Nutanix Files Episode 4.1 - A Security Story

  • 23 June 2022
  • 1 reply

With unstructured data growing exponentially, securing shared storage is becoming increasingly difficult. It is an operational nightmare to identify datacenter weak points, let alone predict the next threat. Ransomware attacks are becoming more and more sophisticated, getting past firewalls and anti-virus software.

Does this sound familiar? You plug one hole and another opens. You update software and you train end users on how to detect suspicious files or emails, but the threats keep coming. The rise of Ransomware in recent years has put companies on red alert. CIOs are well aware of the impact this can have, and nearly all would say that security is a top priority for their business.

The impacts from Ransomware are staggering:

  • A Cybersecurity Ventures article in 2021 showed that from 2015 to 2021 the damages from Ransomware grew over 57x, from $325M to over $20B. (“Global Ransomware Damage Costs Predicted To Exceed $265 Billion By 2031”) 
  • Sophos reports that on average the cost of recovering from Ransomware in 2021 was $1.8 million (“The State of Ransomware 2021”). In the same report, companies that paid the ransom recovered on average only about 65% of their data.
  • An InformationWeek article from December 2021 on the cost of Ransomware points out that companies surveyed experienced around 21 days of downtime (Pallardy).

The prime target for this nefarious activity is unstructured data. Data is currency, both for those looking to take advantage of the vulnerabilities and obviously for businesses themselves. Therefore, securing datacenter storage is critically important and is typically viewed in a layered model or a defense-in-depth approach. 

The Nutanix Files™️ storage solution initially helped secure unstructured data with support for third-party antivirus scanning, native file blocking policies, and snapshots to support recovery in the event of intentional (or unintentional) actions. But this was just the start. 

Next, in 2021, we launched the Data Lens™️ data analytics tool to gain insights into unstructured data activity that could indicate potential Ransomware threats. This cloud-based data security and governance service delivers enhanced Ransomware threat detection capabilities based on more than 4,000 known signatures. Analytics quickly became a powerful tool to help IT Operators and Administrators spot suspicious activity that could then be blocked by our native file blocking policies.

Now, we’ve added even more protection in Nutanix Files 4.1, which moves beyond known-signature detection to cover the common zero-day situation, when there is no known signature for comparison.

Behavior-based Ransomware detection

With Data Lens and Files 4.1, we can leverage our integrated ability to detect anomalous activity and pair that with additional pattern detection analysis to move beyond known signature-based Ransomware analysis. We can take these patterns of suspicious activity and pair them with additional file metadata that can indicate whether a file has been encrypted.

This takes native security to the next level. This secondary analysis of anomalous activity opens up a customer’s detection aperture to identify Ransomware activity with no known signature. Once an attack is detected, configurable remediation policies can be applied to block the offending client session or host IP address, and the operations team can be alerted to investigate the threat.

Once the threat is confidently addressed by the IT admin, an operations team has the power to unblock impacted clients or users and leverage recovery features, such as snapshots, to restore any impacted data. Data Lens with Files now delivers a broad spectrum of Ransomware protection, helping provide an extra layer of defense against malicious activity. This may help an organization align with the common NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond and Recover.
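The pairing described in this section, an activity pattern combined with a per-file indicator of encryption, can be sketched as follows. This is an added example, not Nutanix or Data Lens code: the event fields, the use of Shannon entropy as the "looks encrypted" indicator, and the thresholds are all assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

ENTROPY_BITS = 7.5   # assumed cut-off, bits per byte, for "looks encrypted"
BURST_COUNT = 3      # assumed: this many such writes from one client ...
WINDOW_S = 60        # ... inside this many seconds counts as a burst

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a content sample; 8.0 looks like random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def clients_to_block(events):
    """Return the sorted client IPs showing a burst of high-entropy writes."""
    suspicious = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] == "write" and shannon_entropy(ev["sample"]) >= ENTROPY_BITS:
            suspicious[ev["client"]].append(ev["ts"])
    flagged = set()
    for client, stamps in suspicious.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW_S:   # slide the window forward
                start += 1
            if end - start + 1 >= BURST_COUNT:
                flagged.add(client)
                break
    return sorted(flagged)

# Constructed audit events (not real Data Lens output); IPs are documentation addresses.
RANDOM_LIKE = bytes(range(256)) * 4        # entropy exactly 8.0 bits per byte
TEXT = b"quarterly report draft " * 40     # ordinary document, low entropy
SAMPLE_EVENTS = (
    [{"ts": 100 + 5 * i, "client": "192.0.2.15", "op": "write",
      "path": f"/share/doc{i}.docx", "sample": RANDOM_LIKE} for i in range(4)]
    + [{"ts": 100 + 2 * i, "client": "192.0.2.20", "op": "write",
        "path": f"/share/copy{i}.txt", "sample": TEXT} for i in range(10)]
    + [{"ts": 130, "client": "192.0.2.30", "op": "write",
        "path": "/share/backup.zip", "sample": RANDOM_LIKE}]
)

if __name__ == "__main__":
    print(clients_to_block(SAMPLE_EVENTS))
```

Neither signal is enough alone: the bulk text copy is a burst without encryption-like content, and the single archive upload is high-entropy without a burst, so only the client showing both is returned.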

Write-Once Read Many

Nutanix Files now offers Enterprise WORM Support starting in 4.1. Write-Once-Read-Many (WORM) value has traditionally been thought of in terms of legal hold, compliance or regulatory use cases for storing data. These are indeed valid use cases, but WORM can also be thought of as a security feature in defense of malicious activity.

With this new release, Nutanix Files supports WORM shares that make files read-only after being saved to file shares on a Nutanix Files cluster. This capability is increasingly being called Enterprise or Governance-level WORM. Data written into an Enterprise WORM-enabled share goes through a cool-off period, providing an opportunity for content to still be changed. Once the cool-off period timer expires, the file will transition into a locked state, becoming read-only. A file will remain read-only until a retention timer expires. This helps preserve the state of the file and allows the file to be deleted after the retention timer expires.

Enterprise WORM support also allows “privileged deletes” so that operators with a defined set of permissions can remove a file before the retention timer expires. For security purposes, even operators with privileged delete permissions cannot modify the data contained within the file content itself, thereby protecting the most critical data against malicious attacks including Ransomware.

Now it’s possible to create immutable file sets and specify a retention date, protecting the data from any modification or deletion. Enterprise WORM can be a great defense against ransomware that attempts to encrypt the files it discovers, and it also serves the traditional use cases where data retention needs to be in place regardless of the potential for malicious activity.
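The file lifecycle described in this section (cool-off, locked, retention expiry, privileged delete) can be modelled as a small state machine to check which operations a given caller should expect to succeed. This is an added example, not Nutanix code: the names and timer values are hypothetical, and it assumes the retention timer starts when the file locks, that deletes are allowed during cool-off, and that writes stay denied after retention expires.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    COOL_OFF = "cool-off"
    LOCKED = "locked"
    RETENTION_EXPIRED = "retention-expired"

@dataclass(frozen=True)
class WormPolicy:
    cool_off_s: int
    retention_s: int  # assumption: counted from the moment the file locks

def state_at(policy, saved_at, now):
    age = now - saved_at
    if age < policy.cool_off_s:
        return State.COOL_OFF
    if age < policy.cool_off_s + policy.retention_s:
        return State.LOCKED
    return State.RETENTION_EXPIRED

def is_allowed(policy, saved_at, now, op, privileged_delete=False):
    """op is 'write' or 'delete'; privileged_delete marks an operator holding that right."""
    if op not in ("write", "delete"):
        raise ValueError(f"unknown operation: {op}")
    state = state_at(policy, saved_at, now)
    if state is State.COOL_OFF:
        return True   # content may still change (delete here is an assumption)
    if op == "write":
        return False  # never modifiable once locked, even with privileged delete
                      # (staying read-only after retention is an assumption)
    if state is State.LOCKED:
        return privileged_delete
    return True       # retention expired: the file may be deleted

def denied_attempts(policy, attempts):
    return [a for a in attempts
            if not is_allowed(policy, a["saved_at"], a["now"], a["op"],
                              a.get("privileged_delete", False))]

# Constructed sample: one file saved at t=0, 10-minute cool-off, 30-day retention.
DEMO_POLICY = WormPolicy(cool_off_s=600, retention_s=30 * 86400)
ATTEMPTS = [
    {"who": "author-edit", "saved_at": 0, "now": 120, "op": "write"},
    {"who": "encrypt-in-place", "saved_at": 0, "now": 3600, "op": "write"},
    {"who": "operator-overwrite", "saved_at": 0, "now": 3600, "op": "write",
     "privileged_delete": True},
    {"who": "user-delete", "saved_at": 0, "now": 3600, "op": "delete"},
    {"who": "operator-delete", "saved_at": 0, "now": 3600, "op": "delete",
     "privileged_delete": True},
    {"who": "cleanup-job", "saved_at": 0, "now": 600 + 30 * 86400, "op": "delete"},
]

if __name__ == "__main__":
    print([a["who"] for a in denied_attempts(DEMO_POLICY, ATTEMPTS)])
```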

Multiple File Server Client Networks

Many customers have segmented networks so that not every network is routable. This helps isolate security domains, such as keeping test and development environments independent of production. The challenge is, how do you provide data services to each of these networks without placing infrastructure, whether physical or virtual, within each of those networks? Every additional piece of infrastructure that needs to be deployed adds overhead for management, operations and ultimately security.

Nutanix Files now supports multiple networks that can be assigned to an individual File server cluster. This means you can deploy a single File Server that can be configured to talk to more than one network, in fact up to ten networks. For example, if an organization has four networks (N1, N2, N3 and N4), Nutanix Files can now, through a single deployed virtual file server, communicate with each of these networks. There is no need to deploy four different virtual or physical clusters. In addition, to further secure the deployment, you can configure network filtering within the file server for an added layer of security. This means that not only is the data secured through traditional share and file level permissions, you can also control at the network layer who is allowed to access the file shares. Like Enterprise WORM above, this extends the value of a feature and adds another potential layer of security against undesirable access, and may even help prevent malicious activity from spreading.

Those intent on unleashing malicious activities will continue to evolve their strategies, leverage new tools, and constantly look for weaknesses in the system. It can be a tiring and challenging endeavor to defend against this, so much so that it might make you WannaCry. Nutanix Files recognizes this and works to provide robust mechanisms to enable IT professionals to protect their data. No one product can do it alone, but by complementing and supporting your security needs, Nutanix with our Files and Data Lens solution can be part of a defense-in-depth strategy. Together we can help your data remain secure and in the same state you left it.

Additional Resources

This post was written by Marc Waldrop, Principal Product Manager

[1] Global Ransomware Damage Costs Predicted To Exceed $265 Billion By 2031

[2] The State of Ransomware 2021. A Sophos Whitepaper, April 2021

[3] The Cost of a Ransomware Attack, Part 2: Response & Recovery

[4] What is WannaCry ransomware?

© 2022 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo and all Nutanix product, feature and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. Other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s). This post may contain links to external websites that are not part of Nutanix. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such a site. Certain information contained in this post may relate to or be based on studies, publications, surveys and other data obtained from third-party sources and our own internal estimates and research. While we believe these third-party studies, publications, surveys and other data are reliable as of the date of this post, they have not been independently verified, and we make no representation as to the adequacy, fairness, accuracy, or completeness of any information obtained from third-party sources.

This post may contain express and implied forward-looking statements, which are not historical facts and are instead based on our current expectations, estimates and beliefs. The accuracy of such statements involves risks and uncertainties and depends upon future events, including those that may be beyond our control, and actual results may differ materially and adversely from those anticipated or implied by such statements. Any forward-looking statements included herein speak only as of the date hereof and, except as required by law, we assume no obligation to update or otherwise revise any of such forward-looking statements to reflect subsequent events or circumstances.

1 reply

These are exceptionally powerful features to unveil.

Combine with Smart DR for share level protection and easy roll back and suddenly you have a rapid response with low RPO&RTO as an action post detection to minimise the loss both in terms of what is harmed and moreover in productivity.