
Nebulon aims Tripline at ransomware detection in storage

Tripline claims ransomware detection from samples every 30 seconds and works in conjunction with snapshots to deliver recovery from an attack in four minutes

Nebulon has launched Tripline, a ransomware detection capability that samples input/output (I/O) every 30 seconds to test for unusual volumes of encrypted data, with claims it can send the first alerts of a ransomware attack after 2.5 minutes.

Tripline fits into an existing portfolio of ransomware protection and recovery tools from Nebulon, which it claims can help customers recover from an attack within four minutes.

“Generally, if customers are CIOs and CTOs, top of mind for them is ransomware and protecting their organisations from it,” said Craig Nunes, chief operating officer at Nebulon. “According to Gartner, 75% of organisations have had to deal with ransomware threats, so we had to have an offering with certain capabilities around security and resilience.”

Tripline samples data frequently and uses machine learning (ML) to identify anomalous patterns that indicate unusual levels of encryption. In so doing, it can alert customers to an attack and give details about when and precisely where the attack has affected data.

Nebulon is following a common theme among storage providers that have focused on the ransomware threat. In most cases, storage suppliers put more emphasis on recovery and the ability to restore data from protected snapshots. Nebulon is possibly unusual in focusing on ransomware detection, albeit in concert with recovery from snapshots.

Tripline functionality is built into the core of Nebulon’s offer – its services processing units (SPUs), which offload data services and storage management from the server, and which are managed via a cloud-based controller and admin interface. SPUs and connected flash drives form Nebulon pods and are effectively a hyper-converged infrastructure (HCI) solution.

Nebulon’s anti-ransomware functionality addresses the potential weaknesses of HCI, said Nunes.

“With HCI, data services and the storage operating system are connected. If one part becomes the attack surface, everything can be compromised. So if you can detect ransomware in data volumes and the OS [operating system], it’s going to be better.”

Tripline is intended to work with Nebulon’s Timejump to provide its claimed four-minute recovery. Tripline is enabled within the so-called Nebulon Secure Enclave, which is an isolated infrastructure domain that includes server management, data services, boot and data volumes, and attached solid-state drives (SSDs) as well as the Nebulon ON cloud control plane. 

Timejump is based on snapshots held in the secure enclave that can be recovered from when a ransomware attack has been detected. The claimed four-minute recovery is therefore dependent on the rapid detection promised by Tripline.

“Being able to detect encryption patterns quickly allows for quick recovery,” said Nunes. “It shrinks the window, which is beneficial when the average time to respond to such attacks is six days, according to research.”

But what about ransomware attacks that lead to exfiltration of data and ransom demands? Nebulon is yet to tackle that threat, but is working on it.

“Currently, the ML works around encryption,” said Nunes. “But exfiltration looks different, and the ML needs to identify different patterns, namely sequential bursts, and that’s something we’re working on.

“What we offer is very much near real time. Other tools such as those offered by the backup vendors are very good but they’re not real time and protect data only,” he added.

“Attacks often unfold from the OS, BIOS, which we watch, but we also watch application data too. The idea is that if you had a faulty electrical outlet in your home, you’d want to know when it started smoking and deal with it then rather than wait for your whole house to be engulfed in flames.”
