2672 - AI Infused - IBM FCM4 and Storage Defender Extending Ransomware Detection v3 (30-page slide deck)
October 21-24, 2024 - Mandalay Bay Convention Center, Las Vegas, Nevada
Session #2672: AI Infused - IBM FCM4 and Storage Defender Extending Ransomware Detection
Christopher Vollmar, IT Specialist Storage - Principal Cyber and Data Resiliency, IBM
Erin Farr, Senior Technical Staff Member, Storage CTO Office, IBM
#IBMTechXchange

AI Infused IBM Storage for Data Resiliency and AI
IBM TechXchange | 2024 IBM Corporation
AI and Machine Learning are woven throughout IBM Storage for Data Resiliency.
- Artificial Intelligence (AI): human intelligence exhibited by machines. AI can be defined as a technique that enables machines to mimic cognitive functions associated with human minds; cognitive functions include all aspects of learning, reasoning, perceiving, and problem solving.
- Machine Learning (ML): systems that learn from historical data. ML-based systems are trained on historical data to uncover patterns. Users provide inputs to the ML system, which then applies these inputs to the discovered patterns and generates corresponding outputs.
- Deep Learning (DL): an ML technique that mimics human brain function. DL is a subset of ML, using multiple layers of neural networks (interconnected nodes that work together to process information). DL is well suited to complex applications, like image and speech recognition.
- Foundation Model / Generative AI systems: an AI model built using a specific kind of neural network architecture, called a transformer, which is designed to generate sequences of related data elements (for example, a sentence).
- Timeline shown: 1950s, 1980s, 2010s, 2020s.

Agenda
01 Architecture for Data Res
02 Defense in Depth - Detection
03 IBM Defender Sensors
04 IBM Ransomware Detection
05 IBM Storage Sentinel
06 IBM Data Management Service

IBM Storage Defender provides end to end data resiliency
2024 IBM Corporation - Storage for Data Resilience
Three pillars: Early Threat Detection; Fast & Safe Recovery; Data Management.
Defender goes beyond point products:
- AI-powered Early Threat Detection - app and data aware
- Data Management across the data estate to establish resiliency standards for data recovery
- Fast and Safe Recovery from the safest backup or snapshot for each workload
Diagram: Data Resilience Console; Data Management API; Cloud and Container (SaaS apps, K8s); Data Center (VMs, modern DBs); Core Enterprise Applications; 3rd Party Backup; 3rd Party Primary; IBM Primary; IBM Backup.

Early Threat Detection
- Ransomware Threat Detection: provides entropy-based anomaly detection; occurs at the array level through array SW.
- Primary Storage Anomaly Detection: application aware anomaly scanning of immutable HW snapshots (SGCs); notifies of anomalies and finds the latest clean snapshot (latest snapshot without anomaly).
- Backup Anomaly Detection: leverages AI and ML to identify anomalies in size of data written and data reduction rates (dedup & compression).
- Clean Room: safe place to recover and scan data and find golden copies for recoveries; scan for malware using existing products.
- IBM Defender Sensors: detects anomalies on a live system by analyzing attack patterns against file metadata and deep file analysis.
- SIEM alerts triggered for downstream reporting and automation.

Fast and Safe Recovery
- Fast Recovery: instant mass restore from optimized clusters; application aware snapshot recovery; indexed, targeted search and restore.
- Safe Recovery: identify your clean golden data copies; test and verify in a protected, isolated clean room; physically or logically isolated from production; restore from immutable snapshot, air gap, archive, and tape.
- Flexibility: orchestration across all copies, whether backup or snapshots; ensure data recoverability matches required business SLAs; recover back to primary or alternate site; multiple backup copies provide Recovery Groups.
- Recovery Groups: define prioritized recovery actions; monitor backup compliance and critical attacks; coordinated restore actions.
Diagram: Workloads (DB, OS, APP, VM, Containers, Cloud); Recovery / Restore; Real-time anomaly detection; Immutable Hardware Snapshots; Scan Copies; Isolated Scan Copies; Clean Room (On-Prem, Cloud); Anomaly Scan; Backups; Immutable; Recovery.

IBM Storage for data resiliency workflow
Diagram: Primary Workloads and Secondary Workloads (DB, OS, APP, VM, Containers, Cloud); Tape, cloud, and other media; Air-gap / tiering; Short to long term data copies; Short term data retention for rapid recovery; Secure Immutable Copy; Inline data corruption detection; Isolated Environment (On-Prem, Cloud); Defender Sensors; Test / Identify recovery copy; Recovery / Restore; SIEM; SOAR; SOC Integration; View / Orchestrate; Anomaly Scan; Malware Scan.
(The same workflow slide is shown a second time with the Early Threat Detection and Defender Sensors elements highlighted. Copyright IBM Corporation 2024 - IBM & IBM Business Partners Only.)

Defender Sensor File System Detection - AI powered real time lightweight ransomware detection
- Layer of detection on file systems
- Installs at the file system layer of the host
- Finds suspect file(s) in the filesystem
- Applies IBM patented technology to detect at host layer vs storage device layer
- Lightweight deployment
- Real Time: detects within 30s
- 2-pass analysis: AI pattern detection; false positive reduction
- Supported Platforms: Red Hat Enterprise 9; SUSE Linux Enterprise 15 SP2; Ubuntu 24.04

Detection - IBM Defender Sensors: IBM Research driven
Near real-time, storage, light-weight, scalable.
- Speed up Detection: ransomware detected in seconds to minutes can minimize data loss.
- File-system Level / Compatible
- Scalable / Deployable: usable across infrastructure to protect VMs with their state-less architecture.
- Minimal overhead: light-weight process does not consume storage bandwidth.
- First in Market: in-market solutions typically take hours to scan.
- Linux Ready: relies only on telemetry and does not need to be in the critical I/O paths.
- Rich Extendibility: Python based process makes integration easy.
- AI Driven: self-supervised models and user feedback.

IBM Storage Defender Sensors: IBM advanced AI technology for real-time ransomware detection
- Impact Identification: help pinpoint impact range and inform Security Operations.
- Live Threat Detection: detects anomalies on a live system by analysing attack patterns against file metadata and deep file data analysis.
- Faster Reaction: leads to less potential data loss and better RPO options.

Storage Defender Sensor stack
Linux file system real time sensor: METADATA (ML) Behavioral Pattern Detector; Validator (reduce false positives); DATA; VM sensor; Any Storage HW; VM; Linux File System sensor; IBM Storage Defender; Linux File System.
Ransomware can impact an entire environment in 2 hours.

Detection and Alerting - IBM Storage Defender Sensors
Diagram: VMs; SAN / iSCSI Network; IBM Storage Defender; Detection engine; SIEM; SOAR.
- Adds an additional layer of detection
- Installs at the file system layer of the host
- Finds infected file(s) in the local filesystem
- Applies IBM patented and trade secret techniques to find corruption at host layer vs storage device layer
- Low overhead install; agent style installation
- Only VMs in Recovery Groups can get sensors
- IBM Defender Sensor with Analysis and Alerting lives at the file system layer of the VM guest OS, above the storage device
- 3-layer analysis: Layer 1: encryption detection; Layer 2: ML based pattern recognition; Layer 3: false positive reduction
- Heartbeat: alerts feed into the Detection engine every 30 seconds
- Supported Platforms: Red Hat Enterprise 9; SUSE Linux Enterprise 15 SP2; Ubuntu 24.04

Flash Core Module Inline Data Corruption Detection
Diagram: VMs; IBM Storage Defender; Flash Core Module; IBM Storage Insights.
IBM Storage Defender Sensors + Flash Core Module: higher fidelity alerts, lower false positives, inference, one integrated response plan.

Detection - IBM FlashCore Modules: computational storage devices
- Unique IBM flash technology
- Hardware compression (GZIP) with no performance impact
- Hardware encryption (FIPS 140-3) with no performance impact
- Zero Burnout: no FlashCore Module has worn into failure. IBM FlashCore leverages extensive IP with focus on minimal maintenance and enterprise performance.
- Tier 0 Everywhere: with the economics and endurance of FlashCore, use cases now include logging, backups, and video in addition to OLTP and ML/AI.
- Smart data placement: leverages Storage Class Memory (STT-MRAM) and dynamic allocation of SLC and QLC; data placement based on access and change frequencies; exclusive hints as dialog between FCMs and IBM Storage Virtualize OS; Tier 0 under all workloads.
- Available in usable capacities of 4.8TB, 9.6TB, 19.2TB and 38.4TB per drive.

Ransomware Threat Detection with FlashCore Module
- Compression statistics
- Encrypted payload detection
- Chi-Squared
- LBA addressing and sequencing patterns
- Changes in read/write throughput
- Shannon Entropy
Processed on EVERY write with ZERO performance impact! 40+ data statistics analyzed in the detection engine.

Ransomware Monitoring Architectural Overview
IBM FlashCore Modules -> IBM Storage Virtualize (Inferencing Engine; granular data analytics; trends / summary; learn from data; volume statistics) -> Show real-time data and trends: Storage Insights Pro; external tools; responses / actions; Security Operations; IBM Storage Defender; other integrations (e.g. create SGC snap to limit scope).
Brought to you by: IBM Research, IBM Storage Virtualize, IBM FlashCore, IBM Storage Insights Pro.

IBM Storage Defender and FlashSystem integration for ransomware
Diagram: VMs; Issue / Alert; Trigger; IBM Storage Defender; Detection engine; Storage Insights Pro; Safeguarded Copy.
Sequence shown: ransomware hits and starts encrypting; Flash Core detects and contacts Storage Insights Pro; Defender detection kicks in and a new case is opened; Defender triggers a Safeguarded Copy to mitigate.
With inline ransomware detection from FlashSystem and Flash Core Module analysis, Defender proactively protects data from further damage. This helps speed remediation with less damage to repair.

IBM Storage Defender Storage Sentinel: IBM advanced AI technology recovery point validation
- ML Impact Identification: IBM Storage Sentinel scan engine trained to identify malware corruption.
- Active Threat Detection: determine if the FlashSystem Safeguarded Copies are valid recovery points.
- Workload Validation: ML driven workload training for VMware, EPIC, SAP HANA and Oracle.

Timeline diagram: Production Data; Safeguarded Copy; Sentinel Scan; Attack Detected; copies at 06:00, 09:00, 12:00, 15:00, 18:00.
1) Safeguarded immutable copies created throughout the day
2) Cyber Vault with IBM Storage Sentinel checks copies for corruption as they are created (or specify doing the check every x copies)
3) Attack and/or corruption detected by anomaly scanning software
4) Security alert created
5) Clean copy known for fastest recovery

IBM FlashSystem Safeguarded Copy: immutable, policy driven, logical air gap recovery points
- Prevent sensitive point in time copies of data from being modified or deleted due to errors, malicious destruction or ransomware attacks.
- Create Safeguarded Backups for a production volume stored in Safeguarded Backup Capacity, which is not accessible to any server.
- The data is accessible only after a Safeguarded Backup is recovered to a separate recovery volume.
- Recovery volumes are used with a data recovery system for: data validation; forensic analysis; restore production data.
Diagram: Production System (Production Volume; Backup; Safeguarded Backups 1-5 in Backup Capacity); Cyber Vault System (Recovery Volume; Recover; Restore); timeline 6:00, 9:00, 12:00, 15:00, 18:00; Good copy; Corrupt; Corruption found.

IBM Storage Sentinel: analytics for DB and VMware workloads
- 200+ content-based analytics provide comprehensive insight into data.
- Machine learning model trained to recognize behavior of thousands of variants.
- Testing is performed on tens of millions of infected and uninfected datasets; critical updates via iFix + quarterly code bundles.
- Objective is to maintain a 99.5% level of confidence; results in minimized false positives and false negatives.
- Metadata: types the file and validates the extension (Epic, Iris, etc.).
- Integrity: validates structure based on the type of database; validates page signatures in the allocation map; validates header; and more.
- Content: validates page headers; identifies pages found corrupted/encrypted; compares page entropy, similarity and signatures vs previous version.
Diagram: App 1, App 2, App 3, App 4.

Defender Data Management Service File System Detection: AI driven anomaly detection from backup
- Detection: analyze backup meta-data once a backup
- Conceptually the same as detecting anomalies
- Over 20 backup meta-data signals
- Real Time: detects within 30s
- Back-ups
- Mature Detection Model: detects ransomware, encryption; based on 20 signals from backup; detects across all backup workloads

IBM Storage Data Management Service File System Detection: AI driven anomaly detection from backup
- Impact Identification: help pinpoint what workloads are being impacted.
- Threat Detection: detects anomalies after every backup.
- Faster Reaction: leads to less potential data loss and better RPO options by identifying active threats in your environment.

Storage Defender Sensor stack (Data Management Service)
Linux file system real time sensor: Data Extractor; Reconciler; Predictor; Any Storage HW; VMs, select DB and applications, NAS and SmartTarget; SIEM; SOAR; Analytics Engine; protection run metadata; protection run statistics; protection run metadata of the files in the backup.
IBM Defender Data Management Service File detection (three diagram slides with this title follow).

Q&A
Erin Farr, Senior Technical Staff Member, Storage CTO Office, IBM

Thank You
Erin Farr, IBM, Senior Technical Staff Member, Storage CTO Office

Notices and disclaimers
Certain comments made in this presentation may be characterized as forward looking under the Private Securities Litigation Reform Act of 1995. Forward-looking statements are based on the company's current assumptions regarding future business and financial performance. Those statements by their nature address matters that are uncertain to different degrees and involve a number of factors that could cause actual results to differ materially. Additional information concerning these factors is contained in the Company's filings with the SEC. Copies are available from the SEC, from the IBM website, or from IBM Investor Relations. Any forward-looking statement made during this presentation speaks only as of the date on which it is made. The company assumes no obligation to update or revise any forward-looking statements except as required by law; these charts and the associated remarks and comments are integrally related and are intended to be presented and understood together.
2024 International Business Machines Corporation. All rights reserved. This document is distributed "as is" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. Not all offerings are available in every country in which IBM operates. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. IBM, the IBM logo, and are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at:
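The write statistics the FlashCore Module slide lists (Shannon entropy, chi-squared, compression statistics), the "compares page entropy ... vs previous version" check from the Storage Sentinel slide, and the "latest clean copy" selection from the Safeguarded Copy timeline, worked through in Python as an added example. This is not IBM code and does not reproduce IBM's detection engine; the thresholds, the 4096-byte block size, the region names and the 06:00-18:00 sample copies are constructed for illustration.

```python
# Added example (not IBM's code): per-block statistics of the kind the FlashCore
# Module slide lists, a "vs previous version" validator in the spirit of the
# Sentinel slide, and latest-clean-copy selection over a constructed timeline.
import math
import random
import zlib
from collections import Counter
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 4096  # assumed block size for the constructed samples

# Constructed thresholds (assumptions, not product values).
ENTROPY_MIN = 7.5   # bits per byte; random or encrypted data approaches 8.0
CHI2_MAX = 400.0    # 255 degrees of freedom; uniform bytes score near 255
RATIO_MIN = 0.95    # compressed size / original size; ciphertext does not compress


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_squared(data: bytes) -> float:
    """Chi-squared of the byte histogram against a uniform 256-symbol distribution.
    Ciphertext stays near the 255 expected for random data; text and database
    pages score orders of magnitude higher."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def compression_ratio(data: bytes) -> float:
    """Deflate output size divided by input size; about 1.0 means incompressible."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


def looks_encrypted(data: bytes) -> bool:
    """First pass: all three statistics must agree before a block is suspect.
    Any one alone misfires (already-compressed media is also high-entropy and
    incompressible), which is why a second pass compares against history."""
    return (shannon_entropy(data) >= ENTROPY_MIN
            and chi_squared(data) <= CHI2_MAX
            and compression_ratio(data) >= RATIO_MIN)


def suspicious_regions(current: Dict[str, bytes],
                       previous: Optional[Dict[str, bytes]]) -> List[str]:
    """Second pass (false-positive reduction): flag a region only if it looks
    encrypted now and its previous version did not. A region that was always
    incompressible (a JPEG) is not flagged; a ledger that turned into
    ciphertext between copies is. The first copy is the baseline."""
    if previous is None:
        return []
    return [name for name, data in current.items()
            if looks_encrypted(data)
            and name in previous and not looks_encrypted(previous[name])]


def latest_clean_copy(timeline: List[Tuple[str, Dict[str, bytes]]]
                      ) -> Tuple[Optional[str], Optional[str]]:
    """Walk immutable copies in creation order and return (latest copy before
    corruption was found, first copy in which it was found). Copies made after
    the first hit post-date the attack and are not recovery candidates."""
    latest_clean: Optional[str] = None
    prev: Optional[Dict[str, bytes]] = None
    for label, regions in timeline:
        if suspicious_regions(regions, prev):
            return latest_clean, label
        latest_clean = label
        prev = regions
    return latest_clean, None


# --- constructed sample data standing in for volume blocks -------------------
def text_block(line: str, size: int = BLOCK_SIZE) -> bytes:
    """Repetitive log-style text: low entropy, highly compressible."""
    raw = line.encode()
    return (raw * (size // len(raw) + 1))[:size]


def random_block(seed: int, size: int = BLOCK_SIZE) -> bytes:
    """Seeded pseudo-random bytes: stand-in for ciphertext or compressed media."""
    return random.Random(seed).randbytes(size)


PHOTO = random_block(1)  # unchanged, already-incompressible region in every copy


def make_copy(label: str, ledger: bytes) -> Tuple[str, Dict[str, bytes]]:
    return label, {"ledger.db": ledger, "photo.jpg": PHOTO}


# Copies at the slide's timestamps; ledger.db is overwritten with
# ciphertext-like data from 15:00 on (the constructed "attack").
TIMELINE = [
    make_copy("06:00", text_block("06:00 txn=00017 acct=1234 amount=150.00 status=ok\n")),
    make_copy("09:00", text_block("09:00 txn=00042 acct=5678 amount=20.50 status=ok\n")),
    make_copy("12:00", text_block("12:00 txn=00091 acct=1234 amount=9.99 status=ok\n")),
    make_copy("15:00", random_block(99)),
    make_copy("18:00", random_block(100)),
]

if __name__ == "__main__":
    for label, regions in TIMELINE:
        for name, data in regions.items():
            print(f"{label} {name:10s} H={shannon_entropy(data):.3f} "
                  f"chi2={chi_squared(data):9.1f} ratio={compression_ratio(data):.3f}")
    print("latest clean / first suspicious:", latest_clean_copy(TIMELINE))
```

Running the block prints the three statistics for every region of every copy and then the pair ("12:00", "15:00"): the 12:00 copy is the latest clean recovery point and 15:00 is where the ledger first looks encrypted, which is the shape of the slide's 06:00-18:00 timeline. The photo region scores as high-entropy and incompressible in every copy but is never flagged, because the second pass only reacts to a region that changed from compressible to ciphertext-like; that comparison against the previous version is what turns raw entropy into a usable anomaly signal.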