Tech ONTAP Blogs

Active IQ Unified Manager 9.10 : Support for anti-ransomware events

Divya7
NetApp

Ransomware attacks are catastrophic and the biggest nightmares for organizations. We understand that ransomware protection requires more than detection and with Active IQ Unified Manager 9.10, we’ve got you covered!

I am excited to announce that we just added a new feature to Active IQ Unified Manager that will protect you in the event of a ransomware attack. ONTAP 9.10.1 introduces a ransomware detection feature in which ONTAP continuously monitors your volumes at the file level. It keeps track of entropy and file-level activity logs to determine whether the system is behaving as expected. When it sees abnormal file-level activity, ONTAP automatically generates an alert, which lets administrators investigate whether the activity is indeed malicious and take appropriate action.

Active IQ Unified Manager 9.10 brings in all the ONTAP events raised by the ransomware detection feature at the volume and storage VM level as AIQUM events. This release introduces the following new events:

 

| Event name | Impact level | Source type | Severity |
|---|---|---|---|
| Volume anti-ransomware monitoring is Enabled (Active Mode) | Event | Volume | Information |
| Volume anti-ransomware monitoring is Disabled | Risk | Volume | Warning |
| Volume anti-ransomware monitoring is Enabled (Learning Mode) | Event | Volume | Information |
| Volume anti-ransomware monitoring is Paused (Learning Mode) | Risk | Volume | Warning |
| Volume anti-ransomware monitoring is Paused (Active Mode) | Risk | Volume | Warning |
| Volume anti-ransomware monitoring is Disabling | Risk | Volume | Warning |
| Ransomware activities detected | Incident | Volume | Critical |
| Volume suitable for anti-ransomware monitoring (Learning Mode) | Event | Volume | Information |
| Volume suitable for anti-ransomware monitoring (Active Mode) | Risk | Volume | Warning |
| Volume exhibits noisy anti-ransomware alerting | Risk | Volume | Warning |
| Storage VM anti-ransomware monitoring is Disabled | Risk | SVM | Warning |
| Storage VM anti-ransomware monitoring is Enabled (Learning Mode) | Event | SVM | Information |
| Storage VM suitable for anti-ransomware monitoring (Learning Mode) | Event | SVM | Information |

 

As it does for any other ONTAP EMS event, Unified Manager offers a detailed view for anti-ransomware events on the Event Management page. As with all ONTAP events, these can be assigned, acknowledged, and marked as resolved, and alerts can be added for them.


 

You can set up alerts for the anti-ransomware events just like any other alert.


 

Not only are you alerted to potential attacks, but AIQUM also offers recommendations to fix these threats. AIQUM helps you prevent malicious cyber attacks by providing management actions through ‘Fix-It’ buttons. You can simply enable or disable the Anti-Ransomware feature on suitable volumes and storage virtual machines with these one-click remediations.

Here is what AIQUM offers as remediations to combat ransomware attacks and keep your data secure:

  • Configure Storage VM Anti-ransomware Learning - If an SVM supports all NFS/SMB protocols, it is a good candidate for trying the ARW (anti-ransomware) feature. UM raises an event and a fix-it that sets the SVM, including all newly provisioned volumes, in dry-run mode.


 

  • Configure Volume Anti-ransomware Learning - If a volume supports only the NFS/SMB protocols, it is a good candidate for trying the ARW feature. UM raises an event and a fix-it that sets the volume with the ARW feature in dry-run mode.

 


 

  • Enable Volume Anti-ransomware - When a volume has been in dry-run configuration mode for about 45 days, AIQUM raises an event and a fix-it that sets the volume with the ARW feature in active mode.


 

 

  • Disable Volume Anti-ransomware – When a high rate of false positives (e.g. 10 per 30 days) is observed as EMS events on a volume under ARW, the volume may not be suited for it. AIQUM raises an event and a fix-it to disable ARW on that volume.
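
The volume-level fix-it rules listed above can be expressed as a small check over a volume inventory. This is an added example, not AIQUM or ONTAP code: the dict fields, volume names and the order in which the rules are tried are assumptions, and only the 45-day and 10-per-30-days thresholds come from the post.

```python
from datetime import datetime, timedelta

# Thresholds as quoted in the post (both are given there as approximate values).
LEARNING_DAYS = 45
NOISY_COUNT, NOISY_WINDOW = 10, timedelta(days=30)
FILE_PROTOCOLS = {"nfs", "smb"}

def max_events_in_window(times, window):
    """Largest number of events that fall inside any one span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:   # slide the left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best

def recommend_fix(volume, now):
    """Name of the volume fix-it from the list above that applies, else None.
    `volume` is a hypothetical dict, not an AIQUM or ONTAP API object."""
    state = volume["arw_state"]             # "disabled" | "learning" | "active"
    false_pos = volume.get("false_positive_times", [])
    # Assumption: a noisy volume is flagged first, in learning or active mode.
    if state != "disabled" and max_events_in_window(false_pos, NOISY_WINDOW) >= NOISY_COUNT:
        return "Disable Volume Anti-ransomware"
    if state == "learning" and now - volume["learning_since"] >= timedelta(days=LEARNING_DAYS):
        return "Enable Volume Anti-ransomware"
    protocols = set(volume["protocols"])
    if state == "disabled" and protocols and protocols <= FILE_PROTOCOLS:
        return "Configure Volume Anti-ransomware Learning"
    return None

NOW = datetime(2022, 3, 1)                  # constructed reference time
SAMPLE_VOLUMES = [                          # constructed sample inventory
    {"name": "vol_home", "protocols": ["nfs"], "arw_state": "disabled"},
    {"name": "vol_lun", "protocols": ["iscsi"], "arw_state": "disabled"},
    {"name": "vol_proj", "protocols": ["smb"], "arw_state": "learning",
     "learning_since": NOW - timedelta(days=50)},
    {"name": "vol_build", "protocols": ["nfs"], "arw_state": "active",
     "false_positive_times": [NOW - timedelta(days=d) for d in range(1, 13)]},
    {"name": "vol_arch", "protocols": ["nfs"], "arw_state": "active",
     "false_positive_times": [NOW - timedelta(days=9 * d) for d in range(10)]},
]

def triage(volumes=SAMPLE_VOLUMES, now=NOW):
    return {v["name"]: recommend_fix(v, now) for v in volumes}

if __name__ == "__main__":
    for name, fix in triage().items():
        print(f"{name:10} -> {fix or 'no action'}")
```

The `vol_arch` entry has ten false positives spread over roughly three months, so it never reaches ten inside a single 30-day window and is left alone, unlike `vol_build`.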


 

Try It Out!

Now that you’ve read about our new Anti-Ransomware support feature, we hope it entices you to update and try Active IQ Unified Manager 9.10.

If you would like more information, contact us (ng-aiqum-feedback@netapp.com) and we would be happy to answer your questions.

 
