Nutanix Files 4.1 anti-ransomware: Through the Data Lens

We were very interested in understanding more about how the Nutanix Files v4.1 ransomware product works, so we sent a few questions over and Lee Caswell, SVP of product and solutions marketing at Nutanix, sent his answers back.

Blocks & Files: How does the ransomware detection work?  

Lee Caswell: Data Lens is a cloud-based data governance service that helps customers proactively assess and mitigate security risks. Data Lens applies real-time analytics and anomaly detection algorithms to unstructured data stored on the Nutanix Unified Storage platform. The service presents customers with a global risk view of their unstructured data with actionable insights specific to unusual access patterns, data age, and other contextual information, to gain a time advantage in responding to ransomware attacks and insider threats.

Real-time auditing software forwards Nutanix Unified Storage data events, including file reads, writes, renames, and deletes, to the Data Lens service over the Nutanix Pulse framework. Captured events are used to create audit trails, detect user-defined anomalies, and detect ransomware signature access patterns. Locally scanned metadata including file extension, file size, file MIME type and other attributes are also forwarded to Data Lens.

Data Lens maintains a list of known ransomware file signatures (file names and file extensions). It can automatically apply this list to the file blocking capabilities of Nutanix Files to prevent file create and rename events using those patterns. For customers interested in demonstrating compliance, Data Lens addresses auditing requirements and forensic analysis.

Blocks & Files: Is it a third-party scanner or one built by Nutanix?  

Lee Caswell: Data Lens is developed by Nutanix and the Nutanix scanner runs natively in the Unified Storage File server. 

Blocks & Files: How is it updated?  

Lee Caswell: Data Lens is a Software-as-a-Service offering that is updated transparently for customers. Updated ransomware file signatures are applied as validated to the blocking list of the file server in Data Lens releases which are managed by Nutanix.  

Blocks & Files: What ransomware attack patterns does it use?  

Lee Caswell: Ransomware threat detection capabilities are based on file signature blocking and audit pattern detection. Signature blocking applies a list of nearly 5,000 known signatures to the file blocking capabilities of Nutanix Files. Any file create or rename operation attempted by a client to one of those patterns is automatically blocked in real time.

Pattern detection is for unknown variants. Data Lens looks at incoming audit events and applies algorithms to see if any event pattern looks suspicious. Ransomware attacks typically follow a common pattern, for example, read, overwrite (encrypt), and rename. Another example is read, write (encrypted new file), and delete. Data Lens looks for these various patterns, and once detected, additionally then inspects the MIME type of the file. If the MIME type reflects a potentially encrypted file, Data Lens will mark the pattern as a ransomware attack.

Blocks & Files: Is machine learning involved? 

Lee Caswell: Data Lens uses algorithms to detect ransomware patterns; however, these patterns are not adaptive or based on machine learning.

Blocks & Files: If an attack is detected are the affected files identified? 

Lee Caswell: Yes, all files impacted by the attack are listed. The impacted file list can be downloaded to a .csv or .json file format for reporting or as a list for remediation.

Blocks & Files: Can they be rolled back to previous known good versions?  

Lee Caswell: Yes, Data Lens checks the file shares to ensure snapshots are enabled (Windows Previous Versions for SMB and .snapshot directories for NFS). Administrators are alerted if snapshots are not enabled for file shares. Impacted files can be rolled back to known good versions using these snapshots. Administrators or end users via self-service can perform the remediation. We are evaluating how Data Lens could provide automated remediation, although this is not currently available.

Blocks & Files: Are the affected files isolated? 

Lee Caswell: No, the files are not isolated by Data Lens today. Nutanix Files integrates with antivirus vendors for scanning offload.  AV vendors can request files to be quarantined as they are scanned, which would isolate the files.  

Blocks & Files: If an attack is detected are further activities from that source user or account halted until an all-clear is somehow generated? 

Lee Caswell: Yes, the user account and/or client associated with the attack can be automatically blocked from accessing the file shares. Blocking is configured by the user as part of policy definition and an administrator can later choose to unblock the user or client.  

Blocks & Files: If an attack is detected are alerts sent out? To whom and how? 

Lee Caswell: Yes, alerts are sent via email to a user-defined list of email addresses. Emails are sent on suspected ransomware events, notification of blocked users or clients, and on detection of user-defined anomaly rules.