[ NOTE: machine translation with the help of DeepL translator without additional proofreading and spell checking ]
In the first part of this blog series (Part 1), I gave a brief introduction to the topic of ransomware attacks. This article is about the use of a protection mechanism that prevents the unintentional and irrevocable deletion of data on your storage systems during cyber attacks.
Don't give ransomware a chance!
Be aware of ransomware and activate "SafeMode" as a protection mechanism - your "last line of defense" on Pure Storage.
Pure Storage SafeMode enables organizations to protect their data from malicious attacks. SafeMode creates read-only snapshots of production data and/or backups together with their associated metadata. SafeMode snapshots cannot be deleted, encrypted or modified. When SafeMode is enabled, no one can delete snapshots for a fixed period of time, not even attackers who manage to gain administrator privileges on the Pure Storage systems. Should you wish to make adjustments within SafeMode such as:
Add/remove authorized persons
the above operations are only possible after a clearly defined process has been completed, which includes:
Change Request via Support Case (Pure Storage)
Authorization of the requester as an authorized "Named Account" for changes, using a PIN (defined for each Named Account during setup)
Authorization takes place exclusively by telephone *
This procedure is similar to two-factor authentication (2FA).
SafeMode is the life insurance for your company data in the event of a ransomware attack!
Added value when you store your data on Pure Storage systems:
SafeMode - protection of your data/metadata
Rapid Restore - fastest recovery after a ransomware attack thanks to NVMe End-to-End
SafeMode, like all Purity software features (implemented or planned) without exception, is included as part of your Pure Storage Evergreen subscription; you don't pay a single additional Euro/$ to use it.
Meanwhile, the SafeMode feature is embedded in all Purity OEs. However, the preferred system for SafeMode is clearly FlashBlade (Purity OE FlashBlade). SafeMode works with FlashBlade, FlashArray and, NEW!, Cloud Block Store (CBS). Depending on the platform, SafeMode differs minimally, but the same protection is achieved with each product.
SafeMode FlashBlade vs. FlashArray
SafeMode for CBS
Cloud Block Store also supports SafeMode since Purity 6.1. CBS SafeMode works in the same way as FlashArray.
The right SafeMode strategy
In the event of an attack, the first thing to do is to determine when encryption began, in order to find out which of the most recent SafeMode-protected data sets (the last uncompromised copy) can be used for recovery. Most attacks are detected within a few hours. Once the vulnerability is closed, recovery can begin. After successful recovery, the environment/data can be cleaned of any remnants of the malware. Such a "washing" of the data can take several days.
Basically, when configuring SafeMode, I always advise customers to divide their infrastructure into different lines of defense:
First Line of Defense = Technologies to detect and avert ransomware attacks ahead of time.
Datacenter Security Breach (assumes failure of the first line of defense) = Technologies to quickly clean up ongoing ransomware attacks (partial encryption) in the data center on primary storage. Data recovery without mandatory restore from backup storage.
Last Line of Defense (assumes failure of the "Datacenter Security Breach") = Technologies to ensure backup recoverability in the event of a widespread ransomware attack (full encryption) in the data center. A data recovery with mandatory restore from backup storage.
For the first point of the defense strategy, one has to look for suitable technologies beyond storage systems. Pure Storage does not have a product in its portfolio that meets such a requirement; the specialized security vendors are the better experts here anyway.
If encryption starts to spread in the production environment but is detected early, it is helpful to have SafeMode active with a short retention of between 3 and 14 days. This gives you a quick way back without having to touch the actual backups at all. The same applies to remote sites, which usually have limited bandwidth anyway, so full restores from HQ take correspondingly long.
If, in the worst case, a ransomware attack has been able to run largely undetected over a period of several hours or a weekend, there is usually only one way to go: restore from fast backup storage. Depending on how large your data stock is, I recommend a retention of 14 to 30 days here. A longer retention increases the probability that really 100% of your data can be restored, even when the encryption has been running slowly and stealthily for a long time.
SafeMode is not limited to an all-Pure Storage infrastructure. If you are using other storage vendors (DELL, NetApp, HPE, Huawei, ...) in your data center today, a FlashBlade or FlashArray (as appropriate) is sufficient for the time being to store your backup data within Purity and secure it against ransomware attacks using SafeMode.
There is an official Pure Storage reference story about an attacked hospital that was able to recover from the ransomware attack within 3 days thanks to SafeMode: Pure Accelerates Hospital’s Recovery from Ransomware Attack.
I have written a PowerShell script that sends a daily report of pending deletions (objects still within the SafeMode retention) by mail to the responsible persons, to gain additional monitoring of the behavior of the storage systems. See my post from January 19, 2021: FlashArray: Eradication Pending Reporting - PowerShell Script available - ask me.
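As an added example (not the author's script mentioned above), here is a PowerShell report of that kind: it lists destroyed volumes and snapshots that are still in the eradication-pending window and mails them to the storage team, flagging anything close to leaving SafeMode protection. It assumes the Pure Storage PowerShell SDK 2 cmdlets Connect-Pfa2Array, Get-Pfa2Volume, Get-Pfa2VolumeSnapshot and Disconnect-Pfa2Array, a TimeRemaining property in milliseconds on destroyed objects, and placeholder endpoint and mail settings; check the parameter names against your installed SDK version.

```powershell
# Added example, not the author's script. Daily report of Purity objects that are destroyed
# but still pending eradication (i.e. still inside the SafeMode retention window).
# Assumed: Pure Storage PowerShell SDK 2 cmdlets and a TimeRemaining property in milliseconds.
param(
    [string]$ArrayEndpoint = 'flasharray.example.internal',      # placeholder
    [string]$MailTo        = 'storage-oncall@example.internal',  # placeholder
    [string]$MailFrom      = 'purity-report@example.internal',   # placeholder
    [string]$SmtpServer    = 'smtp.example.internal',            # placeholder
    [int]$WarnIfRemainingHours = 24   # flag objects about to leave SafeMode protection
)

# Turn a list of destroyed objects into report rows. Kept independent of the SDK so the
# logic can be checked with hand-made test objects.
function Get-EradicationPendingReport {
    param([object[]]$Objects, [string]$Kind, [int]$WarnHours)
    foreach ($o in $Objects) {
        $remaining = [TimeSpan]::FromMilliseconds([double]$o.TimeRemaining)
        [pscustomobject]@{
            Kind           = $Kind
            Name           = $o.Name
            RemainingHours = [math]::Round($remaining.TotalHours, 1)
            EradicatesAt   = (Get-Date).Add($remaining).ToString('yyyy-MM-dd HH:mm')
            Urgent         = ($remaining.TotalHours -le $WarnHours)
        }
    }
}

$cred = Get-Credential -Message "Read-only Purity account for $ArrayEndpoint"
$fa   = Connect-Pfa2Array -Endpoint $ArrayEndpoint -Credential $cred -IgnoreCertificateError
try {
    $rows  = @(Get-EradicationPendingReport -Objects @(Get-Pfa2Volume -Array $fa -Destroyed $true) `
                 -Kind 'Volume' -WarnHours $WarnIfRemainingHours)
    $rows += @(Get-EradicationPendingReport -Objects @(Get-Pfa2VolumeSnapshot -Array $fa -Destroyed $true) `
                 -Kind 'Snapshot' -WarnHours $WarnIfRemainingHours)
}
finally {
    Disconnect-Pfa2Array -Array $fa
}

# Every pending deletion deserves a human look: with SafeMode on, even a compromised admin
# account cannot eradicate, but the objects must be recovered before the retention expires.
$urgent  = @($rows | Where-Object Urgent).Count
$subject = "[$ArrayEndpoint] $($rows.Count) object(s) pending eradication, $urgent within $WarnIfRemainingHours h"
$body    = 'No destroyed objects pending eradication.'
if ($rows.Count -gt 0) {
    $body = $rows | Sort-Object RemainingHours | Format-Table -AutoSize | Out-String
}
Send-MailMessage -To $MailTo -From $MailFrom -Subject $subject -Body $body -SmtpServer $SmtpServer
```

Run it from a scheduled task under a read-only Purity account; a sudden jump in the object count, or many objects destroyed at the same time, is the signal the retention window is there to give you.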
More info - Links
All officially documented settings, for the GUI as well as the CLI, can be looked up in the "on-board" user guides of the Pure Storage systems.
Click on "Help" in the Purity main menu.
The User Guide is structured like the main menu and can be expanded section by section. A search function is also integrated, so you can search it for keywords.
WEB: Pure Storage (Pure1) support portal - Ticket system and support *(requires registered FlashSystems)
PHONE: Pure Storage phone support: GER - (+49) (0)800 7239467; INTERNATIONAL - (+1) 650 7294088