Managing cyber security recommendations for your data sources

Use the BlueXP ransomware protection Dashboard to get a high-level overview of the cyber resilience of all your BlueXP (formerly Cloud Manager) working environments and additional data sources. You can drill down in each area to find more details and possible remediations.

From the BlueXP left navigation menu, select Governance > Ransomware protection.

A screenshot of the BlueXP ransomware protection dashboard.

The Ransomware Protection Score panel provides a simple way to see how resilient your data is to a ransomware attack. It aggregates all the actions that are recommended to improve your data security posture and cyber resiliency. This panel works in conjunction with the Recommended Actions panel. There are two parts to the Ransomware Protection Score panel:

  • The overall protection score for your data (0-100% protected).

    The score is based on a weighted calculation of all the possible recommendations.

  • How many recommended actions are available to raise your protection to 100% if you implement all of them.

    The three types of recommended actions are in accordance with the NIST framework for cyber security:

    • Protect

    • Detect

    • Recover

A screenshot showing the Ransomware Protection Score panel and Recommended Actions panel.

In this example page, there are seven recommended actions for the "Protect" category. The first recommendation is relevant for 258 files.

This panel supports working environments and data sources that have been added to BlueXP classification.

Note that recommendations are applicable per data source. So if the same recommendation is relevant to 3 data sources, it will be counted as 3 recommendations.

You can click the down-arrow button to expand each Recommended Action, as shown below.

A screenshot showing the Recommended Actions panel expanded to show total actions per data source.

To see the detailed list of data that has been identified as having a recommended action, click the Investigate button and you’ll be redirected to the BlueXP classification Investigation page with the list of all the files that meet the criteria for the recommended action.

Then you can decide whether you want to apply the recommended action on all those files, or on just some of them.

After you fix the recommended action, the next refresh of the Ransomware Protection Score panel (every 5 minutes) will adjust the number for the score. You can also click the Re-Scan button to update the page now.

These are the currently tracked recommended actions; each entry below gives the recommended action, a description, and a possible solution.

Reduce permissions for X sensitive items with broad permissions

Sensitive files that have open permissions have been found in your data sources by BlueXP classification. This includes all sensitive data (personal data and sensitive personal data) that has "open to organization" or "open to public" permissions.

Click the Investigate button for each data source and you’ll be redirected to the BlueXP classification Investigation page where you can view all the sensitive files at risk and take further action to reduce that risk. This includes how to reduce the broad permissions on those files.

Move X sensitive items from Y unprotected data sources to safe locations

Sensitive data has been found on unprotected data sources by BlueXP classification; these are locations where ransomware protection software is not able to protect the data. Typically, your IT organization has policies that restrict sensitive data from certain corporate locations. This recommended action allows you to identify the files that have sensitive data and move them to a safer data source, where sensitive data is allowed to be stored.

You can use BlueXP classification to quickly move these files to a better protected data source. You’ll be using the BlueXP classification capability to move source files to an NFS share.

Patch X open CVEs across Y data sources

Unpatched CVEs (Common Vulnerabilities and Exposures) have been found on your on-premises ONTAP systems and/or Cloud Volumes ONTAP systems. These issues are identified only if the BlueXP digital advisor product (formerly Active IQ Digital Advisor) is integrated with your storage systems. These are known vulnerabilities on NetApp storage systems that have fixes available to resolve the CVE. NetApp CVEs are listed on the Product Security page.

Click the Digital Advisor button for each data source and you’ll be redirected to the Security Vulnerabilities page in the BlueXP digital advisor. There you can see the details about the open CVEs and the recommended action to resolve each CVE. Often the resolution is to upgrade the ONTAP software on the system. Learn more about the Security Vulnerabilities page.

Configure your business critical data

You have not defined your business critical data policies in the Business Critical Data Configuration page. It is important for you to identify what you consider as business critical data so that possible ransomware issues with this data are brought to your attention.

Click the down-arrow button to expand the recommendation, and then click the link to open the Business Critical Data Configuration page. Then you can select the policies that define your business critical data. Learn more about configuring and selecting business critical data policies.

Back up X business critical files in Y data sources

This identifies how comprehensively your most important categories of data are backed up to the public or private cloud using BlueXP backup and recovery. This recommendation is displayed only if you have defined your business critical data. This is important in case you need to recover any data because of a ransomware attack. Only on-prem ONTAP and Cloud Volumes ONTAP working environments are identified in this recommendation.

Click the down-arrow button to expand the recommendation, and then click the Backup button for each data source and you’ll be redirected to the BlueXP backup and recovery service. There you can enable backup on the necessary volumes.

Turn on cyberstorage configurations for X data sources

This recommendation identifies whether six ONTAP capabilities that help to secure data are enabled or disabled. All the items should be enabled. The items are:

  • Snapshots - You should be creating Snapshot copies of your volumes so you can restore volume data if needed. Learn more.

  • FPolicy - You should be capturing data so you can monitor file operations in case you need to find out who made changes to files. Learn more.

  • SnapMirror - You should be creating copies of your volumes on secondary storage so you can restore volume data if needed. Learn more.

  • MAV - You should have multi-admin verification enabled so that certain operations, such as deleting volumes, can be run only after approvals from administrators. Learn more.

  • ARP - You should have Autonomous Ransomware Protection (Onbox anti-ransomware) enabled so the system can detect ransomware attempts and automatically respond to them. Learn more.

  • Version - You should be running the most current release of ONTAP software for the best performance and security. Learn more for on-premises ONTAP systems and for Cloud Volumes ONTAP systems.

See the Learn more links above for details on how to enable these six ONTAP capabilities.

Cyber Resilience Map

The Cyber Resilience Map is the main area in the dashboard. It enables you to see all your working environments and data sources in a visual manner and be able to view relevant cyber-resilience information.

A screenshot of the Cyber Resilience Map on the BlueXP ransomware protection dashboard.

The map consists of three parts:

Left panel

Shows a list of the alerts that the service monitors across all of your data sources. It also indicates the number of each particular alert that is active in your environment. Having a large number of one type of alert may be a good reason to resolve those alerts first.

Center panel

Shows all of your data sources, services, and Active Directory in a graphical format. Healthy environments have a green indicator and environments that have alerts have a red indicator.

Right panel

After you click on a data source that has a red indicator, this panel shows the alerts for that data source and provides recommendations to resolve the alert. Alerts are sorted so that the most recent alerts are listed first. Many recommendations lead you to another BlueXP service where you can resolve the issue.

These are the currently tracked alerts; each entry below gives the alert, a description, and the remediation.

High data encryption rates detected

An abnormal increase in the percentage of encrypted files, or corrupted files, in the data source has occurred. This means that there was a greater than 20% increase in the percentage of encrypted files in the past 7 days. For example, if 50% of your files are encrypted and a day later this number increases to 60%, you would see this alert.

Click the link to launch the BlueXP classification Investigation page. There you can select the filters for the specific Working Environment and Category (Encrypted and Corrupted) to view the list of all encrypted and corrupted files.

Sensitive data with wide permissions found

Sensitive data has been found in files whose access permission level is too high in a data source.

Click the link to launch the BlueXP classification Investigation page. There you can select the filters for the specific Working Environment, Sensitivity Level (Sensitive Personal), and Open Permissions to view the list of the files that have this issue.

One or more volumes are not backed up using BlueXP backup and recovery

Some volumes in the working environment aren’t being protected using BlueXP backup and recovery.

Click the link to launch BlueXP backup and recovery and then you can identify the volumes that aren’t being backed up in the working environment, and then decide if you want to enable backups on those volumes.

One or more repositories (volumes, buckets, etc.) in your data sources are not being scanned by BlueXP classification

Some data in your data sources isn’t being scanned using BlueXP classification to identify compliance and privacy concerns and find optimization opportunities.

Click the link to launch BlueXP classification and enable scanning and mapping for the items that are not being scanned.

On-box anti-ransomware is not active for all volumes

Some volumes in the on-prem ONTAP system don’t have the NetApp anti-ransomware feature enabled.

Click the link and you are redirected to the Harden your ONTAP environment panel and to the working environment with the issue. There you can investigate how best to fix the issue.

ONTAP version is not updated

The version of ONTAP software installed on your clusters is not in accordance with the recommendations from the NetApp Security Hardening Guide for ONTAP Systems.

Click the link and you are redirected to the Harden your ONTAP environment panel and to the working environment with the issue. There you can investigate how best to fix the issue.

Snapshots not configured for all volumes

Some volumes in the working environment aren’t being protected by creating volume snapshots.

Click the link and you are redirected to the Harden your ONTAP environment panel and to the working environment with the issue. There you can investigate how best to fix the issue.

File operations auditing is not turned on for all SVMs

Some storage VMs in the working environment don’t have file system auditing enabled. Enabling it is recommended so you can keep track of users' actions on your files.

Click the link and you are redirected to the Harden your ONTAP environment panel and to the working environment with the issue. There you can investigate whether you need to enable NAS auditing on your SVMs.

Ransomware incidents detected on your systems

Ransomware incidents detected on your managed systems will appear as alerts in the Ransomware incidents panel. This includes encryption events, suspicious file extensions, ransomware activity, and malicious activity. The panel will display the type of incident and whether any automatic actions have been run to try to resolve the issue. For example, a volume Snapshot copy could have been generated and sent to the cloud.

A screenshot of the Ransomware Incidents panel.

Current support is for on-premises ONTAP clusters that are running Autonomous Ransomware Protection (ARP). ARP uses workload analysis in NAS (NFS and SMB) environments to proactively detect and warn about abnormal activity that might indicate a ransomware attack. Learn more about ONTAP Autonomous Ransomware Protection.

You can click the down-arrow button to expand an incident to view the number of encrypted files identified in the suspect volume, the types of file extensions, and the time the attack occurred.

A screenshot showing the Ransomware incidents panel expanded to show automatic actions for your volumes.

You can click the Recover button if you want to attempt to recover from the ransomware attack. This brings you to the BlueXP ransomware protection Recovery dashboard where you can replace the volume with an older Snapshot copy that has not been affected by ransomware. See how to use the Recovery dashboard.

Prerequisites
  • You must have an on-premises ONTAP cluster running ONTAP 9.11 or greater.

  • You must have the Anti_ransomware license (ONTAP 9.11.1 +) installed on at least one node in the cluster.

  • Each volume that you want to protect must have ARP enabled. See how to enable Autonomous Ransomware Protection.

  • NetApp Autonomous Ransomware Protection (ARP) must have been enabled for an initial learning period (also known as "dry run") of 30 days before switching over to "active mode", so that it has enough time to assess workload characteristics and properly report suspected ransomware attacks.

Data listed by encrypted files

The Encrypted Files panel shows the top 4 data sources with the highest percentage of files that are encrypted, over time. These are typically items that have been password protected. It does this by comparing the encryption rates over the past 7 days to see which data sources have a greater than 20% increase. An increase of this amount could mean that ransomware has already attacked your system.

A screenshot of the encrypted file chart on the BlueXP ransomware protection dashboard.

Click a line for one of the data sources to view the filtered results in the BlueXP classification Investigation page so that you can investigate further.
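As an added illustration (not NetApp's code) of the rule behind the "High data encryption rates detected" alert and the Encrypted Files panel, the block below applies the 7-day, 20%-increase comparison to constructed per-day encrypted-file percentages and ranks the flagged data sources. It assumes the increase is relative to the lowest rate seen in the preceding 7 days and that "greater than 20%" is inclusive, so that the page's 50% to 60% example triggers; a baseline of 0% is treated as unbounded growth.

```python
"""Encrypted-file rate alerting, modelled on the BlueXP dashboard rule."""

from typing import Dict, List, Optional, Tuple

WINDOW_DAYS = 7     # the page compares rates over the past 7 days
THRESHOLD = 0.20    # 20% relative increase; assumption: inclusive (50% -> 60% alerts)


def encryption_growth(daily_rates: List[float]) -> Optional[float]:
    """Relative growth of the latest encrypted-file percentage versus the
    lowest percentage observed during the preceding WINDOW_DAYS samples.

    daily_rates holds one percentage per day, most recent last.
    Returns None when there is no earlier sample to compare against.
    """
    if len(daily_rates) < 2:
        return None
    latest = daily_rates[-1]
    baseline = min(daily_rates[-1 - WINDOW_DAYS:-1])   # slice clamps to start
    if baseline <= 0:
        # Assumption: encryption appearing where there was none is the
        # strongest possible signal, so report it as unbounded growth.
        return float("inf") if latest > 0 else 0.0
    return (latest - baseline) / baseline


def top_encrypted_sources(
    rates_by_source: Dict[str, List[float]], top_n: int = 4
) -> List[Tuple[str, float, float]]:
    """Return (source, latest_rate, growth) for every data source whose rate
    grew by at least THRESHOLD, ordered by latest rate, highest first, and
    truncated to top_n (the panel shows the top 4)."""
    flagged = []
    for source, rates in rates_by_source.items():
        growth = encryption_growth(rates)
        if growth is not None and growth >= THRESHOLD:
            flagged.append((source, rates[-1], growth))
    flagged.sort(key=lambda item: item[1], reverse=True)
    return flagged[:top_n]


# Constructed sample: hypothetical data source names and daily percentages.
SAMPLE_RATES: Dict[str, List[float]] = {
    "cvo-finance": [50.0, 60.0],                                # the page's example
    "onprem-hr":   [10.0, 10.0, 11.0, 10.0, 10.0, 10.0, 11.0, 11.5],  # +15%, no alert
    "nfs-eng":     [30.0, 30.0, 30.0, 30.0, 30.0, 30.0, 30.0, 40.0],  # +33%
    "smb-sales":   [20.0, 25.0, 22.0, 20.0, 21.0, 20.0, 20.0, 25.0],  # +25% vs low of 20
    "nas-legal":   [5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 7.0],          # +40%
    "s3-archive":  [0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 3.0],          # from zero
}

if __name__ == "__main__":
    for source, rate, growth in top_encrypted_sources(SAMPLE_RATES):
        print(f"{source:12s} latest={rate:5.1f}%  growth={growth:.0%}")
```

Six sources are evaluated but only four are shown, exactly as the panel truncates to its top 4; "s3-archive" is flagged but drops off the list because its absolute rate is lowest.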

Top data repositories by data sensitivity

The Top Data Repositories by Sensitivity Level panel lists up to the top four data repositories (working environments and data sources) that contain the most sensitive items. The bar chart for each working environment is divided into:

  • Non-Sensitive data

  • Personal data

  • Sensitive Personal data

A screenshot of the data sensitivity chart on the BlueXP ransomware protection dashboard.

You can hover over each section to see the total number of items in each category.

Click each area to view the filtered results in the BlueXP classification Investigation page so that you can investigate further.

Domain Administrative Group control

The Domain Administrative Group control panel shows the most recent users who have been added into your domain administrator groups so that you can see if all the users should be allowed in those groups. You must have integrated a global Active Directory into BlueXP classification for this panel to be active.

A screenshot of the users who have been added as domain admins on the BlueXP ransomware protection dashboard.

The default administrative groups include “Administrators”, “Domain Admins”, “Enterprise Admins”, “Enterprise Key Admins”, and “Key Admins”.

Data listed by types of open permissions

The Open Permissions panel shows the percentage for each type of permission that exists across all files that are being scanned. The chart is provided by BlueXP classification and it shows the following types of permissions:

  • No Open Access

  • Open to Organization

  • Open to Public

  • Unknown Access

A screenshot of the encrypted file chart on the BlueXP ransomware protection dashboard.

You can hover over each section to see the percentage and total number of files in each category.

Click each area to view the filtered results in the BlueXP classification Investigation page so that you can investigate further.

Storage system vulnerabilities

The Storage system vulnerabilities panel shows the total number of high, medium, and low security vulnerabilities that the BlueXP digital advisor tool has found on each of your ONTAP clusters. High vulnerabilities should be looked at immediately to make sure your systems are not open for attack.

Prerequisites
  • The BlueXP Connector must be installed on your premises - not deployed with a cloud provider.

  • You must have an on-premises ONTAP cluster

  • The cluster is configured in BlueXP digital advisor

  • You must have registered an existing NSS account in BlueXP to view your clusters, and to view the BlueXP digital advisor UI.

Note that you can view the BlueXP digital advisor directly by selecting Health > Digital advisor from the BlueXP menu.

A screenshot that shows the number of security vulnerabilities in your ONTAP storage systems.

Click the type of vulnerability (High, Medium, Low) you want to view for one of your clusters and you are redirected to the Security Vulnerabilities page in BlueXP digital advisor. (More about this page can be found in the BlueXP digital advisor documentation.) You can view the vulnerabilities and then follow the recommended action to resolve the issue. Oftentimes the resolution is to upgrade your ONTAP software with a point release, or full release, that resolves the vulnerability.

Status of ONTAP systems hardening

The Harden your ONTAP environment panel provides the status of certain settings in your ONTAP systems that track how secure your deployment is according to the NetApp Security Hardening Guide for ONTAP Systems and to the ONTAP anti-ransomware feature that proactively detects and warns about abnormal activity.

You can review the recommendations and then decide how you want to address the potential issues. You can follow the steps to change the settings on your clusters, defer the changes to another time, or ignore the suggestion.

This panel supports on-prem ONTAP, Cloud Volumes ONTAP, and Amazon FSx for NetApp ONTAP systems at this time.

A screenshot of the status for ONTAP hardening on the BlueXP ransomware protection dashboard.

The settings that are being tracked are listed below; each entry gives the hardening objective, a description, and the remediation.

ONTAP Anti-ransomware

The percentage of volumes that have on-box anti-ransomware activated. Valid for on-prem ONTAP systems only.
A green status icon indicates > 85% of volumes are enabled. Yellow indicates 40-85% are enabled. Red indicates < 40% are enabled.

See how to enable anti-ransomware on your volumes using System Manager.

NAS Auditing

The number of storage VMs that have file system auditing enabled.
A green status icon indicates > 85% of SVMs have NAS file system auditing enabled. Yellow indicates 40-85% are enabled. Red indicates < 40% are enabled.

See how to enable NAS auditing on SVMs using the CLI.

ONTAP Version

The version of ONTAP software installed on your clusters.
A green status icon indicates that the version is current. A yellow icon indicates that the cluster is behind by 1 or 2 patch versions or 1 minor version for on-prem systems, or behind by 1 major version for Cloud Volumes ONTAP. A red icon indicates that the cluster is behind by 3 patch versions, or 2 minor versions, or 1 major version for on-prem systems, or behind by 2 major versions for Cloud Volumes ONTAP.

See the best way to upgrade your on-prem clusters or your Cloud Volumes ONTAP systems.

Snapshots

Whether the snapshot capability is activated on data volumes, and what percentage of volumes have Snapshot copies.
A green status icon indicates > 85% of volumes have snapshots enabled. Yellow indicates 40-85% are enabled. Red indicates < 40% are enabled.

See how to enable volume snapshots on your on-prem clusters, or on your Cloud Volumes ONTAP systems, or on your FSx for ONTAP systems.
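To make the colour rules of the hardening table above concrete, here is an added example (not NetApp's code) that rates constructed cluster data with the page's thresholds: the percentage rows (> 85% green, 40-85% yellow, < 40% red) and the ONTAP Version row with its separate on-prem and Cloud Volumes ONTAP lag rules. Versions are supplied as (major, minor, patch) tuples; how ONTAP release strings map onto those three numbers is not defined on the page and is left to the reader, and minor or patch lag on Cloud Volumes ONTAP is assumed to stay green because the page states only the major-version rule for it.

```python
"""Status-icon rules from the 'Harden your ONTAP environment' panel."""

from dataclasses import dataclass
from typing import Dict, Tuple

Version = Tuple[int, int, int]   # (major, minor, patch); mapping is an assumption
GREEN, YELLOW, RED = "green", "yellow", "red"


def percentage_status(enabled: int, total: int) -> str:
    """Colour for the anti-ransomware, NAS auditing and snapshot rows."""
    if total <= 0:
        raise ValueError("nothing to rate")   # assumption: no volumes/SVMs is an error
    pct = 100.0 * enabled / total
    if pct > 85:
        return GREEN
    if pct >= 40:      # 40-85% inclusive is yellow, so exactly 85% is yellow
        return YELLOW
    return RED


def version_lag(installed: Version, current: Version) -> Tuple[str, int]:
    """(level, count): how far behind 'current' the installed release is, judged
    by the most significant component that differs."""
    for level, have, want in zip(("major", "minor", "patch"), installed, current):
        if have < want:
            return level, want - have
        if have > want:
            return "ahead", 0       # assumption: newer than 'current' counts as current
    return "patch", 0


def version_status(installed: Version, current: Version, cloud_volumes_ontap: bool) -> str:
    """Colour for the ONTAP Version row."""
    level, behind = version_lag(installed, current)
    if behind == 0:
        return GREEN
    if cloud_volumes_ontap:
        if level != "major":
            return GREEN                          # assumption, see lead-in
        return YELLOW if behind == 1 else RED     # 1 major yellow, 2 major red
    if level == "major":
        return RED                                # 1 major behind is red on-prem
    if level == "minor":
        return YELLOW if behind == 1 else RED     # 1 minor yellow, 2 minor red
    return YELLOW if behind <= 2 else RED         # 1-2 patches yellow, 3 red


@dataclass
class Cluster:
    name: str
    cloud_volumes_ontap: bool
    volumes: int
    arp_volumes: int
    snapshot_volumes: int
    svms: int
    audited_svms: int
    version: Version


def hardening_report(cluster: Cluster, current: Version) -> Dict[str, str]:
    """One colour per hardening objective for a cluster."""
    report = {
        "NAS Auditing": percentage_status(cluster.audited_svms, cluster.svms),
        "ONTAP Version": version_status(cluster.version, current, cluster.cloud_volumes_ontap),
        "Snapshots": percentage_status(cluster.snapshot_volumes, cluster.volumes),
    }
    if not cluster.cloud_volumes_ontap:   # the page marks this row on-prem only
        report["ONTAP Anti-ransomware"] = percentage_status(cluster.arp_volumes, cluster.volumes)
    return report


# Constructed sample data; names and version numbers are placeholders.
CURRENT_VERSION: Version = (9, 14, 0)
ONPREM = Cluster("onprem-lab", False, 20, 17, 9, 4, 1, (9, 12, 0))
CVO = Cluster("cvo-finance", True, 10, 0, 10, 2, 2, (8, 14, 0))

if __name__ == "__main__":
    for cluster in (ONPREM, CVO):
        print(cluster.name, hardening_report(cluster, CURRENT_VERSION))
```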

Status of permissions on your critical business data

The Business critical data permissions analysis panel shows the permissions status of data that is critical for your business. That way you can quickly assess how well you are protecting your business critical data.

A screenshot of the permissions status for the data you are managing on the BlueXP ransomware protection dashboard.

This panel shows data based on the policies you have selected in the Business Critical Data Configuration page. It shows data from the two business critical policies which have the most total files. Click the link to view or define additional policies. Learn more about configuring and selecting business critical data policies.

The graph shows permission analysis of all the data that meets the criteria from your policies. It lists the number of items that are:

  • Open to public permissions - the items which BlueXP classification considers as open to public

  • Open to organization permissions - the items which BlueXP classification considers as open to organization

  • No open permissions - the items which BlueXP classification considers as no open permissions

  • Unknown permissions - the items which BlueXP classification considers as unknown permissions

Hover over each bar in the charts to view the number of results in each category. Click a bar and the BlueXP classification Investigation page is displayed so you can investigate further about which items have open permissions and whether you should make any adjustments to file permissions.

Backup status of your critical business data

The Backup Status panel shows how different categories of data are being protected using BlueXP backup and recovery. This identifies how comprehensively your most important categories of data are backed up in case you need to recover because of a ransomware attack. This data is a visual representation of how many items of a specific category in a working environment are backed up.

Only on-prem ONTAP and Cloud Volumes ONTAP working environments that are already being backed up using BlueXP backup and recovery and scanned using BlueXP classification will appear in this panel.

A screenshot of the backup status for the data you are managing on the BlueXP ransomware protection dashboard.

Initially this panel shows data based on default categories that we have selected. But you can select the categories of data that you want to track; for example, code files, contracts, etc. See the full list of categories that are available from BlueXP classification for your working environments. Then select up to 4 categories.

After the data is populated, hover over each square in the charts to view the number of files that are backed up out of all files in the same category in the working environment. A green square means 85% or greater of your files are being backed up. A yellow square means between 40% and 85% of your files are being backed up. And a red square means 40% or fewer files are being backed up.

You can click the Backup button at the end of the row to go to the BlueXP backup and recovery interface to enable backup on more volumes in each working environment.

Data in your volumes that are being protected using SnapLock

You can use NetApp SnapLock technology on your ONTAP volumes to retain files in unmodified form for regulatory and governance purposes. You can commit files and Snapshot copies to "write once, read many" (WORM) storage, and set retention periods for this WORM-protected data. Learn more about SnapLock.

The Critical data immutability panel shows the number of items in your working environments that are being protected from modification and deletion on WORM storage by using ONTAP SnapLock technology. This allows you to view how much of your data has an immutable copy so you can better understand your backup and recovery plans against ransomware.

Prerequisites
  • The BlueXP Connector must be installed on your premises - not deployed with a cloud provider.

  • You must have an on-premises ONTAP cluster

  • You must have a SnapLock license installed on at least one node in the cluster

A screenshot of the Critical data immutability panel for your ONTAP storage systems.

This panel shows data based on the policies you have selected in the Business Critical Data Configuration page. Click the link to view or define additional policies. Learn more about configuring and selecting business critical data policies.

The panel shows the following information for the data that matches the selected policies:

  • The number of business critical files in all of your scanned working environments that are configured to use SnapLock.

  • The number of business critical files in all of your scanned working environments, excluding those that are configured for SnapLock. Note that some of these files could be protected using a mechanism other than SnapLock.

BlueXP classification policies that include the following filters are not available in the dropdown for selected policies because they rule out important search areas:

  • Working environment name

  • Working environment type

  • Storage repository

  • File path

Keep this in mind when creating the policies you use to view your critical business data in the Critical data immutability panel.