Network-attached storage (NAS) systems such as NetApp arrays hold volumes of data that are vital to business operations. Because so many users can reach that data, protecting NetApp storage from malware is critical to operational stability and integrity. Organizations worldwide face increasingly sophisticated threat actors, and AI-powered threat detection can help level the playing field, protect business data, and stop attacks before they take hold.
The Challenge - Legacy AV solutions have long dominated storage security for NetApp, but innovation there has not kept pace with areas such as EDR and cloud security, even as threat actors have rapidly evolved. Modern threats from hackers for hire or state-sponsored actors easily evade signature-based legacy antivirus. Signatures are useful for identifying known or commodity malware, but they cannot detect novel malware. Beyond ease of evasion, signatures create administrative overhead: storage security admins get bogged down in a relentless cycle of keeping blocklists updated with the latest signatures.
Another challenging factor is the breadth of access to the data stored on NetApp arrays. Businesses rely on ready access to this data to function. Given that wide access, and the ease with which malicious files evade signature-based detection, it is easy to see why securing NetApp storage is vital to business continuity. Alongside business continuity and brand reputation, regulatory compliance is a further concern. Exact requirements vary by framework, but organizations in many industries are required to scan their network-attached storage for malware regularly. Frameworks generally do not specify how this is done, though more forward-thinking ones such as GDPR stipulate that organizations follow the principle of “data protection by design and by default” and that data protection measures take account of the technological “state of the art.”[1]
Threat Detection for NetApp - To help organizations provide continuous security for their data on NetApp storage arrays, and to reduce the risk of business disruption from advanced malware that evades signature-based alternatives, SentinelOne introduced its Threat Detection for NetApp (TD4NA). Generally available in the Singularity Cloud Data Security product line, TD4NA delivers AI-powered cloud data security that protects NetApp arrays from malware through high-performance, low-latency inline file scanning that returns verdicts in milliseconds.
When considering state-of-the-art solutions for securing your NetApp arrays, here are some factors which set SentinelOne and TD4NA apart from alternatives.
High-Speed Performance with Low Latency. NetApp invests heavily in performance optimization, so that their storage solutions offer high-speed data access with low latency.
TD4NA leverages SentinelOne’s proprietary Static AI Engine that is optimized for performance and security efficacy, having been trained on nearly 1 billion malware samples over the last decade.
TD4NA delivers verdicts in milliseconds, so users reach their data without performance bottlenecks and without compromising security. When a file is judged malicious, it is automatically encrypted and quarantined so that it cannot spread.
Fully Compatible with ONTAP. NetApp’s storage arrays run a purpose-built operating system, ONTAP, which does not host third-party endpoint agents the way a workstation or server does. Instead, ONTAP hands files off for scanning through its Vscan interface, and SentinelOne’s Threat Detection for NetApp is built to that interface.
Proven and Trusted Innovation. SentinelOne brings its malware detection technology to a data storage security market that has been dominated for years by legacy antivirus. Unlike legacy AV solutions that rely on signatures and frequent updates, SentinelOne’s solution is designed to catch novel and unknown malware without constant signature updates.
Alternatives that rely on signatures are easily circumvented: a threat actor can append padding to a sample or recompile it, and the resulting file has a new hash that matches nothing in any blocklist. In contrast, SentinelOne’s proprietary AI analyzes a file’s characteristics for indicators of malicious intent, with no signature required. All files are scanned locally, so no sensitive data leaves your network, which for some organizations is an important regulatory compliance consideration.
TD4NA respects existing user blocklists and file exclusions, so there is no need to rebuild them. It also provides threat metadata for deeper investigation and analysis. All security data, whether from cloud security, networked storage, user endpoints, or third-party security solutions, is stored in the high-performance Singularity Data Lake. This single security data repository simplifies data access, streamlines investigations, and accelerates incident response.
How It Works - The TD4NA agent is installed on a “Vscan server,” the host that NetApp’s ONTAP architecture dedicates to off-box malware scanning. System requirements for the Vscan server are documented in the SentinelOne knowledge base. More than one TD4NA agent can be configured on a single Vscan server, depending on customer requirements for redundancy or IOPS performance.
When a user writes a file to, or opens a file on, a protected share, the NetApp array sends a scan request to the Vscan server over the ONTAP Vscan interface. The TD4NA solution then works as follows:
- Scan the file.
- Report the result, both to the SentinelOne management console and to the NetApp array.
- Upon scan completion, the NetApp array grants or denies the user request, depending upon the scan verdict. If the file verdict is not malware, the user is granted access.
- If the file verdict is judged by the AI to be malware, the user request is denied and the file is automatically encrypted and quarantined by the solution. The quarantine directory is specified beforehand by the security admin. At their discretion, security admins may access the malicious file via 1-click file fetch for further analysis and sandboxing.
- All file scans are local and inline. The scan runs on the Vscan server, and the array holds the access request until the verdict arrives. The solution is optimized for performance, so scans complete within milliseconds for a low-latency user experience. One caveat for practitioners: what happens to a request when no Vscan server is reachable is decided by the array, not the scanner, through the scan-mandatory setting of the ONTAP on-access policy, so that setting should be reviewed deliberately when the scanner is deployed.
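As an added example (not SentinelOne’s or NetApp’s code), the following Python models the flow above and the padding point raised earlier: a toy on-access gate holds each request until a verdict, reports the result, encrypts and quarantines hits, lets an analyst fetch a quarantined sample back, and fails closed or open when the scanner is unreachable, mirroring the ONTAP on-access policy’s scan-mandatory setting. The exact-hash blocklist, the substring “feature” engine, the use of the EICAR test string as the sample, the HMAC-counter toy cipher and all file names are constructed for this demonstration; the vendor’s engine and quarantine format are not shown on the page.

```python
"""Toy on-access (inline) scan gate in front of a file share: scan each file before
access is granted, report the verdict, encrypt and quarantine hits. Constructed for
this article; not SentinelOne or NetApp code."""
import hashlib, hmac, json, os, tempfile, time
from dataclasses import dataclass
from pathlib import Path
from typing import Callable

# Harmless, industry-standard EICAR test string stands in for a malware sample.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Signature-style engine: exact-hash blocklist. Padding the sample by one byte
# changes the hash, so the padded copy matches nothing in the list.
HASH_BLOCKLIST = {sha256_hex(EICAR)}

def hash_engine(data: bytes) -> str:
    return "malicious" if sha256_hex(data) in HASH_BLOCKLIST else "benign"

# Content-feature engine: stand-in for a model that inspects what the file contains
# rather than its hash (a substring match here, not the vendor's AI).
def feature_engine(data: bytes) -> str:
    return "malicious" if EICAR in data else "benign"

@dataclass
class ScanReport:
    path: str
    sha256: str
    verdict: str      # malicious | benign | unknown (scanner unreachable)
    engine: str
    elapsed_ms: float
    action: str       # allow | deny | allow-unscanned | deny-unscanned

def hmac_ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream XOR (same call encrypts and decrypts).
    It makes a quarantined file inert on disk; it is not a substitute for a real AEAD."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class ScanGate:
    def __init__(self, quarantine_dir: Path, key: bytes, scan_mandatory: bool = True):
        self.quarantine_dir, self.key = quarantine_dir, key
        # Analogue of ONTAP's on-access scan-mandatory filter: fail closed or open with no scanner.
        self.scan_mandatory = scan_mandatory
        self.reports: list = []   # what would be sent to the console and the array

    def on_access(self, path: Path, engine: Callable[[bytes], str]) -> ScanReport:
        data, start = path.read_bytes(), time.perf_counter()
        try:
            verdict = engine(data)
            action = "deny" if verdict == "malicious" else "allow"
            if action == "deny":
                self._quarantine(path, data)
        except ConnectionError:
            verdict, action = "unknown", "deny-unscanned" if self.scan_mandatory else "allow-unscanned"
        report = ScanReport(str(path), sha256_hex(data), verdict, engine.__name__,
                            (time.perf_counter() - start) * 1000, action)
        self.reports.append(report)
        return report

    def _quarantine(self, path: Path, data: bytes) -> None:
        self.quarantine_dir.mkdir(parents=True, exist_ok=True)
        nonce, digest = os.urandom(16), sha256_hex(data)
        (self.quarantine_dir / f"{digest}.quar").write_bytes(nonce + hmac_ctr_xor(self.key, nonce, data))
        (self.quarantine_dir / f"{digest}.json").write_text(json.dumps({"original_path": str(path)}))
        path.unlink()             # the hit no longer sits on the share

    def fetch(self, digest: str) -> bytes:
        """Analyst-side fetch: decrypt a quarantined sample for further analysis."""
        blob = (self.quarantine_dir / f"{digest}.quar").read_bytes()
        return hmac_ctr_xor(self.key, blob[:16], blob[16:])

def demo() -> dict:
    """Exercise the gate on a clean file, the sample, a padded copy, and a scanner outage."""
    tmp = Path(tempfile.mkdtemp(prefix="scan-gate-demo-"))
    share = tmp / "share"
    share.mkdir(parents=True, exist_ok=True)
    (share / "report.txt").write_bytes(b"quarterly numbers\n")        # constructed clean file
    (share / "sample.com").write_bytes(EICAR)
    (share / "sample_padded.com").write_bytes(EICAR + b"\x00" * 16)   # "padded, recompiled" sample

    def scanner_down(data: bytes) -> str:
        raise ConnectionError("no Vscan server connected")

    gate = ScanGate(tmp / "quarantine", key=os.urandom(32), scan_mandatory=True)
    out = {"clean": gate.on_access(share / "report.txt", feature_engine).action,
           "hash_on_original": gate.on_access(share / "sample.com", hash_engine).action,
           "hash_on_padded": gate.on_access(share / "sample_padded.com", hash_engine).action}
    padded = gate.on_access(share / "sample_padded.com", feature_engine)
    out["feature_on_padded"] = padded.action
    out["padded_still_on_share"] = (share / "sample_padded.com").exists()
    out["fetched_matches"] = gate.fetch(padded.sha256) == EICAR + b"\x00" * 16
    out["down_mandatory"] = gate.on_access(share / "report.txt", scanner_down).action
    lax = ScanGate(tmp / "quarantine", key=gate.key, scan_mandatory=False)
    out["down_optional"] = lax.on_access(share / "report.txt", scanner_down).action
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows the two points side by side: the hash engine blocks the original sample but allows the padded copy (“hash_on_padded”: “allow”), while the content engine blocks both and removes the hit from the share; the last two entries show the same outage handled as deny or allow depending only on the gate’s scan-mandatory setting, which is why that policy deserves a deliberate choice.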
Conclusion - With SentinelOne’s AI-powered Threat Detection for NetApp, malware is identified and mitigated in real time, thereby minimizing dwell time and downstream data risk. All files are scanned locally so that no sensitive data leaves your network, and TD4NA is managed from the same Singularity Platform that SentinelOne customers know well.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.sentinelone.com/blog/ai-driven-real-time-malware-and-ransomware-detection-for-netapp/