Superna Eyeglass® Ransomware Defender Feature list

Release 2.5.9

  1. Ransomware Defender Cyber Recovery Manager

    1. Rolling back user state to before the cyber incident is now possible with a single click.

      1. User data is rolled back with a complete audit trail of each recovered file, exported to CSV.

      2. User data recovery percentage is scored based on the available snapshots.

      3. Uses Ransomware Defender and system snapshots to build the recovery plan on a file-by-file basis.

      4. Summarizes each file's data manipulation, showing how the file was attacked.

      5. Automatically restores data from the correct snapshot.

      6. Automatically detects the correct snapshots to recover data for each event.

      7. Review and approve the recovery plan and click recovery!!  Simple, easy data recovery with intelligence in a couple of clicks.

    2. NFS features

      1. It is now possible to enable NFS client processing and globally enable monitor mode (no lockout), or to enable NFS client processing with snapshots turned on or off for NFS.  This simplifies global configuration for NFS client monitoring.  This is a CLI-enabled feature.

    3. Historical Affected Files now uses historical threat detection data in the ECA cluster to provide a file list from long before the attack triggered a detection.  This means the downloaded CSV will include files touched before the attack and allows inspection of additional data touched by the user without needing Easy Auditor.

    4. Carrier Grade Upgrade!!!

      1. Enterprise software that can run while it's upgraded!!!!

      2. Yes, you stay in production protection while the upgrade rolls through the nodes.

      3. No downtime, no maintenance window.

Release - Enterprise Airgap for Object Only

  1. In-band managed Enterprise vault agent

    1. Dell ECS hardware alarm monitoring

    2. Dell ECS disk space monitoring

  2. S3 to S3 Airgap support

  3. CAS to CAS Airgap support (dot release coming soon)

  4. Available with inside-the-vault automation.

  5. Enterprise Airgap - the inside-the-vault hardened solution offers in-band management and full automation from a VM within the cyber vault.

  6. Leverages Smart Airgap technology to sync data only when it is safe to replicate, using Ransomware Defender for Object behaviour-based detection.

  7. Per S3 bucket level replication

  8. Supports immutability with ECS object lock and bucket versioning.  Rapid recovery allows the vault ECS cluster to present an immutable copy of data at PB scale; the object lock feature keeps the object data safe from modification in a recovery scenario.

  9. Many-to-one support for protection of multiple source ECS clusters by a single ECS vault cluster.

Release

  1. Zero Trust API - user lockout API support for remote applications to request a user lockout, and critical path snapshot job monitoring API support to allow remote security tools to proactively snapshot application data and block replication to the cyber vault.

    1. License key required

  2. Airgap Sync policy audit - monitors the airgap policies and alerts the administrator on any change to any property of a policy.  This feature diffs all properties of the policy every 5 minutes.

  3. NFSv4 mount support for ECA VMs will be the default.

  4. Enterprise Airgap

    1. Multi-vault support

    2. Push-only from vault to production for log gathering, alarms and disk usage

    3. Vault agent CLI to push logs on demand during a CLI session with the vault agent

    4. Configuration monitoring - monitors SyncIQ policies on production clusters for any modification and alerts on any changes to the Airgap policies

  5. ECA audit ingestion rate and audit database save rate alerting to detect network issues or NFS mount issues that block processing of audit data

  6. Ransomware Defender read-only RBAC role, allowing a user in that role to log in and view events but not make any changes.

  7. GUI option to restore user data access from the Event History tab.  Allows retrying the restore of user access without needing the CLI commands.

  8. Enterprise Airgap fiber cutter offering the maximum data separation: the optical link is fully broken by a layer 0 bump-in-the-wire device with no IP address and no MAC address that sits inline between the production and vault clusters.  Fully managed by Enterprise Airgap.  Requires purchase of the 3rd party device from Echola.

Release 2.5.8 GA build 2.5.8-21288

  1. Includes the updated log4j CVE patch - no remediation steps required.

  2. New Ransomware Behavior Detectors

    1. Two new behavior detectors in this release add additional protection for file-based attacks.

    2. The new detectors support learning mode and flag-as-false-positive.

    3. On upgrade it is possible that new detections will occur.  It is recommended to switch to learning mode after upgrade.  NOTE: learning mode offers full file system protection.

  3. Granularity of protective snapshots

    1. Snapshot quota - a limit on the number of snapshots that can exist at any one time created by Ransomware Defender.  The limit is applied after expiring snapshots created by Ransomware Defender, allowing additional snapshots to be created up to the configurable limit.  Default snapshot expiry is 48 hours.

