Integration with ONTAP Autonomous Ransomware Protection

Contributors netapp-alavoie

The ONTAP Autonomous Ransomware Protection (ARP) feature uses workload analysis in NAS (NFS and SMB) environments to proactively detect and warn about abnormal in-file activity that might indicate a ransomware attack.

Additional details and license requirements about ARP can be found here.

Cloud Secure integrates with ONTAP to receive ARP events and provide an additional analytics and automatic responses layer.

Cloud Secure receives the ARP events from ONTAP and takes the following actions:

  1. Correlates volume encryption events with user activity to identify who is causing the damage.

  2. Implements automatic response policies (if defined)

  3. Provides forensics capabilities:

    • Allow customers to conduct data breach investigations.

    • Identify what files were affected, helping to recover faster and conduct data breach investigations.

Prerequisites

  1. Minimum ONTAP version: 9.11.1

  2. ARP enabled volumes. Details on enabling ARP can be found here. ARP must be enabled via OnCommand System Manager. Cloud Secure cannot enable ARP.

  3. Cloud Secure collector should be added via cluster IP.

  4. Cluster level credentials are needed for this feature to work. In other words, cluster level credentials must be used when adding the SVM.

User permissions required

If you are using cluster administration credentials, no new permissions are needed.

If you are using a custom user (for example, csuser) with permissions given to the user, then follow the steps below to give permissions to Cloud Secure to collect ARP related information from ONTAP.

For csuser with cluster credentials, do the following from the ONTAP command line:

security login rest-role create -role arwrole -api /api/storage/volumes -access readonly -vserver <cluster_name>
security login rest-role create -api /api/security/anti-ransomware -access readonly  -role arwrole -vserver <cluster_name>
security login create -user-or-group-name csuser -application http -authmethod password -role arwrole

Sample Alert

A sample alert generated due to ARP event is shown below:

ONTAP ARP Example Screen

A high confidence banner indicates the attack has shown ransomware behavior along with file encryption activities.
The encrypted files graph indicates the timestamp at which the volume encryption activity was detected by the ARP solution.

Limitations

In the case where an SVM is not monitored by Cloud Secure, but there are ARP events generated by ONTAP, the events will still be received and displayed by Cloud Secure. However, Forensic information related to the alert, as well as user mapping, will not be captured or shown.