NetApp is previewing its ONTAP AI-powered automated ransomware protection service, which UK-based testing lab SE Labs says can detect 99% of ransomware attacks.
ONTAP’s ARP/AI service detects ransomware attacks against data in NetApp arrays in real time. SE Labs, the testing facility, provides independent testing and consulting services to cybersecurity vendors and end users, gives top products A, AA, or AAA awards, and also funds its own comparative studies and awards. SE Labs tested NetApp ARP/AI against hundreds of known ransomware variants, and it achieved a 99 percent detection rate. NetApp ARP/AI also identified 100 percent of legitimate files correctly, with zero false positives.
“NetApp has achieved a significant milestone in the fight against ransomware as the first and only storage vendor to offer AI-driven, on-box ransomware detection with the highest level of externally validated protection effectiveness,” said Dr. Arun Gururajan, vice president of research and data science at NetApp.
He criticized the reliance on ransomware detection using backup datasets: “Ransomware detection methods that rely solely on backup data are too slow to effectively mitigate the risks enterprises face from cybersecurity threats. NetApp ARP/AI enhances enterprise storage by providing robust built-in detection capabilities that can respond to ransomware threats in real time.” Gururajan said NetApp wants to provide “the most secure storage on the planet.”
According to NetApp, ARP, first introduced in 2021, uses workload analytics in NAS (NFS and SMB) environments to proactively detect and alert on anomalous activity that may indicate a ransomware attack. Ransomware detection is based on:
- Identifying whether incoming data is encrypted or in cleartext
- Analytics of:
  - Entropy: a measure of the randomness of the data in a file
  - File extension types: extensions that do not conform to the normal file extension types
  - File IOPS: unusual spikes in volume activity due to data encryption
If an attack is suspected, ARP creates a new snapshot copy in addition to the existing protection provided by scheduled snapshot copies. After a learning period of up to 30 days, it detects the spread of most ransomware attacks even after only a small number of files are encrypted, automatically takes action to protect your data, and alerts you that a suspected attack is occurring.
ARP/AI goes further to detect ransomware attacks in near real time, including changes to file entropy, extension and header manipulation, and partial encryption.
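The signals named above (entropy, unusual extensions, header manipulation and partial encryption) can be illustrated with a short sketch. This is an added example, not NetApp's implementation: the chunk size, entropy threshold, baseline extension set and sample files are all assumptions constructed for illustration.

```python
import hashlib
import math
import os
from collections import Counter

CHUNK = 4096          # assumed analysis window in bytes
HIGH_ENTROPY = 7.5    # assumed threshold in bits per byte (maximum is 8.0)
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, roughly 4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def signals(name: str, data: bytes, baseline_exts: set) -> set:
    """Return the suspicious indicators raised by one written file."""
    found = set()
    ext = os.path.splitext(name)[1].lower()
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    hot = [c for c in chunks if shannon_entropy(c) >= HIGH_ENTROPY]
    if chunks and len(hot) == len(chunks):
        found.add("high_entropy")
    elif hot:  # only some regions look random; whole-file entropy can miss this
        found.add("partial_encryption")
    if ext not in baseline_exts:
        found.add("unusual_extension")
    magic = MAGIC.get(ext)
    if magic and not data.startswith(magic):
        found.add("header_mismatch")
    return found

def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

BASELINE = {".txt", ".pdf", ".docx"}  # constructed: extensions seen during a learning period
TEXT = (b"Quarterly report: revenue figures attached.\n" * 400)[:3 * CHUNK]
SAMPLES = {  # constructed sample files
    "notes.txt": TEXT,
    "notes.txt.lckd": pseudo_random(4 * CHUNK),
    "ledger.txt": pseudo_random(CHUNK) + TEXT,
    "invoice.pdf": pseudo_random(2 * CHUNK),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, round(shannon_entropy(data), 2), sorted(signals(name, data, BASELINE)))
```

High entropy alone also fires on legitimately compressed or media files, which is why the indicators are combined and compared against a learned baseline rather than used individually.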
No other SE Labs reports evaluate in-array malware attack detection, so a direct comparison with other suppliers is not possible. However, Infinidat has announced InfiniSafe Automated Cyber Protection (ACP), an automated cyber resilience system.
“By leveraging the real-time monitoring that exists within many enterprise security operations centers and the speed of computing at any alert level, security teams can define triggers to automatically and instantly create immutable snapshots of their Infinidat storage environments, mitigating the risks of data corruption, data deletion, data encryption, and more,” Infinidat said.
“InfiniSafe Cyber Detection performs deep scans of block, file and database stores by presenting an immutable snapshot of InfiniBox and InfiniBox SSA to a powerful AI-based scanning engine. The scan uses over 200 data points to determine what data may have been compromised with 99.5% accuracy.”
Infinidat’s Cyber Detection is based on machine learning model technology from Index Engines, which is also used by Dell and IBM.
According to NetApp, its ARP/AI detection technology continually adapts and evolves as new ransomware variants are discovered. Model parameter updates are non-disruptive and can be performed seamlessly at any time, regardless of ONTAP release cycles. ARP/AI is currently in technical preview. Customers can contact their NetApp sales representative to request participation in the technical preview.
Download the SE Labs NetApp ARP/AI report here.