    2. Critical Paths - allows listing paths that get a snapshot if any detection is found anywhere in the file system.  This addresses environments that use ACL security instead of share-level security and allows protection of critical application data if ransomware is detected in other parts of the file system.

      1. Modes

        1. snapshot only critical paths from a detection

        2. snapshot critical paths and user SMB share paths per user

        3. snapshot only SMB share paths per user

  4. Airgap Enhancements

    1. Auto detection of the Airgap nodes for in-band vault alarm management

    2. Enterprise vault OVF with automated log push during airgap syncs

    3. Airgap basic automation API for external on-demand airgap job execution

    4. Smart Airgap API available for 3rd party integration or for monitoring the threat level from SIEM tools.

    5. Airgap maintenance request CLI command (disabled by default) to allow a request to open the vault for x minutes for maintenance activity on the vault.

    6. Vault cluster disk monitoring returns available space in proxy alarms each time a data sync occurs.

Release Update 1 GA

  1. Robustness

    1. Automatic stale mount detection on ECA nodes will reconnect the mount if network issues cause NFS mount failures.

    2. Turbo Audit disk quota for audit data rollover processing ensures the disk will not fill when many rollover files are being processed, with automatic rate limiting of rollover file processing.

    3. New threat detectors around file renames that cover more potential scenarios

Release 2.5.7 Ransomware Defender

  1. AirGap 2.0 - a complete solution to protect your data with proactive behavior monitoring of source data access, combined with Smart AirGap technology to manage SyncIQ policy replication to a third AirGap Isilon.

  2. Smart AirGap is a solution unique to Ransomware Defender that suspends copy operations when an active threat to your data is detected, unlike other solutions that will copy encrypted data to the offline copy.

  3. Ransomware Defender manages the AirGapped Isilon in-band over the replication network, ensuring your isolated Isilon is never exposed on your network.

  4. Automated AirGap management ensures the AirGap is opened and closed automatically before and after SyncIQ block-level incremental copies complete.  The fastest AirGap solution allows your third copy to be an hour behind production, not days like other solutions.

  5. Virtual AirGap manages the network to ensure your data is offline and not accessible over the network when no data syncs are in progress.

  6. New behavior detections expand behavior analysis; combined with the honeypot and a managed banned list of 2500+ extensions, this provides the highest level of data protection.

  7. Support for Authenticated Users SMB share permissions: lockout will now apply on shares that grant access to users via this well-known AD group.

  8. Major Feature Updates

    1. Learning Mode.  Automates the process of monitoring user behavior and applying the settings needed to adjust detection.  This manages user behaviors and extension-based detections from the banned file list.

    2. Monitor mode by user, path or IP address.  Removes the need to whitelist by allowing monitor mode to be applied to a path, an IP address or an AD user name.  This retains detection and snapshots without any lockout, providing a new method that will replace whitelisting in most cases.

    3. Updated threat detector settings for user behavior detection - new detection vector

    4. Banned file list versioning

      1. Multiple file versions allow transitioning to a new file version with the latest extensions, or rolling back to a previous version

    5. Banned file list hosted in a new location compatible with phone home URLs

      1. Eyeglass deployments that use phone home will now be able to leverage the phone home URL to retrieve the banned list, simplifying firewall and URL whitelisting.

    6. Allowed File Extension List Redesigned to File Filter Feature

      1. The banned file list is now retrieved and managed by Eyeglass and not the ECA.  This means proxy and phone home allow retrieving the updated file list from the Internet.

      2. All banned files are now displayed in a searchable interface.  Each file can be set to enabled, disabled or monitor mode status.

      3. Ability to add custom file extensions is supported.

      4. CLI command to convert whitelist entries to new monitor mode settings.

    7. Dual Vector Warning detection - a new behavioral detection option that looks for different behaviors within the Warning severity.  This option adds one additional pattern of suspicious user activity, designed to ignore spikes in user detection signals, and provides a new analysis vector on user IO behavior to generate warnings.

Key features from previous releases:

  1. No HDFS needed!!!! We have redesigned Ransomware Defender to no longer need HDFS.  Easier to install with fewer dependencies.

  2. New GUI for flag-as-false-positive to view users that have been flagged and reset a user to factory default detection settings.

  3. Allowed file list add UI for whitelisting files on the dynamic extension list.

  4. SIEM integration - real-time syslog forwarding of audit data.