How cyber resilient storage hardware can defeat ransomware

SPONSORED FEATURE: Ransomware is everywhere. The FBI and CISA just issued yet another advisory about it.

The costs associated with this type of cyber attack are huge. The 2024 Cost of a Data Breach report, conducted by Ponemon Institute and sponsored, analyzed and published by IBM, pegs the global average cost of a data breach at USD 4.88m.

The situation is so bad that the White House has just hosted its second multi-national task force meeting to address the problem. While that’s a laudable effort, it did not offer any concrete solutions to stem the flow of damaging attacks.

User education is often the go-to remedy for ransomware prevention. “Just get them to stop clicking those malicious links”, some experts say. Clearly, that alone isn’t enough. People are aware of the threat but infections and ransoms continue to grow.

What’s needed is a multi-layered defense. For some, that stops at appliances to scan email, police URL access, and monitor client devices. For IBM, that wasn’t enough. It had a bright idea: why not do it in storage?

IBM had already introduced elements of ransomware protection to its FlashSystem NVMe-based flash storage in 2022. IBM FlashSystem integrates with its cloud-based Storage Insights storage management and optimization system, which scans for anomalies and potential threats, enabling an organization to recover data from immutable snapshots in the event of a breach or data corruption.

Snapshots play an important part in this recovery process. A snapshot is a point-in-time image of a disk's data that is immutable: it can't be altered, it can't be deleted before its retention period expires, and it can't be directly mapped to a host, which makes it a reliable source for recovery.

Using its Safeguarded Copy feature, IBM adds the ability for the user to set access controls and retention policies to govern permissions around the snapshot management process. It also features an elevated security mode that requires two people to change or remove Safeguarded snapshots. This separation of duties makes it more difficult for any one person to subvert the system.
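The controls described above (read-only snapshots that cannot be mapped to a host, a retention period that blocks deletion, and two distinct approvers before a snapshot can be removed) can be modelled as a small policy state machine. The following is an added illustration written for this page, not IBM's Safeguarded Copy code; the class, the rule that two different approvers are required, the sample snapshot name and the dates are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Set


class PolicyViolation(Exception):
    """Raised when an operation would break the safeguarded-copy rules."""


@dataclass
class SafeguardedSnapshot:
    """Point-in-time copy that is read-only, cannot be mapped to a host, and
    can only be deleted after retention expires with two distinct approvers.
    (Assumed model of the controls the text describes, not IBM's implementation.)"""
    name: str
    created: datetime
    retention: timedelta
    data: bytes
    approvals: Set[str] = field(default_factory=set)
    deleted: bool = False

    @property
    def expires_at(self) -> datetime:
        return self.created + self.retention

    def write(self, _payload: bytes) -> None:
        raise PolicyViolation(f"{self.name}: safeguarded snapshots are immutable")

    def map_to_host(self, host: str) -> None:
        raise PolicyViolation(
            f"{self.name}: cannot be mapped to {host}; restore to a recovery volume instead")

    def restore(self, target_volume: str) -> dict:
        """Recovery path: copy the snapshot's contents into a fresh volume."""
        if self.deleted:
            raise PolicyViolation(f"{self.name}: snapshot has been deleted")
        return {"volume": target_volume, "source": self.name, "data": self.data}

    def approve_delete(self, user: str, now: datetime) -> bool:
        """Record one approval. The snapshot is removed only once two different
        people have approved AND retention has expired. Returns True when deleted."""
        if self.deleted:
            raise PolicyViolation(f"{self.name}: already deleted")
        if now < self.expires_at:
            raise PolicyViolation(f"{self.name}: retained until {self.expires_at.isoformat()}")
        self.approvals.add(user)  # a set: the same person approving twice still counts once
        if len(self.approvals) >= 2:
            self.deleted = True
        return self.deleted


def demo() -> dict:
    """Exercise the rules with constructed times, users and a constructed snapshot."""
    t0 = datetime(2024, 9, 1, tzinfo=timezone.utc)
    snap = SafeguardedSnapshot("vol0-sgc-001", t0, timedelta(days=30), b"customer-db-image")
    outcome = {}
    attempts = (
        ("write", lambda: snap.write(b"x")),
        ("map", lambda: snap.map_to_host("esx-01")),
        ("early_delete", lambda: snap.approve_delete("alice", t0 + timedelta(days=1))),
    )
    for op, fn in attempts:
        try:
            fn()
            outcome[op] = "allowed"
        except PolicyViolation:
            outcome[op] = "blocked"
    outcome["restore"] = snap.restore("vol0-recovery")["source"]  # recovery is always allowed
    after = t0 + timedelta(days=31)                                # retention has expired
    outcome["alice_once"] = snap.approve_delete("alice", after)    # one approver: kept
    outcome["alice_twice"] = snap.approve_delete("alice", after)   # same approver again: kept
    outcome["bob_second"] = snap.approve_delete("bob", after)      # second person: deleted
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the separation-of-duties rule is that a single compromised or malicious administrator account cannot both expire and remove the recovery copies; the approvals set makes a repeated approval from the same identity a no-op, and retention is checked before any approval is even recorded.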

In 2022 IBM announced Storage Sentinel, a system that complements Storage Insights. It scans snapshots to identify signs of corruption by ransomware and tags those that pass as validated, verified restore points. Armed with this information, IT staff can quickly find clean data copies to restore from without reintroducing the ransomware. Sentinel is now part of IBM's software suite for data resiliency, Storage Defender.

The next step: Computational storage

While these features and offerings can help shave valuable time from the recovery process, IBM wanted to go further by moving threat detection as close as possible to the point of the ransomware attack in the storage ecosystem. For that, it turned to its computational storage technology, the IBM FlashCore Module.

There’s only so much extra computational muscle that you can squeeze into a server CPU with each iteration. Storage devices are good places for handling storage-specific tasks, and so moving storage-related computing operations into the FlashSystem’s FlashCore Module seemed like a no-brainer, explains Philip Clark, Program Director for FlashSystem at IBM. This is the idea behind computational storage.

IBM has already moved basic functions such as encryption and compression into the flash drive, offloading them from the storage controller. That improves the efficiency of IBM's storage, but the company felt it could go further and make FlashSystem part of a broader drive for cyber resilience. Why not move some of the ransomware scanning into the storage devices themselves?

“The whole area of cyber resilience has really become an important focus not just in FlashSystem, but across IBM,” Clark says. Teams across IBM with functions from security to mainframes share cyber resilience knowledge and technology between them.

Computational storage gave IBM an option to put some added value into flash storage, which was becoming a more commodity product category. “Having some pretty unique technologies to address this has been something that stood out as not just the run of the mill technology,” Clark says, explaining that it has moved the endgame for computational storage beyond mere I/O efficiency.

“We’ve gone beyond speeds and feeds to having a much broader story.”

Scanning incoming data for ransomware signals was an obvious choice. It allowed IBM to look for digital toxins at the block level rather than the file level targeted by more traditional malware and ransomware scanning solutions.
“Where we’re doing it, at the block level in the raw operating system, is unique,” he says. “We’re not just reading the bits and then comparing it to an existing database scanner, we’re processing each IO pattern in real time, right as they’re coming in.”

Watching for suspicious bits

IBM’s Storage Insights observability platform already had the ability to detect some suspicious signals by looking for changes in compression and entropy statistics. In February 2024, IBM enhanced the ARM-based FlashCore Module in the FlashSystem to power its inline ransomware threat detection capability.

Hardware-assisted computational storage makes it easier to manage ransomware scanning across a growing storage ecosystem. Scaling out traditional server-based file system-level scanning can mean adding more of those servers to the rack. The FlashSystem storage hardware scales its scanning capabilities automatically because every additional drive comes with its own computing capabilities built in. Even though these drives search for ransomware anomalies independently, they can be combined into a single management system for visibility and convenience, Clark adds.

The ransomware detection algorithm is based on machine learning. The model is trained on IBM's servers, but inference runs entirely in the FlashSystem hardware. The FlashCore Module collects and aggregates samples of what is happening to the data and passes them to the inference engine every two seconds. It can trigger a ransomware alert after six samples, which translates into raising the alarm as little as twelve seconds after the malicious writes begin.
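The two signals named earlier (compression ratio and entropy of the incoming data) and the sampling cadence described here can be put together into a working block-level heuristic. The code below is an added example written for this page; it is not IBM's FlashCore Module model or any code from IBM. It computes per-block Shannon entropy and zlib compressibility, aggregates each two-second interval into the fraction of blocks that look encrypted, and alerts when six consecutive intervals are dominated by such writes. The thresholds, the block size, the toy XOR "cipher" standing in for real ransomware output, and all sample data are constructed assumptions.

```python
import hashlib
import math
import zlib
from collections import deque
from typing import List, Optional

BLOCK = 4096
SAMPLE_SECONDS = 2       # page: samples are handed to the inference engine every two seconds
WINDOW = 6               # page: an alert can fire after six samples
ENTROPY_HIGH = 7.5       # assumed threshold (bits/byte); encrypted output sits close to 8.0
RATIO_LOW = 0.95         # assumed: compressed/raw size; encrypted data does not compress
SUSPECT_FRACTION = 0.5   # assumed: an interval is suspect if half its blocks look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def compress_ratio(data: bytes) -> float:
    """zlib compressed size over raw size; about 1.0 means incompressible."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 1)) / len(data)


def looks_encrypted(block: bytes) -> bool:
    return shannon_entropy(block) >= ENTROPY_HIGH and compress_ratio(block) >= RATIO_LOW


def suspect_fraction(blocks: List[bytes]) -> float:
    """Share of the blocks written in one interval that look like cipher output."""
    if not blocks:
        return 0.0
    return sum(looks_encrypted(b) for b in blocks) / len(blocks)


class WriteMonitor:
    """Sliding window over per-interval statistics; alerts when WINDOW consecutive
    intervals are dominated by encrypted-looking writes."""

    def __init__(self) -> None:
        self.history: deque = deque(maxlen=WINDOW)
        self.samples_seen = 0

    def observe(self, blocks: List[bytes]) -> bool:
        self.samples_seen += 1
        self.history.append(suspect_fraction(blocks))
        return len(self.history) == WINDOW and all(f >= SUSPECT_FRACTION for f in self.history)


# ---- constructed sample data (not captured from any real system) ----
def keystream(seed: bytes, n: int) -> bytes:
    """Deterministic pseudo-random bytes: SHA-256 in counter mode (demo only)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR with a hash keystream, standing in for the ransomware's real cipher. NOT secure."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


DOC_BLOCK = (b"Quarterly revenue figures, see attached spreadsheet for detail. " * 64)[:BLOCK]
ARCHIVE_BLOCK = keystream(b"already-compressed-zip", BLOCK)  # legitimate high-entropy data
ENC_BLOCK = toy_encrypt(DOC_BLOCK, b"ransomware-key")


def simulate() -> Optional[int]:
    """Six quiet intervals (documents plus two archive blocks), then an encryption run.
    Returns the 1-based sample number at which the alert fires, or None."""
    monitor = WriteMonitor()
    quiet = [DOC_BLOCK] * 6 + [ARCHIVE_BLOCK] * 2   # 25% high-entropy: normal backup traffic
    attack = [ENC_BLOCK] * 6 + [DOC_BLOCK] * 2      # 75% cipher output: files being encrypted
    for _ in range(6):
        if monitor.observe(quiet):
            return monitor.samples_seen
    for _ in range(10):
        if monitor.observe(attack):
            return monitor.samples_seen
    return None


if __name__ == "__main__":
    n = simulate()
    print(f"alert at sample {n}, {SAMPLE_SECONDS * (n - 6)} s after encryption began")
```

With these constructed inputs the alert fires at sample 12, i.e. twelve seconds after the encryption run starts, which is the page's arithmetic of six samples at two-second intervals. The two archive blocks in the quiet intervals show why the decision is made on a fraction of blocks over a window rather than on any single write: already-compressed or encrypted data (archives, media, encrypted databases) is the classic false positive for entropy-based detection, which is exactly the class of misfire the text later says is fed back into retraining.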

IBM updates the inference model regularly, either automatically or on demand, as it retrains the model on newly emerging malware patterns. The AI isn't scanning for individual ransomware hashes. Instead, it detects the patterns that ransomware activity leaves on data, even when it hasn't seen that specific ransomware before.

When a detection turns out to be a false positive, information about it can be sent back for further training, but that data isn't an actual file with business-related content. Instead, it's statistical data about block-level activity, which lets IBM retrain the model without compromising client privacy.

Sounding the alarm early

This in-drive ransomware scanning function doesn’t need to replace traditional file system-level scans. It’s a different animal altogether. File system scans have the advantage of context, because they can focus on file-level content and metadata. What block-level scanning lacks in that area it makes up for in responsiveness. Together, the two form a powerful anti-ransomware proposition.

Companies can take days or weeks to find out about an attack that is identified at the file system level. Introducing another layer of defense closer to the storage and scanning at a lower level demands a different kind of scan that doesn’t rely on the context of a file. It heightens sensitivity to attacks and increases the chance of catching a nascent ransomware threat. “An early warning system is ideal,” Clark says.

That early warning is all very well, but only if it goes somewhere and something gets done. Integration with external systems is key, and IBM accomplishes this in a couple of ways. At the most basic level, FlashSystem can be integrated with anything that supports syslog, meaning that any such tool can read its warnings about malicious data.

Beyond that, IBM's integration with Storage Insights and Storage Defender means that administrators can create automated recovery processes that run when FlashSystem triggers an alert. Storage Insights is engineered to restore a snapshot quickly to minimize downtime from a malware infection. The security team still has to contain and eliminate the infection, but the storage software also integrates with third-party tools to help with that process.

Webhooks from Storage Insights let other programs receive its alerts in near real time. IT service management tools can subscribe to them and get structured information about block-level events that feeds straight into their monitoring and operations systems. Webhooks let FlashSystem talk to a range of systems, from SIEMs (including IBM's own QRadar) to file scanning tools, and surface suspicious events as they happen.

Ransomware recovery in action

This in-drive detection capability surprised Sam Wheatley, a technical presales consultant at Swedish value-added distributor TD Synnex. He took the FlashSystem model 5300 for a spin, loading up a virtual machine with PDF and Excel files and then letting the REvil ransomware loose on the sandboxed system. He noticed alerts lighting up Storage Insights right away with reports of mass decompression and encryption activities.

“With fast ransomware threat detection alerting, you have a chance to save data before it gets encrypted,” he says. “Imagine the relevant data that you could save instead of having to restore terabytes of potentially infected data after the fact in an attempt to find it.”

In the fight against ransomware, the time it takes to detect an attack can impact the cost and effort of remediation. The closer you can get to the point of malicious encryption and take action, the fewer headaches you’ll have later.

Computational storage is a novel way to close the gap to the point of malicious encryption. Its integration with the rest of the storage management ecosystem, and beyond, makes it possible to trigger automated responses along the incident response chain.

Will we eliminate ransomware as a major threat anytime soon? Keep wishing. But at least with more responsive detection systems, businesses can mitigate the impact of the threat when it does strike.

Sponsored by IBM.