Nebulon TripLine Combined Server and Storage Threat Detection for Cryptographic Ransomware
Also announced smartDefense solution to protect, detect, and recover application infrastructure from ransomware in minutes.
This is a Press Release edited by StorageNewsletter.com on May 19, 2023 at 2:00 pm
Nebulon, Inc., provider of cyber-resilient smartInfrastructure for data centres edge to core, announced TripLine, a threat detection service designed to alert customers when a cryptographic ransomware attack has been detected, as well as the precise location and point-in-time the attack occurred.
The company also announced smartDefense, a cybersecurity solution that narrows threat vectors, detects ransomware attacks, and accelerates recovery.
Despite the growing awareness about the dangers of ransomware, nearly 2/3 (63%) of the codebases in production have unpatched vulnerabilities rated ‘High’ or ‘Critical’, according to the March 2023 Unit 42 Cloud Threat Report (1). The same report also cites an average response time of approximately 6 days to a security alert, whereas it only takes a few hours for threat actors to start exploiting a newly disclosed vulnerability.
The firm’s TripLine is a combined server-storage threat detection solution for cryptographic ransomware. This smart infrastructure service can identify attacks on application data as well as the OS and application software.
It is enabled within 2 parts of the company’s solution: 1) the Secure Enclave, an isolated infrastructure domain that includes all server lights-out management, data services, boot and data volumes, and attached SSDs, and 2) the Nebulon ON cloud control plane.
ML runs in the Secure Enclave and identifies encrypted versus unencrypted blocks in real time. Every 30 seconds, these results are sent to the Nebulon ON cloud, which uses a combination of ML and statistical models to compare that data to the historical average of encrypted blocks for a given volume. A spike in encrypted blocks will generate an alert within a few minutes of the first suspicious result.
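The detection idea described above, sketched as an added example that is not Nebulon's code: each interval's share of encrypted-looking blocks is compared with that volume's own history, and a spike raises an alert. The Shannon-entropy cut-off standing in for the ML classifier, the thresholds, and every name here are assumptions; the sample blocks are constructed.

```python
import hashlib
import math
from collections import Counter, deque
from statistics import mean, pstdev

BLOCK = 4096
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed stand-in for the ML classifier

def shannon_entropy(block: bytes) -> float:
    counts, n = Counter(block), len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def encrypted_fraction(blocks) -> float:
    """Share of blocks written in one interval that look encrypted."""
    hits = sum(shannon_entropy(b) >= ENTROPY_THRESHOLD for b in blocks)
    return hits / len(blocks)

class VolumeBaseline:
    """Per-volume history of interval results, checked against each new one."""
    def __init__(self, window=20, sigmas=4.0, min_jump=0.2):
        self.history = deque(maxlen=window)
        self.sigmas, self.min_jump = sigmas, min_jump

    def observe(self, fraction: float) -> bool:
        alert = False
        if len(self.history) >= 5:  # need some history before judging
            mu, sd = mean(self.history), pstdev(self.history)
            alert = fraction > mu + max(self.sigmas * sd, self.min_jump)
        if not alert:  # keep suspicious intervals out of the baseline
            self.history.append(fraction)
        return alert

def pseudo_random_block(seed: int) -> bytes:
    # Constructed sample: hash output imitates ciphertext deterministically.
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(BLOCK // 32))

def text_block(seed: int) -> bytes:
    # Constructed sample: repetitive plaintext with low entropy.
    return (f"record {seed} status=ok user=alice\n".encode() * 200)[:BLOCK]

def run_demo():
    """Return the indices of the 30-second intervals that raised an alert."""
    baseline, alerts = VolumeBaseline(), []
    for interval in range(12):
        n_enc = 1 if interval < 10 else 9  # intervals 10-11: mass encryption
        blocks = [pseudo_random_block(interval * 10 + j) for j in range(n_enc)]
        blocks += [text_block(interval * 10 + j) for j in range(10 - n_enc)]
        if baseline.observe(encrypted_fraction(blocks)):
            alerts.append(interval)
    return alerts
```

Compressed or legitimately encrypted application data also scores high entropy, which is why the comparison is against the volume's own history rather than a fixed absolute level.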
“As a provider of Electronic Medical Records and Practice Management solutions, HIPAA compliance is a top priority for our organisation and our clients,” said Hamid Amjadi, CTO, Prime Clinical Systems, Inc. “Nebulon’s new ransomware detection service, combined with their existing recovery features, helps us better protect patient privacy and should be a checklist item for any healthcare provider looking to bolster HIPAA compliance.”
HCI, which provides no isolation between infrastructure services and application services, is particularly vulnerable to cyberattacks. When the HCI OS becomes infected, data services become unavailable and the disks that store snapshots protecting application data become compromised, making fast recovery impossible. This leaves enterprises with no choice but to re-install and reconfigure OSs and clustering software, then recover application data from backup servers which also likely have been compromised – a process that can take days or weeks.
Unlike HCI, TripLine enables ransomware detection and recovery of the entire physical infrastructure without resorting to re-installation or backups. Combined with Nebulon ON, enterprises can benefit from push-button, API-accessible recovery of all affected volumes using TimeJump, Nebulon’s 4-minute ransomware recovery service.
The company also announced smartDefense, a smartInfrastructure solution for narrowing threat vectors, detecting ransomware breaches, and accelerating recovery. It is intended to complement what organisations have in place for their cybersecurity framework, adding a solution for the deep server-storage application infrastructure. smartDefense protection relies on Nebulon ImmutableBoot, which maintains a known good version of the OS and application stack within the Secure Enclave of every server. With every reboot, the server reverts to this trusted software instance, eliminating errant firmware updates or dormant malware in the process.
smartDefense detection and recovery capabilities leverage TripLine and TimeJump. TimeJump can rapidly recover OSs, application configurations, and data, reducing recovery time from days to less than 4 minutes for multiple clusters simultaneously. With the addition of TripLine to the smartDefense solution, customers can precisely identify the point of attack within their infrastructure and revert to a secure state using TimeJump, resulting in a reduction in overall threat response and recovery time.
“The focus is shifting from perimeter-level protection to comprehensive solutions that cover the entirety of an organisation’s infrastructure, and there are woefully few options to protect the server-storage infrastructure,” said Siamak Nazari, CEO, Nebulon. “Since powerful detection and recovery services are architecturally built-in, not bolt-on, CISOs and CIOs should demand such capabilities be an inherent part of any modern infrastructure deployment.”
(1) Palo Alto Networks Unit 42, Cloud Threat Report March 2023
Resource:
Blog: Ransomware Detection – A Question of DNA