Superna Eyeglass® Ransomware Defender

Feature Summary

Ransomware Defender is a highly scalable real-time event processing solution that provides User Behavior Analytics to detect and halt a Ransomware attack on business-critical data stored on Dell EMC Isilon storage arrays. Read the Dell EMC Solution Brief.

This add-on for Superna Eyeglass DR edition offers a last line of defense to critical data with real-time monitoring of user file access behaviors to detect Ransomware events. Active defenses enable lockout of users per SMB share across all managed clusters, providing a rapid response to protect data.

  1. Stops Ransomware real-time across all managed clusters

  2. User-behaviour-based detection

  3. Monitor Isilon audit CEE logs for file activity related to Ransomware attacks

  4. Security Guard Feature - Simulated Ransomware attack validates response actions to an attack are functioning as expected with alerts to administrators to ensure all security components are ready and tested daily.

  5. Detects the user, path, file, share and IP address where the attack originated, and captures the last hour of user activity before the attack to assist with recovery.

  6. Customizable rules engine to tune false positives

  7. Integrated with automated DR Failover for Recovery

  8. Self-serve User Data Recovery portal simplifies recovery using snapshot and DR copies

  9. Administrator alerts, logging on suspicious activity

  10. Active Defense:

    1. Lock out users from shares in real-time or delayed

    2. Timed auto-lockout rules if an administrator is not available to review a security incident

    3. Automatic escalated response if multiple infections are detected in parallel (massive attack infecting multiple users)

  11. Whitelist support for file system paths, user accounts or source IP address ranges

  12. Distributed processing with centralized rules and decision actions: Agents are co-located with each cluster and the centralized Superna Eyeglass® appliance executes the actions

  13. Active/Active/Active 3-node cluster for highly available security event processing

  14. Multi-cluster aware monitoring: detect on one cluster, lock out on all clusters globally
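The detection features above (behaviour-based detection over file audit events, whitelists by path, user or source IP range, and a lockout decision that records the originating user, IP and shares) are illustrated here with an added example; it is not Superna's code, the event schema, indicator list, threshold and window are assumptions, and the audit records are constructed, not real Isilon CEE output.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample audit events (assumed schema, not real Isilon/CEE records):
# (time_s, user, source_ip, share, path, op, new_path_after_rename)
EVENTS = [
    (0,  "alice",     "10.1.1.5", "finance", "/ifs/finance/q1.xlsx", "rename", "/ifs/finance/q1.xlsx.locked"),
    (5,  "alice",     "10.1.1.5", "finance", "/ifs/finance/q2.xlsx", "rename", "/ifs/finance/q2.xlsx.locked"),
    (12, "alice",     "10.1.1.5", "hr",      "/ifs/hr/pay.csv",      "rename", "/ifs/hr/pay.csv.locked"),
    (20, "bob",       "10.1.1.7", "eng",     "/ifs/eng/a.c",         "rename", "/ifs/eng/a.c.locked"),
    (21, "backupsvc", "10.1.1.9", "eng",     "/ifs/eng/b.c",         "rename", "/ifs/eng/b.c.locked"),
    (22, "backupsvc", "10.1.1.9", "eng",     "/ifs/eng/c.c",         "rename", "/ifs/eng/c.c.locked"),
    (23, "backupsvc", "10.1.1.9", "eng",     "/ifs/eng/d.c",         "rename", "/ifs/eng/d.c.locked"),
    (30, "carol",     "10.9.3.4", "eng",     "/ifs/eng/e.c",         "rename", "/ifs/eng/e.c.locked"),
    (31, "carol",     "10.9.3.4", "eng",     "/ifs/eng/f.c",         "rename", "/ifs/eng/f.c.locked"),
    (32, "carol",     "10.9.3.4", "eng",     "/ifs/eng/g.c",         "rename", "/ifs/eng/g.c.locked"),
]

# Whitelist dimensions the page names: path prefix, user account, source IP range.
WHITELIST = {"users": {"backupsvc"}, "paths": ("/ifs/scratch/",),
             "nets": [ip_network("10.9.0.0/16")]}
SUSPECT_EXT = (".locked", ".encrypted", ".crypt")  # assumed encryptor extensions

def is_whitelisted(ev):
    t, user, ip, share, path, op, new = ev
    return (user in WHITELIST["users"] or path.startswith(WHITELIST["paths"])
            or any(ip_address(ip) in n for n in WHITELIST["nets"]))

def is_suspicious(ev):
    op, new = ev[5], ev[6]
    return op == "rename" and new is not None and new.endswith(SUSPECT_EXT)

def detect(events, threshold=3, window_s=60):
    """Sliding-window count of suspicious ops per user; return one lockout decision
    per user who crosses the threshold, with origin IP, shares and evidence paths."""
    history = defaultdict(list)
    decisions = {}
    for ev in sorted(events, key=lambda e: e[0]):
        if is_whitelisted(ev) or not is_suspicious(ev):
            continue
        hist = history[ev[1]]
        hist.append(ev)
        while ev[0] - hist[0][0] > window_s:   # drop events older than the window
            hist.pop(0)
        if len(hist) >= threshold and ev[1] not in decisions:
            decisions[ev[1]] = {"action": "lockout", "ip": ev[2],
                                "shares": sorted({e[3] for e in hist}),
                                "evidence": [e[4] for e in hist]}
    return decisions
```

Running `detect(EVENTS)` on the constructed sample flags only alice (three renames within the window across the finance and hr shares); bob stays under the threshold, and backupsvc and carol are suppressed by the user and source-IP whitelists.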

What is Real-time Response?

It's important to understand what real-time response means and how Ransomware Defender stands out from legacy file audit platforms.

Ransomware Defender Sets the Bar for Real-time Event processing

  1. Availability: 3 nodes with survival of a process or complete node failure and continue to process incoming events

  2. Load Sharing: Support incoming events and ensure each node is actively processing incoming events

  3. Rebalancing: Under heavy load or failure conditions ensure events are redistributed between surviving nodes

  4. Active Cluster: Each node is capable of independent event processing and analytics

  5. Scalability: For large enterprise environments, scaling all real-time functions is required. Ransomware Defender is built on big data technologies that operate at scale using the compute and storage node concept, as Hadoop clusters do, for example.

  6. Eliminate Ingestion: Multi-stage ingestion platforms with store, process, transform and relate data architectures are not able to perform these functions at the same time. These legacy platforms serialize these steps, which eliminates their real-time processing and analytics potential. Ransomware Defender eliminates the ingestion phase and runs analytics at memory and CPU speeds using a parallel architecture throughout.