We have a strong focus now on integrating with as many SIEM and SOAR tools as possible, to kind of extend the reach of our ransomware and our security capabilities to the rest of the enterprise. And so CrowdStrike, which Mike will touch on in the demo today as well, is our newest integration that's coming early March. So looking at the NIST framework, a four-pronged approach: protecting your data in unlimited immutable versions, quickly detecting and stopping attacks at the edge, responding by providing all the key details, and you'll see each of these steps in the demo coming up soon, and then quickly recovering as many, you know, it won't be millions of files at this point because you detected and stopped it, but having the ability to rapidly recover these files. And what every piece of this solution is really harping on is the mean time to recovery.
And I think we saw in our poll that everyone's aware of the importance of recovering fast, but as time goes on in the sense of a ransomware attack, downtime is gonna increase, more files and users are gonna be affected, more bad things are gonna happen, and costs are gonna go up and up. And so from detection to mitigation to recovery, the solution is all built around speed. And so before I pass it over to Mike, I just want everyone to ask themselves these questions as we're coming into 2025, where cybersecurity is one of the heaviest investment areas for organizations. Are you confident with your current cybersecurity strategy? Do you have a plan in place? No matter what your strategy is, do you know who's gonna do what and what you're gonna do when a ransomware attack happens? Because, you know, we're seeing 75% of organizations it will happen to. How long can you afford to have unplanned downtime, and is your data easily recoverable? So just some questions to think about as you plan for 2025. And, well, that took ten minutes. But, Mike, I will pass it over to you for the demo.

