Reading Time: 13minutes IN THIS WHITE PAPER Ransomware attacks increasingly target data environments such as backup and storage systems. Cybercriminals see this threat vector as both…
Reading Time: 13minutes
IN THIS WHITE PAPER
Ransomware attacks increasingly target data environments such as backup and storage systems. Cybercriminals see this threat vector as both exceptionally profitable and vulnerable, and there is enormous pressure to return to normal as quickly as possible when data has been locked.
Varonis and Panzura provide a ransomware defense that goes to the heart of the data environment itself.
The Panzura global file system offers protection and recovery by way of its underlying immutability, derived from methods for writing to object stores, meant to speed up access to files. This makes data impervious to encryption and prevents ransomware from impacting any of the data held in the system.
Catching ransomware that perimeter security alone does not detect, Varonis can identify and lock down access controls, as well as overexposed sensitive data that attackers could exploit. This impedes ransomware inside the Panzura global file system, as well as with other servers, NAS, and core IT resources.
This white paper examines how Panzura and Varonis have teamed up to deliver a more resilient data protection and recovery architecture. The authors discuss how the technology shields data, applications and workloads in the cloud, augmented by built-in AIdriven data analytics. They also review vulnerabilities that could lead to an attack, and countermeasures to stop ransomware cold.
Information security has always been a delicate balancing act. Organizations struggle to achieve a careful equilibrium between ease-of-use, data access, and governance— ensuring that the right people have access to the right data at the right time. While risk can never be fully eliminated, implementation of data security controls for both protection and recovery, as well as perimeter and endpoint defenses, are vital to securing an organization’s information assets, as well as its reputation and legal exposure.
Putting out a proverbial “welcome mat” by exposing access credentials, deliberately or accidentally, poses an inside threat commensurate with malicious outsiders. The enterprise faces an ongoing dilemma from accidental breach by users with poor password hygiene, as much as it does from organized cybercriminals and state actors intent on hit-and-run data theft, and sophisticated extortion schemes such as ransomware.
Disconnecting a network from the internet, while it may seem like a prudent measure, is as shortsighted as expecting everyone in an organization to follow responsible data access, management and usage procedures. Quite simply, it is a flawed business decision that turns companies, workflows and employees into an operational island surrounded by a web of competition It also renders digital transformation—leveraging the full potential of data, especially vast repositories of unstructured data which represent more than 80% of information held by large companies—impossible.
Nonetheless, more and more companies are actually considering cutting off their data infrastructure from the fast lane to competitive advantage in response to the real and growing attack surface. It’s an unacceptable tradeoff. Consider that a recent report from Philips and CyberMDX indicates nearly half of U.S. hospitals have disconnected their networks in the past six months due to ransomware.
Research from Gartner reveals that by 2025, three-quarters of IT organizations will be hit by one or more attacks, which is a massive sevenfold uptick from 2020 figures. More concerning from the vantage point of CISOs, and the c-suite in general, is that these attacks increasingly target backup data and Administrator functions, which are typically considered the last line of defense.
However, immutable data protection has emerged as a powerful remedy. The Panzura global file system is recognized as a definitional solution in this regard, having been engineered from the start with data resiliency in mind.
While this has always been a foundational element of the Panzura global file system, meant to protect data from inadvertent overwriting or deletion, it is now being adopted at pace by enterprise companies and large organizations looking to ensure data cannot be compromised or encrypted by malicious payloads.
In the case of attack, for instance, data held in the Panzura system can be reverted in a matter of mere minutes all the way to the level of individual files, complete directories, or the entire file system itself—with no data loss whatsoever.
The agility and total security of the Panzura global file system has been well-publicized and verified. When a regional hospital in Illinois was hit by a ransomware attack, their entire IT infrastructure went down. The healthcare facility used automated data protection, backup, and disaster recovery capabilities in the Panzura global file system to quickly restore files to a pre-attack state and undo unauthorized data encryption. Data was restored to previous, clean versions in less than 15 minutes.
