Tech ONTAP Blogs

Introducing Autonomous Ransomware Protection Powered by AI in NetApp ONTAP 9.17.1

MikeFoley2
NetApp

Understanding ARP/AI Functionality

ARP/AI operates by analyzing file characteristics without accessing actual file contents, preserving data privacy while identifying suspicious encrypted files through probabilistic modeling.

  1. It monitors saved data for signals such as data entropy, indications of encrypted content, and file headers to detect potential ransomware without opening files.
  2. Upon detection, ARP/AI can automate responses such as taking an immutable snapshot, creating evidence, and generating alerts; with additional services such as Ransomware Protection Services in NetApp Console, it can also block the offending user.

Data Safety and AI Model Design

The AI model is purpose-built for ransomware detection; it has no command-line access and is not used for any other task. It assigns probabilities to modified files indicating the likelihood of malicious encryption, and no file content is used for training or decision-making.

Evolution of ARP/AI

Since its initial introduction in ONTAP 9.10.1 with basic detection capabilities and learning modes, ARP/AI has undergone significant advancements. The pretrained model and automatic model updates introduced in ONTAP 9.16.1 have continued to enhance its functionality.

Model Training Process

ARP/AI models are trained in a lab sandbox using clean files from open datasets, which are exposed to known malware to generate corrupted (encrypted) files. See Figure 1 for a visual explanation of the process.


Figure 1 – Generating the AI Model Package for ONTAP

To ensure data safety, ARP/AI creates snapshots every four hours and additional snapshots upon ransomware detection. These snapshots allow rollback to pre-infection states and are marked for deletion after specified retention periods, which users can adjust. See Figure 2 for an explanation of how this works.


Figure 2 – How ARP/AI uses Snapshots to protect data in ONTAP 9.17.1


ARP/AI for SAN Environments

Introduced in ONTAP 9.17.1, ARP/AI for SAN detects ransomware at the volume level using data entropy. It reports volumes infected by ransomware without pinpointing specific files inside complex storage like VMDKs, enabling rollback of entire volumes. This capability is now also available in NetApp’s new ASA r2 storage systems.

Figure 3 below shows that on NFS/CIFS volumes ARP/AI detects ransomware at the file level. The example shows regular files (.docx, .jpg, etc.) and VMware VMDK virtual disk files. If there is ransomware within a virtual disk, ARP/AI would point you at the VMDK but is unable to “see inside” the VMDK to identify the infected file itself.

ARP/AI for SAN will show you which volume contains ransomware. In the example, there is a LUN on the SAN volume, and it is formatted with VMware’s VMFS file system.

On that file system are two virtual machines and their files. If ransomware got into one of the virtual machines, ARP/AI would flag the whole VOLUME as suspect. This is because ARP/AI for SAN detects ransomware at the block level: ONTAP has no visibility into either the VMFS file system or the VMDKs that reside on it.


Note that the VMFS file system is only used as an example. ARP/AI for SAN is agnostic to the contents of the SAN volume because it looks for ransomware at the volume/block level, not at the LUN or file system level. This means the virtual machine could be running on a different hypervisor with a different file system.


In either case, file or SAN, you are notified that ransomware has been detected, and you can respond automatically with a snapshot and/or additional methods specific to your environment.


Figure 3 – ARP/AI for Block vs NFS/CIFS


Beginning with ONTAP 9.17.1, ARP requires an evaluation period to determine whether the entropy levels of a SAN volume’s workloads are suitable for ransomware protection. After ARP is enabled on a SAN volume, it monitors data continuously during the evaluation period to determine an optimal encryption threshold. ARP distinguishes between suitable and unsuitable workloads in the evaluated SAN volume and, if the workloads are determined to be suitable for protection, automatically sets an encryption threshold based on the evaluation period statistics.
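To make the two ideas above concrete (entropy as the detection signal from the functionality list, and an evaluation period that learns a per-volume encryption threshold and rules out unsuitable workloads), here is an added, illustrative Python sketch. It is not NetApp’s ARP/AI algorithm or ONTAP code; the 4 KiB block size, the 7.5 bits/byte “looks encrypted” cutoff, the three-sigma margin and the 0.5 suitability cutoff are assumptions chosen for the demonstration, and the workload data is constructed inline.

```python
"""Illustrative block-entropy ransomware detector with an evaluation period.
Not ONTAP/ARP code; all thresholds below are assumptions for the demo."""
import math
import random
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Optional

BLOCK_SIZE = 4096          # assumption: treat every 4 KiB of writes as one block
HIGH_ENTROPY_BITS = 7.5    # assumption: >= 7.5 bits/byte looks encrypted or compressed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant block,
    8.0 for uniformly random bytes (which is what good ciphertext looks like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_fraction(writes: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Fraction of blocks in a batch of writes whose entropy looks like ciphertext."""
    blocks = [writes[i:i + block_size] for i in range(0, len(writes), block_size)]
    if not blocks:
        return 0.0
    hot = sum(1 for b in blocks if shannon_entropy(b) >= HIGH_ENTROPY_BITS)
    return hot / len(blocks)


class EntropyMonitor:
    """Learns a threshold from the evaluation period, then flags batches above it.
    A workload that already writes mostly high-entropy data (pre-encrypted or
    compressed) leaves entropy no room to signal an attack and is marked unsuitable."""

    def __init__(self, eval_batches: int = 8, sigmas: float = 3.0, min_margin: float = 0.10):
        self.eval_batches = eval_batches
        self.sigmas = sigmas            # assumption: mean + 3 sigma of the baseline
        self.min_margin = min_margin    # assumption: never set the bar closer than +10%
        self.history: List[float] = []
        self.threshold: Optional[float] = None
        self.suitable: Optional[bool] = None

    def observe(self, writes: bytes) -> Dict[str, object]:
        frac = high_entropy_fraction(writes)
        if self.threshold is None:                       # still in the evaluation period
            self.history.append(frac)
            if len(self.history) >= self.eval_batches:
                self._finish_evaluation()
            return {"state": "evaluating", "fraction": frac, "suspect": False}
        if not self.suitable:
            return {"state": "unsuitable", "fraction": frac, "suspect": False}
        return {"state": "protected", "fraction": frac, "suspect": frac > self.threshold}

    def _finish_evaluation(self) -> None:
        mu, sigma = mean(self.history), pstdev(self.history)
        self.suitable = mu < 0.5                         # assumption: baseline already >50% "encrypted" => no signal
        self.threshold = min(1.0, mu + max(self.sigmas * sigma, self.min_margin))


def constructed_workload(seed: int = 7):
    """Constructed sample data (not captured from a real system): an evaluation
    period of text-like writes with a few legitimately compressed blocks, then a
    batch in which every block has been rewritten as ciphertext."""
    rng = random.Random(seed)
    words = [b"invoice", b"quarterly", b"report", b"customer", b"status", b"pending", b"approved", b"\n"]

    def text_batch(n_blocks: int, compressed_blocks: int) -> bytes:
        out = bytearray()
        for _ in range(n_blocks - compressed_blocks):
            block = bytearray()
            while len(block) < BLOCK_SIZE:
                block += rng.choice(words) + b" "
            out += block[:BLOCK_SIZE]
        out += rng.randbytes(compressed_blocks * BLOCK_SIZE)   # e.g. a .zip or .jpg being saved
        return bytes(out)

    evaluation = [text_batch(64, rng.randint(0, 4)) for _ in range(8)]
    attack = rng.randbytes(64 * BLOCK_SIZE)                     # mass encryption of the whole range
    return evaluation, attack


def run_demo() -> List[Dict[str, object]]:
    """Feed the constructed workload through the monitor; returns one verdict per batch."""
    evaluation, attack = constructed_workload()
    monitor = EntropyMonitor(eval_batches=len(evaluation))
    results = [monitor.observe(batch) for batch in evaluation]
    results.append(monitor.observe(attack))
    return results


if __name__ == "__main__":
    for i, r in enumerate(run_demo()):
        print(f"batch {i}: state={r['state']} high_entropy_fraction={r['fraction']:.3f} suspect={r['suspect']}")
```

The point of the sketch is the shape of the decision, not the numbers: nothing is flagged during evaluation, the threshold is derived from what the volume normally writes, and a volume whose baseline is already mostly high-entropy is declared unsuitable rather than left to raise false alarms. A real block-level detector also has to cope with legitimately encrypted or compressed workloads gradually growing over time, which this toy baseline does not model.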

User Interface and Thresholds

Enabling ARP/AI is straightforward. The AI triggers on multiple signals, detecting abnormal entropy spikes and suspected ransomware, with thresholds that adjust automatically.


This is best covered in the documentation.

Wrap Up

To wrap things up, ARP/AI for ONTAP 9.17.1 is a great improvement in your security posture. Now it’s not just for file shares but for your SAN workloads as well! You are alerted immediately in ONTAP or via SYSLOG to your SIEM that ransomware has been found and a Ransomware discovery snapshot has been taken.

It’s been my personal belief for many years that the further down into the infrastructure we can push security, as close to the data as possible, the better the security. ARP/AI for ONTAP is another great feature that brings that capability to your storage.


Oh, and did I mention that it’s free? That’s right, it’s built in (not bolted on like some solutions!) and part of ONTAP. Give it a try, let us know what you think. It’s easy to enable (or disable if you really must) and will give you peace of mind should the bad actors decide you are their next target.