Alright. Thanks, Ben. Yeah. So I'm going to share a demonstration. We're gonna do a simulated ransomware attack against a Nasuni Edge Appliance, and we'll see how the system responds and implements those key pieces of response that Ben just covered. So, on your screens right now, you can see I'm logged into my NMC, my Nasuni Management Console. This is the single pane of glass through which customers can manage their entire Nasuni ecosystem. Mine's gonna be kinda boring because it's just a lab. But I'm gonna go visit our cyber resilience section, and this is where I'll configure the ransomware protection add-on. I've got a few test volumes set up here. We're gonna focus our demo on this corp data volume. And to turn on ransomware protection, it's just a matter of flipping a couple of switches. The first one enables the detection process.
So this will monitor for signs of ransomware attacks in real time on each Edge Appliance connected to the volume. The second switch is the mitigation policy. What this does is implement the blocking policy that cuts off the attacker once we detect an attack. So this minimizes that blast radius that Ben alluded to earlier. In the advanced options section, I have the ability to adjust, essentially, how aggressively the system responds to a potential attack. So this is a way for you to adjust this to kind of meet your particular environmental requirements, depending on how your users interact with your Edge Appliances. For the purposes of the demo, I'm just gonna bump these all the way down to very low. This means the system will be as aggressive as possible in classifying something as a ransomware attack. Normally, we would recommend starting with the default thresholds of medium and high for detection and mitigation. And having this separation lets you adjust just how the system responds. So maybe you can start with detection only for a period of time, make sure you're not seeing any false positives, and then come back and enable mitigation once you're confident in the detection piece. So when I hit the save button, just the way the NMC works, it will send the configuration information down to the Edge Appliance that's attached to this volume. So now you can see that detection and mitigation are both enabled. And now I'll flip over to a client that is connected to the Edge Appliance. You can see up here in the Explorer address bar, NEA one, and the corp data volume. And I've got some test data that we'll use in this particular example. I've got some pictures of airplanes. This is what we're gonna go through the simulation against. And for that simulation, I have a PowerShell script that behaves similar to a real ransomware attack. It will go through and encrypt the contents.
I've already kinda prestaged some of this. I'm gonna tell it I want to go through and encrypt files. I'm gonna use a random extension and then choose our test dataset here and confirm I wanna start. And in a couple of seconds, we'll start to see the script go through, start processing and encrypting the contents of this ransomware test data set. So the way our algorithm works is it's looking for signs of destructive actions indicating an encryption event. It also does make use of known ransomware signatures, which can act as a confidence booster for us so that we can become more certain that this is a ransomware attack more quickly than with a random pattern. So you can see, now these airplane files have been encrypted. If I try and open them with Paint, for example, you're not gonna be able to actually open them anymore. So these have really been encrypted. And, again, what's happening in the background as the script continues to execute is that the Edge Appliance is tracking this activity and coming up with that confidence score that this actually is a real ransomware attack as opposed to legitimate end user activity. And as we approach the configured threshold, we can see actually we've hit it. Notice that the counter has stopped incrementing and the script seems to be kinda paused and stuck. If I go back over to my management console, in the upper right corner I've got a little notification here indicating that I've detected a ransomware attack from this user, Jay Smith, on the volume corp data. And when I go over and look at my incident management page, I'll see a record of the fact that I've detected this incident and the associated confidence level with it. Notice the signature column that's currently blank. That's because there was no known signature associated with this attack.
And in the column all the way at the right, you can see there's a little shield icon indicating that the mitigation policy was triggered as part of this attack. So that is that ability to cut off the end user, right, that's involved in the attack, and keep that user from causing further damage. And also up in the notification section, you can see a second notification has come in, indicating that the mitigation policy has been enforced and the client device has been blocked from any further access to this appliance. If I go back to that client, you can see my script has finally timed out. It's given me some errors about being unable to access the network any longer. And Windows Explorer in the background here, you can see, is no longer able to access this folder. And if I tried to browse anywhere on this Edge Appliance, I would have absolutely no access, because of that mitigation policy. So now this client can't cause any further damage on the appliance, and I've reduced the blast radius of the files I need to worry about restoring. So back on the incident management page, now that I've got an incident here, I might wanna dig a little bit into the details of what happened during this incident. So our first action button allows me to generate an incident report. This is generated every time you click that button, and this is designed to give you a summary of all the key events related to this particular incident. And we start by just laying out some of the things we already saw in the NMC UI in terms of the volume involved, the Edge Appliance involved, and the user involved. And then we provide some of that same detail in tabular format over on the right. You can see here it's calling out the user involved in this incident and the number of files that were affected.
Underneath the summary, we lay out key events on a timeline, and that starts with the last snapshot taken prior to the beginning of the attack. So Ben was talking about our ability to create an infinite number of immutable versions, and that's what we're referencing here. This is our recovery point when it comes time to restore those files back to a known good state. This is the last one that was taken prior to that attack happening. The delta between when this last snapshot occurred and when the attack starts is just gonna depend on your environment, how frequently you're creating these versions or snapshots, and, of course, when the first violation, as we call it, is detected. And that's referred to in the second field. So this is that first instance where we detected an encryption against one of the files. And then our third bullet here is when we reached a sufficient confidence level to trigger the incident creation. And then our last bullet point is, currently, when the mitigation policy was triggered and we blocked that client device from further access to the appliance. The same detail is laid out in a table underneath the timeline, and then we record some system configuration information. We show you what the current confidence level is as well as the confidence level that was configured as part of the policy. We'll show you the status of the clients that have been blocked as part of the incident. And lastly, we'll give you up to the first one hundred impacted files that were part of the incident. The reason we capped this at 100 impacted files is because this report is designed to be something you can easily share with stakeholders within your company to give them an overview of the attack and what happened as part of it, how the Nasuni platform responded and reduced the blast radius.
An admin can always go and see the full details about the incident, all the files impacted, by visiting our ransomware log files that are stored at the root of every Nasuni volume. So I'm gonna close the incident report for now. We'll come back to it again in a moment. Our second action, now that we've determined that we've been attacked and we know the incident has been mitigated, maybe I've gone off, I've tracked down that client, I've taken it, you know, off the network entirely. Now I need to recover those files that were involved in the attack. So I'll do that via our targeted restore process. And when I click on this, what we're doing is combining all the information we have about the attack: the appliance, the volume, the files that were involved. We know that last snapshot taken prior to the beginning of the attack. So we build the recovery job for you. So you don't have to go through and find all the impacted files. We do that. You don't have to, you know, pick and choose them, or roll back an entire volume or directory. We'll just do this targeted restore of just the impacted files for you. We do give you the ability to customize the job a bit. If you'd like us to, we'll clean up the encrypted files as part of the recovery. So as we restore the last good version of the file, we'll delete the encrypted version. If you want to, you can leave this unchecked, and we'll leave those encrypted files alone. So they'll remain in place if you need to collect them or investigate them further on your own. For our demonstration, I'll have the system go ahead and clean it up. And then a couple of kind of standard restore options here. You can have us back up existing files. Maybe, you know, a user notices that their PowerPoint file was encrypted. They've got a local copy on their laptop, so they proactively restore it.
With backup existing, we'll rename their version before we do our restore, making sure that both versions are preserved and the user can determine which is the more appropriate one to keep around. And then lastly, you can choose to restore to a different location. So I'm just gonna confirm that I want to perform my restore. I'll hit the restore files button, and this will resubmit that restore job down to the Edge Appliance connected to the volume, and we'll give you a little progress indicator here in the table as the appliance goes through and recovers those files. And you can see we're already at 87%. We'll come back to this page in a moment, but our last page here is the blocked clients page. So here you can see a record of the client that was blocked by the mitigation policy. So once I have taken that client and isolated it entirely from my environment, I can come in here, check the box, hit the little trash can icon in the upper right corner, and that will remove this mitigation rule from the appliance, meaning that another device that happens to pick up this IP address will be allowed to connect successfully to the appliance. Let's see. Back in my incident management, you can see I've got a restore completed. If I go to this machine, which was not part of the attack, so it's not blocked, you can see I'm on that same appliance, that same corp data volume, in our test dataset. And if I go in here, we can see my airplanes are back to their good state, and I'm once again able to access my files. So all those 200 files recovered in just a matter of seconds. And now if I go generate a new incident report, we'll see that it's been updated a bit. Most of it has remained the same. But now in our timeline, we've got a new entry indicating that a restore has been completed.
And in the details below that, we can see two events showing that the user named admin, that's who I'm logged in to the NMC as, started the targeted restore job, and that restore job completed successfully a few seconds later and recovered all 223 files. And as with the ransomware logs themselves, we also have logs about the actual restore process in the root of the volume for an admin to go review further. So now that I've completely responded to this incident, I could maybe hit the print button, save this as a PDF, file it away, or send it via email, again, to all the stakeholders who need to know the scope and response to the incident. So this is all great from a Nasuni admin point of view, but, of course, security teams also need to know what's happening around these attacks. So the way we do that is by feeding this data to external SIEM and SOAR solutions. And I've got loaded up here already an example of that with CrowdStrike. So this is a forthcoming integration that Ben mentioned we plan on formally launching in March of this year. And what you can see here at the top is kind of an example dashboard of the latest ransomware incidents. So you can see these are the same details that we saw in the NMC about the incident being detected, the ransomware attack being detected, and also the mitigation policy being triggered. And then I'm also feeding file system audit events to CrowdStrike so that I can also see what that user was up to in the last few minutes around this attack. And you can see those same files that we saw encrypted in Windows Explorer are now listed here. As long as you're feeding all of your audit events here, you could investigate further back in time, go see what else that user was up to earlier in the day, and further investigate the scope. And that pretty much takes us through our demonstration of the ransomware protection add-on.

