Nutanix Unified Storage & Ransomware Protection on File Services
Did you know that Nutanix Unified Storage has a built-in Ransomware Protection feature? Ransomware Protection on File Services includes file blocking with automatic signature updates and ransomware file access pattern detection. When ransomware events are found you are notified as Nutanix Administrator to block the client and user or set the entire file server to read-only. A Self Service Restore (‘SSR’) snapshot is automatically taken at the time of the attack to provide a recovery point. Recovery workflows flag all files which may have been impacted and recommend which snapshot to restore. Read on to learn how to enable this feature and see an example of file blocking.
Nutanix Unified Storage
But first, what is Nutanix Unified Storage? Nutanix Unified Storage is a software-defined data services platform that simplifies enterprise data storage operations while offering the speed and flexibility needed to build modern applications and services no matter where they are deployed – on the core, cloud or edge. It offers a single platform for File, Object and Block Storage services to accommodate all your workloads and users. Do not worry about growth with the pay-as-you-grow licensing model. And, of course, all management functions available using the familiar ‘single pane of glass’ Prism web-based interface.
Enabling Ransomware Protection
Enabling the Ransomware Protection feature is quite straightforward when you have your Nutanix File Storage and File Analytics services already up and running. Have a look at the below steps to enable the feature using Prism.
- Open the main menu on the lefthand side, navigate to ‘Services’ and click on ‘Files’
- Click on the Nutanix File Storage service on which you want to enable the feature
- Click on ‘Launch File Analytics’ within the ‘File Analytics’ widget on the dashboard
- Open the menu on the lefthand side and click on ‘Ransomware’
- Click on the ‘Enable Ransomware Protection’ button
- In the pop-up window, review the settings, add ‘Ransomware Email Recipients’ if required and click on ‘Enable’
- When enabled, you will be redirect to the ‘Ransomware’ screen showing an overview of the ‘SSR Status’, ‘Block Signatures’ and ‘Infection Attempts’
The Ransomware Protection feature is now enabled and actively monitoring your Nutanix File Storage service. You can download and review the Signature list (blocked extensions) by clicking the ‘Download (.csv)’ link.
But how to know whether it works? Let’s do some testing.
File Blocking
Using a client desktop connected to the Nutanix File Storage service, we can test whether file blocking works as part of the recently enabled Ransomware Protection feature.
- Within a client desktop, create a mapped network drive using the UNC path to a share on the relevant Nutanix File Storage service
- Inside the mapped network drive, create a new file and give it any name with ‘.txt’ as file extension
- Change the file extension of that text file to ‘.jpg’ and see what happens
- As expected. Now, change the file extension from ‘.jpg’ to ‘.surprise’ and see the difference: File Blocking is not allowing you to change the file extension as it a blocked extension
- In Prism and looking at the ‘Ransomware’ dashboard inside ‘File Analytics’, you can now see ‘Infection Attempts’ information
Anomalies
Besides file blocking the Ransomware Protection feature also includes detection of Anomalies within your Nutanix File Storage service. Let’s see how that works.
- In the menu of ‘File Analytics’, click on ‘Anomalies’
- There are no rules defined yet, so click on ‘Define Anomaly Rules’ to start creating the first rule
- In the pop-up window, click on the ‘+ Define Anomaly Rules’ button
- In the next window, you can start creating the actual rules for the Nutanix File Storage service. These rules are created based on Events such as file creations, deletions, renames or permission changes. My example rule will be based on renaming a file more than 5 times within 1 hour by any user
- Click on the ✓ icon to save the new rule
- Now, change the filename of the previously created file within the client desktop more than 5 times within the next hour
- Back in ‘File Analytics’ and looking at the ‘Anomalies’ dashboard, you can now see information regarding the detected anomaly
Nutanix Data Lens
All of the above is using File Analytics on premises, which limits the features to local Nutanix File Storage services only. In contrast, Data Lens functions on a global level, in a cluster-neutral environment, without being tied to a single Nutanix cluster. Nutanix Data Lens provides a cloud-hosted analytics and monitoring service for all of your file servers hosted on Nutanix Files. Data Lens centralizes data from all of your clusters connected to Pulse, across various data center locations.
You can expect to see another post on Nutanix Unified Storage focused on Object Storage to be published on MCL in February.
Thank You & Stay Safe!
“Trust Nutanix as part of your Security Strategy”