How to Stop Ransomware Before The Damage Is Done

NTP Software Defendex™ Product Analysis

Ransomware is, for good reason, top of mind right now. Most of the strategies under discussion are responses to an attack, not ways to detect and stop one. And because ransomware is such a profitable "business," new versions will keep appearing, each smarter than the last. The attack strategies in use today are already adapting to target the organization's response measures, such as snapshots, replication and backups, and each uses increasingly sophisticated social engineering. But there are some foundational elements of a ransomware attack which, if IT monitors and acts on them, can stop ransomware before it spreads.

How Ransomware Works

Ransomware works by encrypting files so the affected organization can no longer access them. It typically gains access to the files by hijacking a user's account and uses that account's permissions to encrypt every file the account can modify. Sophisticated ransomware also identifies which of the files it touches can be used to spread the infection further and modifies them to do so.

The victim of the attack has to pay a ransom to get the “key” to decrypt the files.

To encrypt a file, the application performing the encryption has to open the file, read its contents, and write the encrypted contents back to storage, either over the original or as a replacement file after which the original is deleted. Either way, the encryption shows up as a burst of write (and possibly delete) activity against the file store, which is what makes it observable.

NTP Software’s Defendex – The Right Ounce of Prevention

It’s said that an ounce of prevention is worth a pound of cure. While the ability to recover encrypted data is important (many pounds of cure), what IT really needs is the ability to stop a ransomware attack before it can do that much damage (an ounce of prevention). NTP Software’s Defendex does just that.

Defendex is a software solution that watches how your file data is used. It can be focused on specific assets, or it can monitor all of your files. Defendex has real-time access to everything that happens to your file data. It can show what files are changing and who is making the changes.

The product has been available since before ransomware ever existed, but its file-monitoring capabilities make it well suited to limiting the damage of a ransomware attack. Defendex tracks the number of files an individual user changes over a given period of time. A few such changes are likely to be an actual human doing work. Hundreds or thousands of changes in a short period is exactly what ransomware does.

If Defendex detects a particular account making a high number of changes in a very short period of time, it can disable that account, stopping the ransomware in its tracks, and send an alert to IT administration.

Defendex is policy-based, so prevention happens automatically; time is of the essence. For example, a policy can be set to disable a user account once it reaches a certain change-per-minute threshold. Since we expect a user to change at most a few files per minute, a policy that triggers at 10 file modifications in a minute should be enough to identify and stop a ransomware attack or a virus, with only 10 files having been encrypted instead of the thousands or tens of thousands in a typical attack. The threshold does need tuning to the environment: accounts that legitimately touch many files in a short time (backup jobs, build or sync agents, a user bulk-renaming or restoring a folder) must be excluded or given a higher limit, or the policy will disable them instead of the attacker.

Once the policy triggers, Defendex disables the user account. IT can then use Defendex to determine where the offending ransomware package is and eliminate it. The software also reports which files the account changed during the attack, so IT knows exactly which files need to be restored from the backup system.

Defendex does not replace a good backup system but it does significantly shrink the organization’s risk profile and the size of any recovery effort.

Protection From WikiLeaks Too

Ransomware is only one threat facing IT. While data is encrypted during a ransomware attack, it is not stolen from the organization. The other threat is data leakage and, at its extreme, data theft. Leakage is generally an "employee-driven" event in which an employee copies data to a USB drive or to the cloud. An example might be an employee copying data to a USB drive before leaving the company with the intent of using that data in a new job, such as a salesperson copying a list of accounts and contacts.

Watch Storage Switzerland and NTP Software's CEO discuss using archiving to protect against ransomware in our ChalkTalk video, "WannaCry, Snowden, Wikileaks… Is Your Data Next?"

Theft is more often the case of a hacker stealing data with the specific intent of damaging the company's reputation or extorting money from the organization. A recent example is the theft of the new Pirates of the Caribbean movie from Disney, which will soon open in theaters. The hackers are threatening to release the movie to the public in the days before its release unless Disney pays. Disney, at last report, is refusing to pay.

Defendex can also alert IT if data is being inappropriately copied. Different files can be given different sensitivity levels based on type, location, or even a specific name. If someone copies these in an unapproved manner, anything other than a backup, an alert can be raised and the connection shut down.

Inappropriate deletes can be managed similarly. Just as an unhappy employee may take data they shouldn't, sometimes the payback is simply to delete everything. (Even if it's not irretrievably lost, it's costly to recover and disruptive to the business.) Another simple policy stops serial deletes before serious damage can occur.
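The two rules this page describes, the change-per-minute rule in "The Right Ounce of Prevention" above and the serial-delete rule here, are both sliding-window rate limits keyed on the account and the kind of file operation. The Python below is an added example written for this article to show how such a policy engine behaves; it is not Defendex's code and does not describe its internals. The audit-line format, the account names, the allowlisted backup account, the thresholds and the sample activity are all constructed assumptions for the demonstration.

```python
"""Rate-based file-activity policy: disable an account that modifies or deletes
too many files inside a time window, and report the files it touched.
Example code for this article, not NTP Software's Defendex."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: reaching this many operations of a kind by one account inside
# the window triggers the rule (a "10 changes a minute" rule and a serial-delete rule).
POLICY = {
    "MODIFY": (10, timedelta(minutes=1)),
    "DELETE": (5, timedelta(minutes=1)),
}
# Assumed allowlist: accounts whose bulk activity is expected (backup jobs,
# build agents) and would otherwise trip the rule.
EXEMPT_ACCOUNTS = {"backupsvc"}


def parse_line(line):
    """Parse one constructed audit line: '<ISO time> <account> <op> <path>'."""
    ts, account, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), account, op, path


def evaluate(lines, policy=POLICY, exempt=EXEMPT_ACCOUNTS):
    """Replay audit lines in time order and return the policy hits.

    Each hit names the account to disable, the operation kind, the time of the
    triggering event and the files touched inside the window, i.e. the set an
    administrator would restore from backup after the account is stopped.
    """
    windows = defaultdict(deque)      # (account, op) -> deque of (ts, path)
    disabled = set()                  # accounts already shut off by a hit
    hits = []
    for line in lines:
        ts, account, op, path = parse_line(line)
        if op not in policy or account in exempt or account in disabled:
            continue                  # reads, allowlisted and disabled accounts are ignored
        limit, span = policy[op]
        dq = windows[(account, op)]
        dq.append((ts, path))
        while dq and ts - dq[0][0] > span:   # drop events older than the window
            dq.popleft()
        if len(dq) >= limit:
            disabled.add(account)            # the "disable the account" action
            hits.append({
                "account": account,
                "op": op,
                "triggered_at": ts,
                "files": [p for _, p in dq],
            })
    return hits


def burst(start, account, op, n, step_seconds, prefix):
    """Generate n constructed audit lines for one account, step_seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [
        f"{(t0 + timedelta(seconds=i * step_seconds)).isoformat()} "
        f"{account} {op} {prefix}{i:03d}.docx"
        for i in range(n)
    ]


# Constructed sample activity, in time order.
SAMPLE_LOG = (
    # alice edits normally: four saves spread over several minutes
    burst("2017-06-01T09:00:00", "alice", "MODIFY", 4, 90, "/share/finance/report_")
    # the backup service rewrites 30 files in 30 seconds but is allowlisted
    + burst("2017-06-01T09:10:00", "backupsvc", "MODIFY", 30, 1, "/share/finance/report_")
    # bob's account is hijacked: 25 files rewritten in 50 seconds
    + burst("2017-06-01T09:20:00", "bob", "MODIFY", 25, 2, "/share/hr/")
    # a read is not counted by either rule
    + ["2017-06-01T09:25:00 dave READ /share/hr/000.docx"]
    # carol serially deletes a project directory
    + burst("2017-06-01T09:30:00", "carol", "DELETE", 8, 3, "/share/eng/spec_")
)

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_LOG):
        print(f"disable {hit['account']}: {len(hit['files'])} {hit['op']} events "
              f"inside the window, last at {hit['triggered_at']}")
        print("  restore from backup:", ", ".join(hit["files"]))
```

Run as written, the policy disables bob on the tenth modification (at 09:20:18, with exactly ten files to restore) and carol on the fifth delete, while alice's slow edits and the allowlisted backup job never trigger. The window check matters: ten changes spread over more than a minute fall out of the window one by one and do not fire, which is the difference between a per-minute rate rule and a plain running count.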

StorageSwiss Take

Defendex did not start life as a solution to ransomware; it was a product before the term was coined. That is what makes it effective against not only current but future attacks. There is no question that ransomware attacks are becoming more sophisticated by the day, but they still have to change a file in order to work. The same holds true for data theft: to steal data, someone has to copy it somewhere.

Defendex is an ideal aid for limiting the damage of an attack, both now and in the future. The good news is that it also provides day-to-day value that organizations will come to count on, in addition to protection from current and future hacks.

Sponsored by NTP Software

Twelve years ago George Crump founded Storage Switzerland with one simple goal: to educate IT professionals about all aspects of data center storage. He is the primary contributor to Storage Switzerland and is a heavily sought-after public speaker. With over 25 years of experience designing storage solutions for data centers across the US, he has seen the birth of such technologies as RAID, NAS and SAN, virtualization, cloud and enterprise flash. Prior to founding Storage Switzerland he was CTO at one of the nation's largest storage integrators, where he was in charge of technology testing, integration and product selection.