Alright. Thank you, Mike.
Well, we had a lot of questions come in, a lot around how we do the mitigation and blocking. So, Mike, is the blocking the same for NFS and SMB access, AKA IP based?

It is different. So the mitigation, the blocking, applies only to SMB access. For NFS, we will report on an incident, but we do not support mitigation with NFS.

OK. Will it only block the client from the specific Edge Appliance or all Edge Appliances?

So we'll block just from the appliance that's under attack. If the user or the client starts an attack on another appliance, it would be running the same ransomware policy. So that same mitigation would trigger on that appliance, and that user would be blocked there. Also, we do have an example of a way to make that block apply globally via an external script. So that mitigation policy is available via our NMC API. So you could set up a system that monitors for a mitigation policy and then applies it across all your connected appliances. That's also a feature we're considering adding in a future release, to make that global by default.

So maybe a little similar here. Is the client block only on the filer that the activity occurred on or on all filers, or is the block at the volume level?

Yeah. It is at the filer level, so it impacts every share and volume, essentially. That client can't access anything, including the management UI.

OK. And can the block be based on user login and/or source IP, because an attacker can easily get another IP address with leaked user credentials?

It's a great question. So stay tuned for an announcement coming later this year. We are currently developing the ability to block by username.

Okay. Another question here. Would it detect large amounts of data before encryption?

So the ransomware algorithm itself does not detect any sort of exfiltration activity right now.
We're constantly looking at ways to improve that algorithm and add new actual encryption events themselves or, potentially, for some sort of massive read operation. That detail can be gleaned, though, from our file system audit events. So the detail we saw in that CrowdStrike dashboard, you could watch for massive read operations either within CrowdStrike or in our FileIQ platform. That's another area where we're looking at making investments to identify anomalous activity.

Alright. And then one more question here about the CrowdStrike integration. So is the CrowdStrike integration a built-in, oh, it disappeared. A built-in feature that is managed by you, or is it tied to our own CrowdStrike service that we pay for outside of Nasuni?

So the way the integration works is via us sending messages over Syslog to CrowdStrike. So there's nothing that Nasuni hosts in that regard. You would configure your appliances to send the relevant log details to a collector, which then would forward them on to the CrowdStrike SIEM solution. So that would be the integration path.

OK. We got another one coming in here. We have about a minute left. How many current customers have added ransomware? Is it like buying an insurance policy, so selling this to management when I could use my immutable snaps to recover?

If I could take this one. I mean, it has been, you know, very popular among our customer base. I think with new customers, you know, in the last quarter, we've seen almost 80% or over 80% attach rate to add this product. And it really, the point I made earlier, the immutable snaps do help you recover, but if you don't even know you got attacked or you can't stop the attack, which can, you know, encrypt a hundred thousand files in minutes, and you don't have that report to know what the last clean snapshot was or the details about what happened.
You know, the immutable snaps can help you recover, but this ransomware solution really makes the whole workflow from detection to recovery extremely fast and easy, all within the management console. So it definitely does help there when it comes to a ransomware attack. Okay. Well, I think that is the last question, right on the dot, 11:30. Thank you for joining. Yeah. Thank you, everyone.