This GigaOm Research Reprint Expires Aug 24, 2024

GigaOm Sonar Report for Block-Based Primary Storage Ransomware Protection v2.0

An Exploration of Cutting-Edge Solutions and Technologies

1. Summary

Ransomware is a specific type of malware that encrypts data assets on primary storage systems—including file shares, databases, disk partitions, data volumes, backup systems, and repositories—making them inaccessible unless the victim pays an extortion fee. Ransomware is highly optimized to spread across organizations via networks and infrastructure systems through methods similar to Trojan malware attacks. The ransomware payload is embedded in a file that looks legitimate and is triggered by an unsuspecting user opening the infected file. Usually, it will spread across the environment by taking advantage of user credentials, along with documented and undocumented exploits, bypassing the limited access scope of a user. Thus, ransomware protection is a transversal, cross-stack topic of discussion across organizations.

Ransomware attacks can impact file- and block-based primary storage solutions alike:

  • File-based ransomware attacks are the most pervasive. Advanced file-based ransomware implementations use a combination of techniques to remain unnoticed and spread silently. For example, they may start encryption activities a few weeks or months after a system has been infiltrated, or they may first target dormant files that haven’t been accessed for a long time.
  • Block-based ransomware attacks, while less common, can be even more damaging. Ransomware encrypts entire data volumes, making recovery much harder than for file-based attacks. The entire volume must be recovered, which offers less granularity and fewer recovery prioritization options than for file-based recovery activities. These attacks, however, are quicker and easier to detect because once a volume is encrypted, all read/write operations become impossible.

One Sonar report focuses on ransomware protection solutions available for file-based—or network attached storage (NAS)—primary storage systems; a sister report covers solutions for block-based primary storage.

Figure 1 shows the vendors and primary storage systems covered in each report.

Figure 1. Vendors Included in Each GigaOm Sonar for Primary Storage Ransomware Protection

Although dedicated out-of-band ransomware protection solutions exist, organizations should not underestimate the benefits of in-band ransomware protection capabilities embedded in NAS and block-based solutions. The most effective mitigations include a combination of in-band and out-of-band capabilities, but for smaller businesses or very cost-conscious organizations, NAS and block-based ransomware protection solutions constitute an important first line of defense.

Benefits of ransomware protection on NAS and block-based solutions include:

  • Faster recovery from a ransomware attack than backup restores can provide, usually measured in minutes instead of hours or days, thanks to snapshots. This quick recovery is particularly crucial for mission-critical applications that can’t withstand prolonged downtimes.
  • Greater ease of use delivered because reverting to a healthy snapshot takes considerably less effort than identifying and orchestrating data recovery from a data protection platform.
  • Cost-effective protection and recovery operations: NAS and block-based ransomware protection solutions are usually provided at no cost and deliver a very effective protection layer. Furthermore, fast local recovery using these built-in ransomware protection capabilities is cheaper than recovery using data protection systems, from both an elapsed time and a human effort perspective. In addition, organizations avoid paying any potential egress transfer fees when restoring from the cloud.

These GigaOm Sonars provide an overview of file-based and block-based primary storage ransomware protection vendors and their available offerings, equipping IT decision-makers with the information they need to select the best solution for their business and use case requirements.

About the GigaOm Sonar Report

This GigaOm report focuses on emerging technologies and market segments. It helps organizations of all sizes to understand a new technology, its strengths and its weaknesses, and how it can fit into the overall IT strategy. The report is organized into five sections:

Overview: An overview of the technology, its major benefits, and possible use cases, as well as an exploration of product implementations already available in the market.

Considerations for Adoption: An analysis of the potential risks and benefits of introducing products based on this technology in an enterprise IT scenario. We look at table stakes and key differentiating features, as well as considerations for how to integrate the new product into the existing environment.

GigaOm Sonar Chart: A graphical representation of the market and its most important players, focused on their value proposition and their roadmap for the future.

Vendor Insights: A breakdown of each vendor’s offering in the sector, scored across key characteristics for enterprise adoption.

Near-Term Roadmap: A 12- to 18-month forecast of the future development of the technology, its ecosystem, and major players of this market segment.

2. Overview

How We Got Here

Ransomware attacks have become a prevalent and persistent threat for organizations across all varieties and sizes of businesses. While these attacks made headlines a few years ago, they’ve now become so widespread that only the most spectacular cases are mentioned in the news media today.

Organizations assess business risk by evaluating the probability of an event occurring and correlating this probability with the extent of possible damage, usually through a risk assessment matrix. The impact can be diverse, ranging from negligible to widespread, but regardless of the physical manifestation, outcomes are generally summed up in three categories: financial (loss of revenue), regulatory (increased scrutiny, fines, and, eventually, the loss of license for regulated businesses), and reputational (loss of trust by customers).

Ransomware is particularly concerning for organizations because it combines a high probability of happening with a widespread impact, not only in terms of locations and systems affected but also in terms of damage. Ransomware can bring businesses and government agencies to their knees, forcing them to choose between paying a hefty ransom or the risk of losing production capacity and revenue for weeks, if not months.

Ransomware does not discriminate among infrastructure layers; once in, it attempts to encrypt all of an organization’s assets within reach, which is why proper segmentation of access and networks is important. Organizations usually implement several data protection layers, including backups and disaster recovery, security at the network layer, and authentication mechanisms that reduce the attack surface. However, relying solely on backups should be avoided for the following reasons:

  • Primary data is the most up-to-date data available in the organization. Large enterprises can have a significant delta between production data and data backups, especially if the data has elevated change rates.
  • Losing primary data and having to restore it from data protection platforms is a time-intensive process, limited by the throughput of the backup media and network bandwidth, especially if protected data resides on the cloud.
  • For cloud-based data protection, data retrieval could incur egress transfer fees, which can add up quickly as more data and systems need to be recovered.

Primary data is the first point of impact for ransomware attacks, so it’s advisable to implement primary storage solutions that incorporate ransomware protection. Timely identification, alerting, and mitigation are preferable to dealing with the aftermath of a ransomware attack and its severe financial, regulatory, and reputational impacts.

Block-Based Primary Storage for Ransomware Protection

Even if block storage systems are not primary vectors of ransomware spread, they are still targets for ransomware:

  • Block storage often serves large virtualization environments and mission-critical applications.
  • VMs running on block storage can be impacted at the operating system layer by ransomware, with volumes getting encrypted and becoming unreadable.
  • Side attacks using credential theft can enable an attacker to gain access to block storage, allowing them to delete snapshots, thus depriving organizations of the ability to revert to a healthy state.

Without proper controls, such as segmentation of data, least-privilege access, and stringent permissions, block storage repositories become easy targets for the unchecked spread of ransomware.

Solution Components

The goal of ransomware protection on primary storage is to act as the first line of defense by mitigating threats and ensuring primary data remains protected, thereby ensuring continuity of operations. Primary storage solutions can provide ransomware protection in various ways, from the very simple to the most advanced.

Immutable snapshots provide the most basic level of protection. These allow administrators to revert to a healthy state if data is compromised by ransomware. While foundational for ransomware protection, this feature is reactive and doesn’t provide proactive insights. It’s only after the environment has been hit and the ransomware detected that administrators can use immutable snapshots to recover from the attack.

Combining immutable snapshots with other techniques, such as replication, provides an intermediary level of protection. In this case, snapshot data is replicated to a dedicated, isolated system or to the cloud. Additional capabilities, such as basic detection and snapshot recovery orchestration, may also be included.

The most advanced implementations provide sophisticated ransomware identification algorithms trained using AI/ML models. They’re able to analyze a broad range of patterns and anomalous behaviors and correlate seemingly isolated incidents to identify potentially harmful scenarios. These detection patterns include usual activity times in a given geographic area, data types typically accessed and user access patterns, and large-scale file operations across folders and shares. In addition, advanced solutions implement proactive mitigation strategies, such as the identification of systems and accounts that are the source of these changes, the ability to revoke access of potentially impacted users and systems, and the possibility of cutting off access to parts or all of the affected file systems. Finally, these solutions integrate with monitoring and AIOps platforms, providing comprehensive alerting and active mitigation options.

Ransomware creators implement various techniques to avoid immediate detection. For example, ransomware can make its way into an organization’s environment but stay dormant for weeks or months. It can also perform staggered activities, affecting only a few files at a time, usually those that haven’t been accessed for months or years. However, this focus on old files, unnoticed by humans, is easy for the storage platform to detect.

Finally, some ransomware creators are also implementing partial encryption to evade recognition via indirect observation metrics such as sudden drops in data compression rates combined with steep increases in data change rates. Advanced attacks have been reported that include injecting storage drivers into the operating system layer: data is encrypted in the back end, at the block storage logical unit number (LUN) level, but the storage driver decrypts data and transparently provides access to it until the attacker enables a kill switch and completely disables data access.

With the growth of ransomware protection solutions and the increased focus on proactive monitoring, the concept of encrypting old files first in an indiscriminate manner is losing its appeal and may make room for random patterns that are more difficult to identify. On the other hand, AI-based ransomware protection solutions are regularly updated and trained to catch up with new threat models and identify them.

Market Segment

To better understand the market and vendor positioning, we assess how well block-based primary storage solutions with integrated ransomware protection are positioned to serve specific market segments (Table 1). Note that we’re looking only at ransomware capabilities offered by primary storage vendors, not at dedicated, standalone ransomware protection solutions.

  • Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies, including departmental use cases in large enterprises. For these use cases, the solution should provide a turnkey experience and a complete feature set suited to the IT generalist. The solution should compensate for the limited resources of these organizations and the unavailability of dedicated personnel, such as IT specialists or information security experts.
  • Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category focus on the feature set depth and integration with existing enterprise tools, such as data protection solutions, information security tools, AIOps, and IT service management (ITSM) platforms. Scalability and flexibility are key to successful enterprise adoption.

Table 1. Market Segment

Market segments assessed (columns): SMB; Large Enterprise
Vendors assessed (rows): DDN, Dell Technologies, Hitachi Vantara, HPE, IBM, Infinidat, NetApp, Nutanix, Pure Storage, StorONE
(Per-vendor ratings are not preserved in this text version.)

Rating scale:
  • Exceptional: Outstanding focus and execution
  • Capable: Good but with room for improvement
  • Limited: Lacking in execution and use cases
  • Not applicable or absent

3. Considerations for Adoption

The purchase drivers for adopting ransomware protection deployed on file-based primary storage are very clear. The only potential downside is that a storage system embedding advanced ransomware protection may be more expensive than a storage system without such capabilities. On the other hand, the benefits are so overwhelming that organizations should seriously consider whether purchasing a storage solution without ransomware protection capabilities makes sense.

Prospective customers should carefully consider the following when evaluating solutions: first, how the primary storage ransomware protection fits within their overall security, threat, and ransomware protection posture; and second, how the solution integrates with their broader threat mitigation strategy.

A primary storage solution that provides only immutable snapshots as a ransomware protection layer would be acceptable for an organization that has invested in advanced, dedicated ransomware protection. However, this would be insufficient for organizations that can’t afford the same investment in a dedicated ransomware solution, or organizations that are refreshing their primary storage arrays and investing in security at the same time.

Similarly, organizations with a heterogeneous storage infrastructure might question the benefits of a deeply integrated and advanced ransomware protection solution that is proprietary to a single storage vendor.

Another consideration is the scope of a given solution compared to the broader infrastructure footprint. If the customer manages other storage types and one vendor’s solution supports both file and block systems, this could be an advantageous choice for the organization.

In any case, determining the current security posture of an organization, where it plans to take that posture next, and the available budget will help further refine the appropriate adoption criteria.

Key Characteristics for Enterprise Adoption

Here we explore the key characteristics that may influence enterprise adoption of the technology based on attributes or capabilities offered by some vendors but not others. These criteria will be the basis on which organizations decide which solutions to adopt for their particular needs. These key characteristics for primary storage ransomware protection are:

  • Architecture
  • Enhanced immutability
  • Proactive identification
  • Mitigation and recovery
  • Air gap
  • Monitoring and analytics

Architecture
The design, implementation, and feature set of ransomware protection solutions can impact scalability, performance, and efficiency. Solutions tightly embedded within the storage platform will provide immediate results but will lack the kind of global view that is better able to identify anomalous patterns happening either at scale or in specific locations. On the other hand, other solutions may use a different model based on a centralized AI/ML proactive detection system to which suspicious patterns are sent for analysis and training purposes.

Enhanced Immutability
Even if data immutability is a foundational capability of ransomware protection, simple implementations can be bypassed by malicious actors. Network Time Protocol (NTP) DDoS attacks can be used to trick the system and cause the snapshot retention period to lapse, giving the attacker the ability to delete snapshots that should have been immutable. In addition, the lack of multiple-administrator validation controls can allow an attacker to delete data retention policies and snapshots without any safety checks. Solutions with enhanced immutability features add an extra security layer to protect against tampering, implement enhanced action validation controls, and deliver additional retention mechanisms to allow the recovery of deleted snapshots.
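The three controls named here (retention that cannot be shortened by moving the clock, multiple-administrator validation, and a way to recover deleted snapshots) can be modelled side by side with a naive retention check. The following is an added illustration written for this report, not any vendor's implementation: the fake clock pair, the two-approver rule, the 72-hour grace window and the scenario are assumptions, and a real array would use a tamper-resistant time source rather than a plain monotonic clock, which resets on reboot.

```python
"""Snapshot retention guard: weak enforcement next to an enhanced-immutability version.

Added illustration for the 'Enhanced Immutability' characteristic; this is not any
vendor's implementation. Clock handling, approver counts and the 72-hour grace
period are assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


class FakeClocks:
    """Two clocks an array might read (constructed for the example).

    wall: settable calendar time, which a bad NTP update can step forwards.
    mono: monotonic elapsed time, which only moves as real time passes.
    """

    def __init__(self) -> None:
        self.wall = 1_700_000_000.0  # arbitrary epoch seconds
        self.mono = 1_000.0          # arbitrary uptime seconds

    def advance(self, seconds: float) -> None:
        """Real time passes: both clocks move."""
        self.wall += seconds
        self.mono += seconds

    def step_wall(self, seconds: float) -> None:
        """Only the calendar clock moves, as after a bad time update."""
        self.wall += seconds


@dataclass
class Snapshot:
    name: str
    created_wall: float
    created_mono: float
    retention_s: float
    soft_deleted_at_mono: Optional[float] = None
    purged: bool = False


class NaiveGuard:
    """Retention checked against wall-clock time; one admin; immediate hard delete."""

    def __init__(self, clocks: FakeClocks) -> None:
        self.clocks = clocks

    def delete(self, snap: Snapshot, approvers: List[str]) -> str:
        if self.clocks.wall < snap.created_wall + snap.retention_s:
            return "denied: retention active"
        snap.purged = True
        return "deleted permanently"


class HardenedGuard:
    """Retention on a monotonic clock, two-person rule, soft delete with grace period."""

    GRACE_S = 72 * 3600  # assumed undo window after an approved deletion

    def __init__(self, clocks: FakeClocks, required_approvers: int = 2) -> None:
        self.clocks = clocks
        self.required = required_approvers

    def delete(self, snap: Snapshot, approvers: List[str]) -> str:
        # 1. Measure elapsed retention on a clock that a time update cannot step.
        if self.clocks.mono < snap.created_mono + snap.retention_s:
            return "denied: retention active"
        # 2. Multiple-administrator validation: distinct approvers only.
        if len(set(approvers)) < self.required:
            return f"denied: requires {self.required} distinct approvers"
        # 3. Soft delete: hide the snapshot but keep it recoverable during the grace window.
        snap.soft_deleted_at_mono = self.clocks.mono
        return "soft-deleted, recoverable during grace period"

    def restore(self, snap: Snapshot) -> bool:
        """Undo a soft delete while the grace window is still open."""
        if snap.purged or snap.soft_deleted_at_mono is None:
            return False
        if self.clocks.mono - snap.soft_deleted_at_mono > self.GRACE_S:
            return False
        snap.soft_deleted_at_mono = None
        return True

    def purge(self, snap: Snapshot) -> bool:
        """Space is reclaimed only after the grace window has passed."""
        if snap.soft_deleted_at_mono is None or snap.purged:
            return False
        if self.clocks.mono - snap.soft_deleted_at_mono <= self.GRACE_S:
            return False
        snap.purged = True
        return True


def run_scenario() -> dict:
    """Walk both guards through a calendar-clock step, then through real elapsed time."""
    clocks = FakeClocks()
    day = 86_400
    snap_weak = Snapshot("vol01-daily", clocks.wall, clocks.mono, retention_s=30 * day)
    snap_hard = Snapshot("vol01-daily", clocks.wall, clocks.mono, retention_s=30 * day)
    naive, hardened = NaiveGuard(clocks), HardenedGuard(clocks)
    out = {}

    clocks.step_wall(31 * day)  # calendar jumps 31 days; no real time has elapsed
    out["naive_after_clock_step"] = naive.delete(snap_weak, ["admin-a"])
    out["hardened_after_clock_step"] = hardened.delete(snap_hard, ["admin-a", "admin-b"])

    clocks.advance(31 * day)  # retention genuinely expires
    out["hardened_single_approver"] = hardened.delete(snap_hard, ["admin-a", "admin-a"])
    out["hardened_two_approvers"] = hardened.delete(snap_hard, ["admin-a", "admin-b"])
    out["purge_inside_grace"] = hardened.purge(snap_hard)
    out["restore_inside_grace"] = hardened.restore(snap_hard)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The naive guard releases the snapshot as soon as the calendar clock says the retention period is over, even though no time has passed; the hardened guard keeps denying until the monotonic clock agrees, then still insists on two distinct approvers and keeps the deleted snapshot recoverable for the grace window. The same checks would apply to deleting or shortening a retention policy, which the text lists as the other unprotected action.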

Proactive Identification
Basic ransomware protection features such as snapshots and continuous data protection are now taken for granted. Ransomware infection patterns are nearly imperceptible to IT personnel, who often realize the extent and impact of a ransomware attack only after it’s too late to react. Advanced ransomware protection systems are trained on ransomware behavioral patterns that can identify anomalous behavior by analyzing file system changes in real time.

Mitigation and Recovery
Although timely identification of infection patterns is crucial, alerting is not sufficient. The solution should implement techniques to isolate encrypted data and contain the spread; for example, by terminating active connections to the file system or temporarily restricting access. Similarly, it must implement methods to recover the impacted data easily.

Air Gap
To further protect data, some vendors implement air gapping, a method of securely replicating the data from primary storage to an isolated environment that can be located either on-premises or in the cloud, and is sometimes even provided as a service.

Monitoring and Analytics
Monitoring and alerting capabilities and the ability to visualize threats and their impact are essential. The solution should include a management interface with proactive alerting capabilities, and it should integrate with enterprise system management solutions and security alerting/monitoring tools, AIOps, and ITSM tools.

Table 2 shows how well these key characteristics are implemented in each of the solutions assessed in this report.

Table 2. Key Characteristics Affecting Enterprise Adoption

Key characteristics assessed (columns): Architecture; Enhanced Immutability; Proactive Identification; Mitigation & Recovery; Air Gap; Monitoring & Analytics
Vendors assessed (rows): DDN, Dell Technologies, Hitachi Vantara, HPE, IBM, Infinidat, NetApp, Nutanix, Pure Storage, StorONE
(Per-vendor ratings are not preserved in this text version.)

Rating scale:
  • Exceptional: Outstanding focus and execution
  • Capable: Good but with room for improvement
  • Limited: Lacking in execution and use cases
  • Not applicable or absent

4. GigaOm Sonar

The GigaOm Sonar provides a forward-looking analysis of vendor solutions in a nascent or emerging technology sector. It assesses each vendor on its architecture approach (Innovation), while determining where each solution sits in terms of enabling rapid time to value (Feature Play) versus delivering a complex and robust solution (Platform Play).

The GigaOm Sonar chart (Figure 2) plots the current position of each solution against these three criteria across a field of concentric semi-circles, with solutions set closer to the center judged to be of higher overall value. The forward-looking progress of vendors is further depicted by arrows that show the expected direction of movement over a period of 12 to 18 months.

Figure 2. GigaOm Sonar for Block-Based Primary Storage Ransomware Protection

As you can see in the Sonar chart in Figure 2, three groups of vendors are emerging. On the Platform Play side, the first group contains solutions with a strategic, longer-term approach. Infinidat offers a complete and balanced ransomware protection solution with InfiniSafe technology included, which has been enhanced this year with InfiniSafe Cyber Detection, an ML-based, petabyte-class, proactive ransomware detection solution. Dell Technologies’ PowerMax solution offers solid ransomware protection capabilities, while PowerStore and PowerFlex are gradually being improved by inheriting some of PowerMax’s features. These are augmented by Dell CloudIQ’s AIOps platform’s proactive detection capabilities, propelling the company forward in the Sonar. Hitachi Vantara offers a rich ecosystem of monitoring and data management software that can help identify and protect against ransomware attacks, while its Virtual Storage Platform (VSP) implements good immutability features. Closing in towards the Leaders circle, Pure Storage provides ransomware protection through its SafeMode snapshots (now enabled by default) and strong multifactor authentication (MFA), while it has added security posture features to its solution. It also delivers a ransomware recovery SLA, an add-on service that helps customers recover faster in case of an attack.

In the second Platform Play group, StorONE offers a well-balanced solution and improves the ransomware protection capabilities with a proactive detection feature called anonymous detection. Nutanix offers comprehensive analytics, hardening, and immutable snapshots with instant recovery, along with a strong focus on proactive detection at the network layer. IBM delivers solid foundational capabilities with a focus on air gap, orchestration, and recovery. The company is slowly expanding its proactive detection capabilities, but these are currently limited to specific use cases (SAP HANA, Caché, and Iris).

On the Feature Play side, the third group consists of vendors with a feature-focused approach. HPE is closing in on the Leaders band with robust foundational capabilities now available in the entire Alletra portfolio. It offers a modular building-block approach with a broad portfolio of software solutions. NetApp has a strong roadmap for file-based ransomware protection, and although its scope for block storage ransomware protection is smaller, some innovations like zero-trust security are worth noting. DDN offers a basic set of ransomware protection features, including immutable snapshots and cloud-based monitoring capabilities, which can be used to indirectly observe potential ransomware activity.

5. Vendor Insights

DDN

DDN’s IntelliFlash platform delivers unified file and block storage and includes features that protect against ransomware attacks: IntelliCare Cloud Analytics for detection and IntelliFlash immutable snapshots for remediation. Although the solution provides a strong foundation with immutable snapshots, these are now considered table stakes, and the company hasn’t introduced to its solution any advanced immutability capabilities, such as enhanced control over snapshot policies, multiple-administrator validation, or soft-delete of immutable snapshots past their retention period.

For monitoring and analytics, IntelliFlash leverages IntelliCare Cloud Analytics to identify unusual storage growth and generate alerts. The solution is capable of identifying anomalies but does not provide any direct observation, nor does it offer any proactive response such as terminating connections or quarantining users or file shares.

If a ransomware attack is confirmed, IntelliFlash snapshots can be used to rapidly revert to a prior healthy state. Snapshots can be scheduled and enabled from IntelliFlash’s management interface with the ability to land snapshots on-premises, in the cloud, or both, and to store data at multiple locations. There is, however, no recovery orchestration capability available. Similarly, with regard to air gapping, the solution allows manual configuration of a secondary system with snapshot scheduling, but there is currently no reference architecture or dedicated air gap offering that would allow customers to quickly implement air gapping for recovery from a ransomware attack.

Although not evaluated as part of this report, Tintri (a company owned by DDN) implements advanced ransomware capabilities on its Tintri VMStore storage appliances. Tintri VMStore provides ML-based ransomware protection capabilities; however, VMStore is targeted only at virtualized workloads and provides a storage abstraction similar to VMware vVols, so it does not fit into GigaOm’s classification of block or file storage.

Strengths: DDN provides a basic set of ransomware protection features on its IntelliFlash platform, including basic monitoring capabilities and immutable snapshots.

Challenges: Detection capabilities are limited and indirect. The solution has no recovery orchestration and no dedicated air gap offering.

Dell Technologies

Dell Technologies currently provides comprehensive ransomware protection capabilities on its PowerMax storage appliances. The solution combines immutable snapshots and proactive detection, and it is complemented by air-gapped backups.

Proactive detection capabilities are delivered through CloudIQ, Dell’s AIOps platform. PowerMax provides telemetry data to CloudIQ, which monitors and detects anomalies in near real time, assesses adherence to security baselines, and identifies security incidents such as potential ransomware attacks. Alerts are subsequently generated and pushed to administrators through a variety of methods. The solution also integrates with ITSM and SIEM platforms to automatically create incidents and initiate investigation activities.

From a mitigation perspective, PowerMax snapshots are natively immutable (read-only). To prevent their intentional deletion by a malicious user, Dell Technologies added another layer of security with “secure snapshots,” a policy-based feature that prevents accidental or malicious deletion of immutable snapshots (even by administrators) for the entire duration of the defined lock period. PowerMax snapshots can also be replicated to S3 object storage in the cloud, providing additional immutability options. The solution includes anti-tampering measures to protect against time server drift and premature expiration of the lock duration on secure snapshots.

Recovery-wise, organizations can define set-and-forget snapshot policies with frequent intervals, allowing recovery point objectives (RPOs) as low as 10 minutes. Although adjacent to primary storage ransomware protection and not evaluated in this report, Dell Technologies also offers integrations with PowerProtect Cyber Recovery, an independent product for use with any storage platform. This allows data to be backed up from a PowerMax to a Dell PowerProtect appliance and then replicated to another air-gapped PowerProtect appliance. Moreover, Dell Technologies also provides the ability to scan and recover the last valid data copies with CyberSense, a solution that scans vaulted backups performed with PowerProtect Cyber Recovery. In addition, native air gap is available through Symmetrix Remote Data Facility (SRDF) on PowerMax.

Secure snapshots are a standard PowerMax feature. Dell Technologies CloudIQ is provided as a part of a customer’s support contract at no extra cost. The solution was conceived to support the broadest range of Dell Technologies products, including storage solutions, data protection platforms and appliances, servers, human computer interaction solutions, and Dell networking products. As such, it offers complete support and visibility across storage systems and geo locations.

Regarding other block storage solutions in Dell Technologies’ portfolio, PowerStore currently supports immutable snapshots, and Dell introduced an optional secure snapshot setting starting with PowerStore OS 3.5. When enabled, the snapshot and its parent resource are protected from deletion until the retention period expires on all secure snapshots, providing additional protection against ransomware attacks. PowerStore 3.5 also supports MFA with SecurID, which enables safeguarded access to PowerStore’s administrative tools. The PowerFlex solution also supports secure snapshots and the PowerProtect Cyber Recovery vault.

Strengths: Dell offers solid ransomware protection capabilities on its PowerMax platform, combining true snapshot immutability with an AIOps platform capable of identifying ransomware attacks. Some capabilities are making their way into PowerStore, providing an affordable first line of protection against ransomware to small and medium enterprises as well.

Challenges: Ransomware protection features are primarily centered on the PowerMax platform. Some features such as multiple-user validation and proactive termination of access could be added.

Hitachi Vantara

Hitachi Vantara has traditionally targeted its products at medium-sized and large organizations. Those systems use the same storage operating system and expose the same feature set, enabling users to design their infrastructures with consistent characteristics at the core and the edge. This holds true for its ransomware protection as well, for both block and file storage.

Proactive detection capabilities are delivered through Ops Center Analyzer, part of Hitachi’s AIOps platform. Ops Center Analyzer analyzes I/O patterns and correlates them with threat types, informing administrators via alerts and reports automatically, letting them know whether a ransomware attack is in progress or if a data exfiltration activity is happening.

To mitigate ransomware, the solution uses the Hitachi data retention utility orchestrated through Hitachi’s Ops Center Protector. This tool is part of the Hitachi storage OS that’s included with all Hitachi Virtual Storage Platform (VSP) arrays at no additional cost. It provides options to lock logical storage devices or volumes to prevent any modifications, such as host writes or array management operations. These locks can’t be removed before a specified retention period has expired.

From a recovery perspective, organizations can easily set immutable snapshot policies with frequent intervals, enabling low RPOs. Hitachi’s Ops Center Protector offers a full set of copy data management capabilities for snapshots, clones, and more. This allows data to be backed up from a VSP system and the backup to be replicated to another air-gapped VSP system. Finally, Hitachi can also scan and recover the last valid data copies through CyberVR, a complementary cyber resiliency solution that Hitachi recommends for specific use cases requiring automated data recovery orchestration from ransomware across a large VM environment (hundreds of VMs) or when more advanced ransomware security testing and forensics are required.

To protect data from ransomware, and as an overall management interface, Hitachi Ops Center management suite includes the Ops Center Protector and Ops Center Analyzer bundled in the base software package at no additional cost with each Hitachi VSP storage system. These tools enable protection against ransomware that is effective and scalable, and they can be increasingly automated.

Hitachi offers a broad range of ransomware protection for its primary storage offerings. The Hitachi Ops Center suite provides the right tooling to analyze and protect data from ransomware while allowing quick recovery from an attack. Although the solution is extensive and effective, it still requires external solutions, like CyberVR, to create a secure environment that can detect anomalies and protect the data.

Strengths: Hitachi offers good ransomware protection on its VSP platform with great snapshot immutability. The Hitachi Ops Center platform can identify and protect against ransomware attacks.

Challenges: Ransomware protection and recovery capabilities are spread across multiple tools; Hitachi could improve manageability for end users by consolidating its toolset.

HPE

Through its layered and modular approach, HPE provides comprehensive data protection against ransomware. It makes use of features from its Alletra block storage systems, the HPE InfoSight AIOps platform, Zerto, and additional data resilience capabilities available on the HPE GreenLake platform.

Focusing solely on the components in scope for this report, proactive detection capabilities are delivered by HPE InfoSight. The solution uses sophisticated techniques, including ML, to detect and report anomalies that can indicate an active ransomware attack. Beyond comparing workload characteristics against the array’s own historical trends, InfoSight can also tap into normalized and anonymized baselines for similar workloads collected across HPE’s entire customer base.

HPE implements a feature branded Virtual Lock, which was available originally on 3PAR systems and is now available on Alletra 9000 systems and on HPE Primera storage arrays. The Virtual Lock function, originally implemented for compliance purposes to prevent deletion of volumes, is used to protect snapshots intended for ransomware recovery by locking immutable, read-only snapshots on the storage array, effectively preventing volume copies and accidental or intentional deletion of volumes. Organizations can define a custom retention period during which deletion is impossible, even by administrators with the highest privilege level. In addition to Virtual Lock, which is still being extended to more of HPE’s data storage products, Alletra 5000/6000 and GreenLake for File Storage offer built-in immutable snapshots.

In addition, Alletra 9000 includes protection against time-server tampering. A time change can’t be forced on the system, which prevents an attacker from prematurely and artificially expiring the immutability period on snapshots. The only way to force a time change is to fully factory reset the Alletra 9000, after which an attacker would no longer be able to access and encrypt the data and demand a ransom for its recovery.

HPE offers various snapshot replication and protection topologies for Alletra 9000 and Virtual Lock, some of which include HPE StoreOnce backup appliances (which also offer immutable snapshots).

On the Alletra 6000 platform, HPE implements strong MFA and multiple-user authorization. The Alletra 6000 has been enhanced to offer native storage snapshots with configurable retention criteria, along with deep integration with the leading data protection solutions so that snapshots fit into the overall backup and archive strategy.

All these capabilities on Alletra 9000 and 6000 are core features of the storage platforms discussed here and do not incur extra licensing fees. HPE offers a Zerto Cyber Resilience Vault appliance based on its Zerto solution and Alletra storage arrays. The appliance can act as a replication target for production environments and offers a vaulting capability; however, Zerto applies to virtual, containerized, and cloud workloads, which places it out of scope for organizations that require native block storage ransomware protection. Zerto also includes proactive detection capabilities and supports immutability on Azure Blobs, Amazon S3, or S3-compatible storage (including on-premises options).

Strengths: HPE offers a modular and realistic approach to combating ransomware, with a number of built-in capabilities that large organizations can integrate into their broader ransomware protection strategy. Improvements have been made across the Alletra portfolio to support snapshot immutability.

Challenges: HPE’s approach requires an architectural mindset to correctly tie all the building blocks together.

IBM

IBM supports ransomware protection capabilities on its block storage product line that runs IBM Storage Virtualize, the operating system that powers IBM FlashSystem appliances, and IBM Storage Volume Controller (SVC).

The solution implements snapshot immutability, orchestration, and recovery to a healthy state after a ransomware attack. To achieve this goal, it relies on IBM Safeguarded Copy (SGC), a technology that provides immutable copies of data on a FlashSystem or SVC, and on IBM Copy Services Manager (CSM), an external automation and scheduling tool. IBM CSM provides crash consistency and facilitates the creation, cataloging, and recovery of SGC snapshots. SGC is also available on IBM DS8000 storage systems.

The solution is branded IBM FlashSystem Cyber Vault. It constitutes a framework for automating the processes required to proactively use SGC for data validation and recovery after a ransomware attack, providing the customer with an air-gapped environment.

Technically, Cyber Vault requires a dedicated FlashSystem environment and is deployed in a dedicated “clean room” or sandbox environment isolated from production, with CSM handling the scheduling of SGC snapshots. These immutable snapshots can’t be altered or deleted. Recovery happens on separate recovery volumes, which can be used for data validation, forensic analysis, and restoration of production data.

IBM introduced hardware ransomware detection capabilities in Q2 2023 on FlashSystem. This capability analyzes data write patterns on FlashSystem’s OS, IBM Storage Virtualize, during cache destage to flash. In the future, IBM plans to add this function to FlashCore Modules (FCMs).

The analyzed data is then sent to IBM Storage Insights Pro, IBM’s cloud-based storage management platform, which implements AI/ML capabilities and a learning engine to determine whether there is a potential ransomware attack in progress. Subsequently, alerts are sent to the administrators. The detection on IBM Storage Insights Pro is currently in tech preview.

Strengths: IBM has made significant progress with its anomaly detection capabilities and plans to extend the capability to hardware flash modules in the future. Cyber Vault provides a robust ransomware protection framework focused on data isolation and controlled recovery.

Challenges: The air gap solution requires a dedicated FlashSystem or SAN Volume Controller (SVC) environment to operate, and while this provides increased security, it also increases the cost of the solution.

Infinidat

Infinidat boasts a modern, AI-based hybrid software-defined storage architecture that delivers a no-compromise feature set with compelling $/GB and $/IOPS ratios. To achieve this, its InfiniBox and InfiniBox SSA II storage systems take advantage of a data path designed around a combination of DRAM, flash memory, and hard disk drives, combined with sophisticated AI-based caching technology to optimize data placement. Infinidat’s core InfiniSafe technology is built into InfuzeOS and is provided at no additional charge.

Ransomware protection is delivered across Infinidat’s portfolio through its InfiniSafe technology. The InfiniGuard solution offers modern data protection, backup, disaster recovery, and business continuity features, delivers backup and recovery performance at scale, and integrates easily with leading data protection solutions. As with the InfiniBox and InfiniBox SSA II primary storage platforms, InfiniGuard’s ransomware protection capabilities are enabled by InfiniSafe.

Branded InfiniSafe, the technology provides immutable snapshot copies of source data sets that incorporate logical air-gapping—both local and remote. When a customer undergoes a cyberattack, they can move the copies into a secure fenced network to check for malware or ransomware. Known good copies of the data are identified, and the customer can make a near-instantaneous guaranteed recovery of the known good copy in less than a minute for petabyte-scale primary datasets on the InfiniBox and InfiniBox SSA and less than 20 minutes for backup datasets on the InfiniGuard. Infinidat’s InfiniSafe Cyber Storage guarantee is provided on InfiniBox, InfiniBox SSA, and InfiniGuard platforms.

The company recently introduced InfiniSafe Cyber Detection, an ML-based, petabyte-class solution built on Infinidat’s indexing capabilities, which targets primary storage (volumes, snapshots), databases (like Oracle, DB2, SQL, and SAP HANA), and user files. This solution uses 200 points of determination with 99.5% accuracy to identify highly granular attacks, including partial encryption. It organizes alerts by severity, provides relevant details, and generates forensic reports. It also tags corrupted files and makes them available for download for further analysis. The solution runs on one or more separate servers and scans attached snapshots and volumes. It can also scan a secondary copy: data can be replicated to a target system and scanned there. As of launch time, the solution supports block and file workloads and will support backups later in 2023.

Strengths: InfiniSafe delivers a fully fledged set of cybersecurity features at no extra cost, allowing customers to quickly and securely restore data, even at scale, in case of an attack. The addition of proactive detection is a major milestone for Infinidat.

Challenges: InfiniSafe Cyber Detection was recently launched and has not yet been proven in the field.

NetApp

NetApp implements a comprehensive, multilayered ransomware protection strategy across its product portfolio for both on-premises and cloud workloads.

Most NetApp anti-ransomware capabilities are focused on proactive data identification and recovery, making them particularly suitable for SMB/NFS volumes. For block volumes, organizations can take advantage of the flexibility provided by ONTAP immutable snapshots. These snapshots can be configured and scheduled via policies and can be replicated either locally or in the cloud with Cloud Volumes ONTAP, providing multiple layers of resiliency and the ability to recover even if the primary source is compromised.

In addition, NetApp includes SnapCenter, a tool that orchestrates the creation and replication of application-consistent snapshots, which can be replicated to a remote location and used to recover from attacks. To further enhance immutability, NetApp enforces multiple-administrator verification for sensitive operations, so that no single person can make unauthorized changes to snapshot and replication policies or immutability settings, or delete snapshots.

Cloud management tools such as the BlueXP Ransomware Protection Dashboard provide some additional capabilities, including a security scoring feature that allows organizations to assess the resiliency of their storage estate against a ransomware attack from a security posture perspective. It is also possible to configure custom alerts to identify potential ransomware attack patterns on block volumes.

NetApp recently announced a “ransomware recovery guarantee,” initially available on NetApp AFF C-Series and ASA A-Series storage purchases. Through this mechanism (which requires NetApp Professional Services and subscription to a NetApp Ransomware Protection and Recovery Service), NetApp warrants snapshot data recovery either on primary or secondary ONTAP storage. If data cannot be recovered, NetApp will offer compensation. This guarantee is based on the NetApp SnapLock compliance built into ONTAP, a WORM capability for snapshots with advanced data retention.

Strengths: NetApp offers immutable snapshots and options for flexible replication to the cloud for block storage ransomware protection. The recovery guarantee provides operational benefits and recovery assurance for mission critical data and workloads.

Challenges: The approach for block storage primarily focuses on recoverability. An increased focus on AI/ML-based anomaly detection for block storage would further improve NetApp’s feature set.

Nutanix

Nutanix provides a comprehensive platform with varied storage capabilities that go beyond its initial hyperconverged infrastructure (HCI) scope. Its Nutanix Unified Storage suite delivers native file, block, and object capabilities. In the context of primary block storage, the solution delivers these capabilities through the Nutanix Volumes service.

Whereas Nutanix Files relies on integrated ransomware protection and Nutanix Data Lens to proactively detect ransomware, Nutanix Volumes handles block storage and therefore uses a different solution to identify ransomware threats. Nutanix Security Central monitors for network anomalies and malicious behavior, as well as common network attacks that propagate and probe for vulnerabilities as a way to further infiltrate the network and spread ransomware. Security Central also monitors endpoints such as VMs to identify malicious traffic, isolate individual clients with network segmentation, and prevent lateral expansion of threats, thus reducing the overall attack surface and protecting other data.

From a mitigation and recovery perspective, Nutanix Volumes provides immutable snapshots, preventing tampering and deletion. Those native snapshots can be easily recovered and organizations can take advantage of a secondary level of immutable storage with Nutanix Objects, which also delivers immutable object storage and support for WORM policies.

Nutanix implements hardening features by default that help prevent ransomware attacks. Adherence to security best practices and monitoring against baseline deviations are handled through Nutanix Security Central, a security-oriented management platform that allows security monitoring and management across multiple Nutanix deployments. The solution has strong support for compliance, with several standards supported (FIPS, DoDIN APL, and so forth), and embeds a fully fledged Security Technical Implementation Guide (STIG) compliance setup.

Nutanix Security Central is an add-on for Nutanix Cloud Infrastructure (NCI), a complete software stack that unifies hybrid cloud infrastructure, including compute, storage, network, hypervisors, and containers, in public or enterprise clouds.

Strengths: Nutanix delivers comprehensive network analytics, security hardening features, and instant data recovery through immutable native snapshots.

Challenges: Detection happens primarily at the network layer; there is currently no anomaly detection capability available for the storage layer.

Pure Storage

Pure Storage offers multiple storage products. Among them, FlashBlade delivers unified fast file and object storage capabilities, while FlashArray focuses on block and file storage.

To protect against ransomware attacks, Pure Storage implements immutable snapshots in both solutions. Snapshots can be turned on for block and file on FlashArray and for file on FlashBlade. However, while the data in the snapshots is immutable, the snapshots themselves could be deleted by an attacker with rogue administrative access.

A feature called SafeMode, built into both storage array types, locks snapshots and prevents their deletion. On FlashBlade, SafeMode snapshots can be used to create a read-only protected snapshot of a full backup, including the backup and associated metadata catalogs as well.

Instead of the standard deletion process, entities such as volumes or snapshots are destroyed and moved into a staging “destroyed” area for a predefined period of at least 24 hours and up to 30 days, with Pure Storage recommending at least 14 days of retention. This retention window cannot be shortened: any entity in the “destroyed” area stays locked and cannot be wiped until the timer has expired.

SafeMode is built into the storage solution’s operating system and enabled by default. Recently Pure Storage introduced Enhanced SafeMode Management, which is a more streamlined multiple-party authentication process compared to the previous solution.

To further improve ransomware recovery, Pure Storage recently introduced a ransomware recovery SLA for its Evergreen//One offering. This add-on service guarantees that a clean storage environment will be shipped the next business day after a customer has been hit by a ransomware attack, and includes a joint design service between Pure Storage and the customer at sign-up time to plan recovery steps in case of an attack. The ransomware recovery SLA also guarantees recovery of operations within 48 hours at a transfer rate of 8 TiB/hour. Finally, the organization can keep this loaned storage array for up to 90 days in order to fully restore operations past the initial 48-hour recovery window.

SafeMode snapshots are configured through Pure1, Pure Storage’s management, analytics, and support platform. Pure1 can also assess whether SafeMode snapshots are enabled across all Pure Storage arrays.

Pure Storage added a data protection assessment feature to Pure1 to ensure the FlashBlade and FlashArray systems follow Pure Storage’s recommended security practices. This feature analyzes the entire Pure Storage estate and determines whether SafeMode is fully or partially enabled on each array and verifies snapshot expiration policies and other factors such as adherence to security guidelines. These take into account local snapshot policies as well as remote policies and whether snapshots are replicated or not. Finally, this feature provides guidance on improving the security posture with actionable insights.

Although Pure Storage doesn’t provide a proactive ransomware detection solution, it does provide anomaly detection capabilities, available in the Pure1 data protection dashboard. Pure1 monitors the data reduction ratio of storage appliances, a metric that combines the level of deduplication and compression that Pure Storage arrays typically offer to a customer. In case of sharp, anomalous drops (for example, large-scale encryption and/or data deletion), the system will generate alerts to inform administrators about potential malicious activity so they can take further action. Those capabilities are expected to be further improved in 2024.
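The reduction-ratio heuristic just described can be illustrated with a small detector, added here as an example and not Pure Storage’s code: the trailing median of an array’s deduplication-plus-compression ratio serves as the baseline, and a sharp drop (constructed threshold 30%) raises an alert, while volumes that never reduced well are skipped so that ordinary wobble does not page anyone. The array names, sample series and thresholds are all invented.

```python
"""Anomaly detection on an array's data reduction ratio.

Constructed example, not Pure Storage code. It models the heuristic the
report describes for Pure1: the combined deduplication-plus-compression
ratio of an array normally drifts slowly, so a sharp drop is a candidate
signal for bulk encryption or deletion, because ciphertext neither
compresses nor deduplicates. The series, window and thresholds are invented.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Alert:
    array: str
    index: int          # position of the offending sample in the series
    baseline: float     # trailing median the sample was compared against
    observed: float
    drop: float         # fractional drop from baseline, e.g. 0.457 = 45.7 %


def detect_reduction_drop(array: str, ratios: List[float], window: int = 6,
                          drop_threshold: float = 0.30,
                          min_baseline: float = 1.5) -> List[Alert]:
    """Flag samples that fall more than drop_threshold below the trailing
    median of the previous `window` samples.

    A median baseline resists a single noisy sample. Series whose baseline is
    already near 1:1 (media, pre-encrypted database files) are skipped: they
    cannot drop meaningfully and would only produce noise.
    """
    alerts: List[Alert] = []
    for i in range(window, len(ratios)):
        baseline = median(ratios[i - window:i])
        if baseline < min_baseline:
            continue
        drop = (baseline - ratios[i]) / baseline
        if drop >= drop_threshold:
            alerts.append(Alert(array, i, baseline, ratios[i], round(drop, 3)))
    return alerts


def first_alert_index(alerts: List[Alert]) -> Optional[int]:
    """Index of the earliest alert, i.e. when an operator would first be paged."""
    return min((a.index for a in alerts), default=None)


# Constructed hourly samples of reduction ratio (logical bytes / physical bytes).
STEADY = [4.1, 4.0, 4.2, 4.1, 4.0, 4.1, 4.2, 4.1, 4.0, 4.1, 4.2, 4.1]
# Compressible data being overwritten with ciphertext: ratio slides toward 1.0.
ENCRYPTING = [4.1, 4.0, 4.2, 4.1, 4.0, 4.1, 3.9, 3.1, 2.2, 1.5, 1.2, 1.1]
# Volume that never reduced well; must not alert on ordinary wobble.
INCOMPRESSIBLE = [1.1, 1.2, 1.1, 1.0, 1.1, 1.2, 1.0, 0.9, 1.0, 1.1, 0.9, 1.0]


def run_estate() -> dict:
    """Evaluate every array in a small constructed estate (invented names)."""
    estate = {"fa-prod-01": STEADY, "fa-prod-02": ENCRYPTING, "fa-media-01": INCOMPRESSIBLE}
    return {name: detect_reduction_drop(name, series) for name, series in estate.items()}


if __name__ == "__main__":
    for name, alerts in run_estate().items():
        print(f"{name}: {len(alerts)} alert(s), first at sample {first_alert_index(alerts)}")
        for a in alerts:
            print(f"  sample {a.index}: {a.observed}:1 vs baseline {a.baseline}:1 ({a.drop:.0%} drop)")
```

With these series the encrypting array is first flagged at the ninth sample (index 8), when its ratio has fallen from a 4.05:1 baseline to 2.2:1; the steady and incompressible arrays produce no alerts.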

Strengths: Pure Storage provides thorough advanced immutability features with SafeMode snapshots, strong MFA, and multiple-administrator validation mechanisms. New software and service features, such as data protection assessment and the ransomware recovery SLA, improve its mitigation and recovery capabilities.

Challenges: Anomaly detection features are adequate for block storage, but proactive ransomware detection needs to be further developed for file storage. Those improvements are on Pure Storage’s roadmap.

StorONE

StorONE’s ransomware protection strategy relies on immutable snapshots on its StorONE S1 software-defined storage platform. The solution includes a feature called “anonymous detection,” which performs anomaly detection by identifying unusual patterns, behaviors, or events that deviate significantly from the expected norm. In case of anomalous behavior, customers are instantly notified of unusual activity on one of their volumes.

StorONE immutable snapshots can be created either ad hoc or scheduled with policy-based frequency and retention periods, using either the management interface or API calls. Immutable snapshots can’t be deleted manually while the retention policy is active, and volumes with active snapshots can’t be deleted either. Furthermore, StorONE implements multiple-administrator validation for all configuration changes, including retention policies.

The new management interface allows these various policies to be created seamlessly, with a visual understanding of how they overlap and a clear view of how long data is retained. Furthermore, different retention policies and snapshot frequencies can be created per S1 instance.

The company also offers a flash-based S1:Backup appliance targeted at data protection and long-term retention. This appliance is based on StorONE S1 software and implements the same immutability mechanisms. It effectively provides an additional level of protection in case the production StorONE S1 system is impacted. Even if primary and backup data are corrupted by ransomware, the use of immutable snapshots allows users to revert to a safe snapshot taken before the infection occurred.

It’s worth noting that StorONE immutable snapshot technology applies to both file and block volumes. When used with file volumes, the snapshots can be instantly restored to a browsable image at the file level, allowing administrators to verify file integrity and recover a file or subset of files.

Strengths: StorONE offers good capabilities to identify, mitigate, and recover from ransomware attacks, including anomaly detection, instant recovery, and multiple-admin validation.

Challenges: There are several opportunities for improvement around anomaly detection that primarily revolve around visualization dashboards and logging.

6. Near-Term Roadmap

There’s a clear divide among the evaluated solutions in terms of capabilities because many are already mature in providing a broad set of advanced features, including AI/ML-based anomaly detection and proactive remediation.

Implementing proactive threat detection is a possible roadmap direction for less-mature solutions that offer snapshot immutability and/or continuous data protection. However, this largely depends on each vendor’s ability and appetite to commit R&D resources. Given the amount of effort and cost involved, it’s more likely that these solutions’ feature sets will remain the same while the vendors seek strategic partnerships with well-established, general-purpose ransomware protection vendors.

Meanwhile, advanced solutions will continue to improve their AI/ML detection and training models. While provided as a part of the primary storage management stack, these solutions will remain adjacent to the storage array itself and may eventually be expanded to support heterogeneous environments. Alternatively, they could be spun off as a standalone solution, free to use with the vendor’s storage platforms but licensed for use with external storage solutions.

7. Analysts’ Take

Although ransomware protection is not new, the increased attack frequency is thrusting this discipline more and more into the spotlight. Until recently, data protection, business continuity, and disaster recovery discussions were the primary drivers for ransomware protection solutions.

Organizations were already aware of the need for deep, layered threat protection strategies that implement threat detection and mitigation mechanisms at multiple levels. Similarly, storage vendors acknowledged the ransomware risk and that production data storage systems were often the primary target.

Compared to 2022, several emerging trends such as enhanced immutability and air gapping are reflected in this year’s key characteristics.

Enhanced immutability features are varied and range from policy-based snapshot management to anti-NTP tampering mechanisms. An additional security layer is provided by multiple-administrator validation or similar quorum-based validation mechanisms for sensitive operations such as policy changes or policy deletions. Enhanced immutability features are not necessarily complex to implement and represent an attainable improvement that provides tremendous benefits to customers with moderate R&D efforts.
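The three controls grouped here under enhanced immutability, the retention lock that even the highest privilege level cannot bypass (HPE, Pure Storage), the clock-tamper resistance of that lock (HPE), the staged “destroyed” area (Pure Storage), and the two-administrator quorum for policy changes (NetApp, Pure Storage, StorONE), fit into one small model. The following Python is an added illustration, not any vendor’s implementation; its array, snapshot names, 14-day retention and approver names are invented.

```python
"""Toy model of the "enhanced immutability" controls this report describes.

Constructed example, not any vendor's implementation: a retention lock that
refuses to eradicate a snapshot before its period has elapsed regardless of
caller privilege, an elapsed-time source that ignores the settable wall clock
so a time change cannot expire a lock early, and a two-administrator quorum
for shortening retention policies. All names and numbers are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 86400


class RetentionError(PermissionError):
    """Operation would violate a retention lock or the quorum rule."""


@dataclass
class Snapshot:
    created_at: int                      # monotonic seconds at creation
    retention_seconds: int               # fixed at creation; later policy changes do not apply
    destroyed_at: Optional[int] = None   # None while live; set when moved to staging


class LockedArray:
    """Deleting only moves a snapshot to a "destroyed" staging area; eradication is
    refused until the retention has elapsed on the array's own monotonic counter."""

    REQUIRED_APPROVERS = 2

    def __init__(self, retention_seconds: int):
        self.retention_seconds = retention_seconds
        self._monotonic = 0          # only ever advances
        self.wall_clock = 0          # administratively settable, never consulted for locks
        self.snapshots: Dict[str, Snapshot] = {}
        self.eradicated: List[str] = []

    def tick(self, seconds: int) -> None:   # real time passing moves both clocks
        self._monotonic += seconds
        self.wall_clock += seconds

    def set_wall_clock(self, epoch_seconds: int) -> None:   # NTP or manual change
        self.wall_clock = epoch_seconds

    def take_snapshot(self, name: str) -> None:
        self.snapshots[name] = Snapshot(self._monotonic, self.retention_seconds)

    def destroy(self, name: str) -> None:   # logical delete: data stays recoverable
        self.snapshots[name].destroyed_at = self._monotonic

    def seconds_until_unlock(self, name: str) -> int:
        snap = self.snapshots[name]
        return max(0, snap.created_at + snap.retention_seconds - self._monotonic)

    def eradicate(self, name: str, is_superuser: bool = False) -> None:
        """Permanent removal; privilege is irrelevant while the lock holds."""
        if self.snapshots[name].destroyed_at is None:
            raise RetentionError(f"{name}: destroy before eradicating")
        remaining = self.seconds_until_unlock(name)
        if remaining > 0:
            raise RetentionError(f"{name}: lock holds for {remaining}s more")
        del self.snapshots[name]
        self.eradicated.append(name)

    def shorten_retention(self, new_seconds: int, approvers: List[str]) -> None:
        """Two distinct approvers required; existing snapshots keep their retention."""
        if len(set(approvers)) < self.REQUIRED_APPROVERS:
            raise RetentionError("retention change needs two distinct approvers")
        self.retention_seconds = new_seconds


def scenario() -> Dict[str, object]:
    """Exercise the controls and return what an auditor would observe."""
    array = LockedArray(retention_seconds=14 * DAY)   # the 14-day figure cited above
    array.take_snapshot("vol1.snap1")
    array.tick(2 * DAY)
    array.destroy("vol1.snap1")
    out: Dict[str, object] = {}
    try:                                    # highest privilege cannot bypass the lock
        array.eradicate("vol1.snap1", is_superuser=True)
        out["early_eradicate"] = "allowed"
    except RetentionError:
        out["early_eradicate"] = "refused"
    array.set_wall_clock(10 * 365 * DAY)    # a clock jump does not shorten the lock
    out["unlock_after_clock_jump"] = array.seconds_until_unlock("vol1.snap1")
    try:                                    # one admin approving twice is not a quorum
        array.shorten_retention(DAY, ["alice", "alice"])
        out["single_admin_change"] = "allowed"
    except RetentionError:
        out["single_admin_change"] = "refused"
    array.shorten_retention(DAY, ["alice", "bob"])      # quorum met; future snapshots only
    out["existing_snap_retention"] = array.snapshots["vol1.snap1"].retention_seconds
    array.tick(12 * DAY)                    # real time: 14 days since creation
    array.eradicate("vol1.snap1")
    out["eradicated"] = list(array.eradicated)
    return out
```

Running `scenario()` shows the early eradication and the single-administrator policy change refused, twelve days of lock still remaining after the wall clock is moved ten years ahead, the existing snapshot keeping its original 14-day retention after the approved policy change, and eradication succeeding only once 14 days of real time have elapsed.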

The other low-hanging fruit, which has been aptly identified by several vendors, is to provide recovery guarantees, recovery SLAs, or a combination of both. These guarantees provide assurance of recovery without fundamentally changing the solution from a technical perspective (an immutable snapshot should always be recoverable). The introduction of ransomware recovery SLAs by which the client gets a loaner storage array and a guaranteed time to recover their primary data is a smart commercial offering that requires minimal R&D investment and delivers immediate value.

In contrast, proactive identification requires a much steeper R&D investment: some companies have decided to take this arduous route in the past 18 months and are now reaping the benefits of these investments by delivering outstanding value to their customers. Moving forward, proactive identification will become a decisive selection factor, especially for file-based storage systems. Although it’s less relevant for block storage solutions, organizations deploying unified storage solutions may want to keep an eye on proactive identification capabilities, particularly for deployment scenarios that include both file and block storage.

By implementing ransomware protection on primary storage systems, storage vendors enable organizations to strengthen their security posture with proactive identification and mitigation. The most advanced ransomware protection primary storage solutions ensure that primary data is minimally impacted by ransomware attacks, guaranteeing a normal flow of business operations while mitigating the consequences of financial, regulatory, and reputational impact.

Furthermore, ransomware protection on primary storage systems—and its maturity—allows storage vendors to differentiate against their competition and create new business opportunities.

8. Report Methodology

A GigaOm Sonar report analyzes emerging technology trends and sectors, providing decision-makers with the information they need to build forward-looking—and rewarding—IT strategies. Sonar reports provide analysis of the risks posed by the adoption of products that are not yet fully validated by the market or available from established players.

In exploring bleeding edge technology and addressing market segments still lacking clear categorization, Sonar reports aim to eliminate hype, educate on technology, and equip readers with insight that allows them to navigate different product implementations. The analysis highlights core technologies, use cases, and differentiating features, rather than drawing feature comparisons. This approach is taken mostly because the overlap among solutions in nascent technology sectors can be minimal. In fact, product implementations based on the same core technology tend to take unique approaches and focus on narrow use cases.

The Sonar report defines the basic features that users should expect from products that satisfactorily implement an emerging technology, while taking note of characteristics that will have a role in building differentiating value over time.

In this regard, readers will find similarities with the GigaOm Key Criteria and Radar reports. Sonar reports, however, are specifically designed to provide an early assessment of recently introduced technologies and market segments. The evaluation of the emerging technology is based on:

  • Core technology: Table stakes
  • Differentiating features: Potential value and key criteria

Over the years, depending on technology maturation and user adoption, a particular emerging technology may either remain niche or evolve to become mainstream (see Figure 3). GigaOm Sonar reports intercept new technology trends before they become mainstream and provide insight to help readers understand their value for potential early adoption and the highest ROI.

Figure 3. Evolution of Technology

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2023 "GigaOm Sonar Report for Block-Based Primary Storage Ransomware Protection" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.