In another documented incident, Applied Software, a managed service provider of Autodesk programs and other applications primarily focused on the architecture, engineering and construction industries, saw parts of its own network attacked by a Thor ransomware injected via a rogue PDF file. Panzura allowed the IT team to quarantine infected files and recover them near instantaneously to the version auto-saved a few minutes before the incursion.
While most organizations are understandably reluctant to divulge that they have been subject to an attack, they are universally exposed to the ever-multiplying potential points of entry of the attack surface. Moreover, and perhaps more importantly, they must take into account all of the data and systems that may be affected, and the full amount of damage that a single compromised user can cause, as the full potential “blast radius”.
The Attack Surface.
Illustration 1. offers a bird’s eye view of a hybrid multi-cloud global file system architecture which, when deployed as shown, protects network environments from ransomware. It also provides the inherent capability of making file access seamless to users meaning the “welcome mat” is eliminated without cutting off the enterprise from the outside world.
How Varonis helps
Varonis does not install or run anything on a client to monitor for ransomware activity. Rather, it analyzes data, email, and Active Directory behavior in context with perimeter activity from VPN, DNS, and web proxies as means of detecting signs of compromise throughout an attack.
Often, early indications of command and control, reconnaissance, and lateral movement are precursors to unusual data access, exfiltration, and encryption (which Varonis picks up on the servers themselves).
Varonis can automatically identify privileged accounts like service accounts, admins, or executives, and monitor for suspicious activity like privilege escalation. Varonis puts activity from both on-premises and cloud data repositories in a single interface, helping to speed up investigations.
How Panzura helps
Varonis integrates with Panzura to provide contextual performance-based alerts on anomalous user activity in the Panzura global file system. As previously discussed, this makes it possible to augment Varonis with a unified view and dashboard management of the global file system, both onpremises and at the cloud edge. Initial access to data typically occurs at the client-user level, either through email phishing or any numerous other ways to steal credentials or inject unauthorized code into a network.
When an alert is delivered by Varonis, users can use Panzura Data Services (“Data Services”) to search that user’s activity throughout the global file system—such as details on individual files, specific directories, or permission touchpoints—and pull all of this information up almost immediately.
Recently, by way of anecdote, one Data Services wildcard search served 800,000 results in a matter of seconds. This type of powerful, advanced search and analysis can be applied to the entire cloud network.
How Varonis helps
Varonis monitors all file system activity on file servers and storage appliances, analyzes permissions, classifies data, and employs behaviorbased threat models to detect and provide alerts on any meaningful deviation that may indicate compromise by ransomware.
Varonis proactively reduces the blast radius for any potentially compromised system or user by automatically remediating overly permissive access controls and enforcing a zero-trust model. When users and systems have access to only what they need, it makes it harder for an attacker to access sensitive data without detection as they escalate privileges and move laterally.
When anomalous or suspicious behavior is detected, such as accessing an unusual amount of sensitive data or modifying files in a way that resembles encryption, Varonis can automatically terminate a user session to stop the suspected attackers in their tracks.
In the event of ransomware infection, Varonis logs a full audit trail of the data that the compromised account has accessed or modified, in context with the user’s role and working profile, data sensitivity, authentication and internet activity, thus allowing for quick assessment of the damage and reduced recovery time.
How Panzura helps
Working in parallel with Varonis, Panzura Data Services provides an ML- and AI-driven data analytics layer that is fully integrated with the Panzura global file system. This built-in SaaS-based logic platform is unavailable with any competitive solution, and allows organizations to apply advanced cloudbased AI and ML analysis, using intelligent and elastic search, audit and file network logic, over an entire cloud file-storage infrastructure.
Data Services is the engine behind Panzura’s ability to deliver sophisticated security, performance and activity alerts, along with tools for IT admins to fully diagnose and troubleshoot their environment. It can track and audit which files and directories have been accessed, opened, changed or even deleted.
Additionally, Data Services will track if a threat-actor changes or deletes file permissions. For example, one tactic employed by adversaries is to attempt to execute malicious code by interacting with or creating system services on servers. If a non-admin user’s activity is connected to any global file system processes, Data Services can rapidly pull up all of the activity in the global file system for that specific user, allowing administrators to mitigate potential system compromise by restricting file and directory permissions in real time.
The Data Services layer provided by Panzura also makes it possible to search for activity according to an individual user, or for a specific file type according to a file size range, as well as within a specific date range. Options to customize searches in multiple ways make it easier to produce fast results and insights so mitigation strategies can be applied quickly and at scale.
The Panzura global file system is deployed on-premises via a CloudFS virtual machine inside of VMware or HyperV. These are merely a virtualization or emulation of a computer system running software applications, and may be susceptible to ransomware attacks themselves. As a result, the virtual machine may be locked to users or encrypted at the hypervisor level, or even individually at the CloudFS level.
Either way, any CloudFS location—servers at the edge that integrate primary storage, cloud storage, back-up, versioning, and WAN acceleration—could consequently be knocked out. However, even in these cases, the file system itself has yet to be impacted, and while a particular location may be down for the count, there are several countermeasures which Panzura employs to ensure that an on-premises implementation remains unaffected.
As Illustration 1 shows, there are two CloudFS instances in each location.
Should one go down, get encrypted, catch fire or otherwise become incapacitated, the other location, assuming the CloudFS instance was not
also on the affected machine, will quickly take over.
In fact, a downed virtual machine has no impact on the global file system itself, as Panzura keeps all data and metadata on the backend object store. Should a location become completely corrupted, administrators can simply redeploy the Panzura template, point it to the object store, and the system will upload the original state once again.
While these examples represent on-premises implementations, cloud implementations are not remarkably different. Panzura supports the most pervasive hyperscalers, and directly from the marketplaces of the major cloud providers.
All that is necessary is to bring up a Panzura instance, as well as a highavailability (HA) instance. Should one become unavailable, the other will take its place. There is, therefore, significantly less probability of an outage. This is because Panzura offers true cloud redundancy via its powerful cloudmirroring capabilities, while users of competitive unified NAS providers are crippled when primary cloud storage goes offline.
Should a data center become completely corrupted within a region, and time is expended rebuilding an environment, it is crucial to know what happens to the files for which locks were “owned” by the CloudFS instances that went down.
Panzura has no single point-of- failure with file locking that ensures alwayson data consistency. When central file locking fails, which often happens with inferior unified NAS solutions, the entire Panzura system reverts to read-only. This is achieved through Panzura’s unique concept of a global HA node. This type of backup can be located anywhere, and can take the place of a virtual machine in a region that is no longer reachable.
When necessary, it takes ownership of the cohort’s lock management, so that those files may be accessed, and global file system usage everywhere else is uninterrupted.
The benefit is that, in the event of an attack at the hypervisor level, data will not be lost. Given the two types of high availability offered with Panzura, both free of charge, an organization can have confidence that a ransomware incursion will be minimally impactful, and data is fully protected from corruption, encryption or deletion.
A cloud or on-premises object store serves as the back end for the Panzura global file system. The example in Illustration 1 is a cloud-based object store, however on-premises versions can be made just as resilient, with a few minimal architecture modifications.
There are two conceivable attacks on the object storage. Firstly, an attack can come from the front via the file system itself, or secondly, from the side via an attack directly on the object store through cloud consoles.
From the Front
In this scenario, a credentialed user with file system permissions, which has become the victim of ransomware, innocently logs into the network and sets a ransomware payload free inside network boundaries. The ransomware locates the global file system and begins to methodically encrypt its way through files and directories.
Since the back end of the Panzura global file system consists of an actual object store, the data is committed as encrypted “garbage” just as the attackers planned. However, because Panzura is built on an immutable data architecture, it commits deltas (or block changes) over the lifetime of each file.
Moreover, once a ransomware begins to access and encrypt an unusual amount of data in the file system, as previously discussed, Varonis threat models will pick up this anomalous behavior by comparing it against the compromised user’s established baseline.
It then alerts admins to the attack, and through the use of PowerShell commands, automated responses can be configured in Varonis to shut down the attack as soon as it is detected, mitigating any potential damage.
Consequently, when the user of an encrypted file attempts to open it, and receives an anonymous message about paying a ransom, they can simply revert the file back to the previous version.
This is done via Microsoft VSS by right-clicking on the file in question. The next step is to go to properties, select the previous version and—Voila!—recovery is instantaneous and downtime is reduced to no more than minutes
Once an attack has been halted, files held in the global file system have been restored, and an organization is back to work, the next step is typically to restore other general IT systems—those that did not archive data in the Panzura system—from backup tapes or other backup repositories, following the incident.
But Panzura can also make this long night of work a little easier with Panzura Data Services. Previously discussed in this white paper, Data Services can help automate recovery of affected files via an audit log, elastic search, and other technology which has been put in place to assist with such events.
Varonis can detect, mitigate, and audit impact both inside the Panzura global file system, as well as with other on premises and cloud file systems.
Recovery and clone functionality within Panzura Data Services can be used not only to restore data quickly and easily, but it is also useful should an IT department choose to recover data but do not want to restore it to its original location. After an IoC, for example, the security team may still need to run post-mortem assess ments and analysis. With recovery and clone, it is possible to restore data to a different location so quick access to the original data can be achieved while audits are conducted in the background.
Cloud mirroring provides an added layer of protection and control using writesplits to two object storage targets—a primary, and a secondary. Should the primary fail, or become the target of an attack by internal or external bad actors, then an administrator would need only to fail the environment over to the second object storage target to circumvent the exploit.
Once control over the primary environment has been regained, the Panzura files can be re-synced. Incidentally, it is fortunate that cloud vendors do not charge for ingress.
THE BLAST RADIUS
This section explores details of attacks on the client, server, cloud, and known MITRE ATT&CK mitigation strategies. Both Varonis and Panzura can help with detection and recovery, and the following discussion outlines tactics around initial access, recon and foothold, privilege escalation, and impact. Together with Varonis and Panzura, it is feasible to compare and map a threat-actor’s activity with the MITRE ATT&CK framework:
Keep a full audit trail of time-stamped file activity
Map out what servers have been touched by the threat actor
Identify the folder to which files have been uploaded
Reveal who has permissions to access recently uploaded files
Utilize deep analytics to reveal how your storage footprint is changing and who is causing it
Run our time-stamped results against your timeline; Provide evidence as needed
Alert on unexpectedly high CPU load, memory load, or cache misses
Use File Audit to narrow a search to find damaged files, as well as the compromised user account
Again, this is meant to broaden understanding of what is involved in the meticulous balance of security with ease of use. Panzura and Varonis are committed to ensuring a secure and usable file system environment so people can quickly and effortlessly get back to work, no matter what threats may arise.
Learn About Panzura
Panzura helps enterprise companies take advantage of the cloud’s benefits regardless of where data or users are located. Panzura’s cloud data management capabilities drammatically reduce hybrid-cloud complexity, and simplify data storage management, while speeding up access and analysis for applications and users.
The Panzura global file system is 70% cheaper to own and operate than legacy storage and other solutions. It provides unrivaled efficiency, stability and edge performance especially at scale. Immutable security delivers permanent, at-scale data resilience for the hybrid multi-cloud with the highest level of protection and recovery against ransomware and other threats.
With an industry-leading Net Promoter Score of 87, Panzura provides the highest calibre customer support and services. It’s an open-and-shut case when it comes to the competition because Panzura’s award-winning technology outperforms at every level.
Learn About Varonis
Varonis is a pioneer in data security and analytics, fighting a different battle than conventional cyber-security companies. Varonis focuses on protecting enterprise data: sensitive files and emails;confidential customer, patient and employee data; financial records; strategic and product plans; and other intellectual property.
The Varonis Data Security Platform detects cyberthreats from both internal and external actors by analyzing data, account activity and user behavior; prevents and limits disaster by locking down sensitive and stale data; and efficiently sustains a secure state with automation.
Varonis products address additional important use cases including data protection, data governance, zero trust, compliance, data privacy, classification and threat detection and response. Varonis started operations in 2005 and has customers spanning leading firms in the financial services, public, healthcare, industrial, insurance, energy and utilities, technology, consumer and retail, media and entertainment and education sectors.