Ransomware is a growing problem for IT organizations, in several ways. In fact, the Cybersecurity & Infrastructure Security Agency (CISA) just released an advisory specifically about cybercriminals targeting the public health sector with hacking and ransomware variants such as Ryuk. Organizations cannot afford to ignore this. Deploying tools to detect and recover from attacks can introduce new complexity in your environment. Most IT infrastructure monitoring tools don’t have support for troubleshooting performance problems introduced by ransomware monitoring. You do want to make sure that your ransomware protection and monitoring is working as it should, right?
NetApp’s Matt Trudewind has an excellent series of blogs about ransomware. In the fourth installment, Matt describes how user behavior analytics tools plug into NetApp® ONTAP® storage to provide zero-day protection. These tools constitute an additional workload that consumes ONTAP compute resources. When these tools aren’t tuned properly, performance problems quickly follow. NetApp Cloud Insights software can help you keep the NetApp FPolicy-dependent tools in ONTAP running smoothly. The next section is abbreviated from Matt’s post—thanks, Matt!
What is FPolicy, the NetApp Zero Trust engine?
NetApp FPolicy (derived from the name “File Policy”) is a file-access notification framework that you use to monitor and manage file access over the NFS or SMB/CIFS protocol. It’s been part of ONTAP for over a decade, and it’s incredibly useful in helping you detect and prevent ransomware. This Zero Trust engine is valuable because you get extra security measures beyond permissions in access control lists (ACLs).
FPolicy has two modes of operation: native and external. You can read about native mode here. External mode integrates with external servers that provide user behavioral analytics along with artificial intelligence and machine learning (AI/ML), enabling detection of more advanced ransomware. For example, NetApp Cloud Insights Premium Edition includes NetApp Cloud Secure with ransomware protection based on the FPolicy engine.
What FPolicy metrics should be monitored?
As they say, it depends: on what you’re responsible for and what your goals are. Storage administrators want to understand the impact of the FPolicy external mode workload on the ONTAP system—additional workload from FPolicy might increase I/O latency and change the cluster IOPS optimal point. Security administrators want to understand how well their tools are working and plan for capacity growth.
Here’s a sample dashboard used by storage administrators:
This dashboard brings together a small set of metrics—eight in total—in a way that helps you understand health and utilization. Eye-correlate the FPolicy performance metrics of latency and operations with the relevant storage workload metrics of IOPS and file open/close activity. You can see how the FPolicy workload (here, it’s from a security system) is affecting the overall load on storage. Comparing to storage CPU utilization and optimal point helps you understand whether storage is underutilized or overutilized. In this example, the 4 a.m. spike in audit work drove higher yet acceptable CPU utilization.
Because Cloud Insights can monitor compute, it can chart the security server’s KPIs alongside the storage to help you keep the security solution running well:
This dashboard shows CPU and disk use of the security server VM charted alongside the FPolicy metrics. Any swapping incurred by the security VM would show up as traffic light yellow or red in the widget on the right. This server is healthy.
Keeping your security and compliance solution healthy
With the ability to collect, monitor, and alert on KPIs related to your security and compliance solution, Cloud Insights can help you maintain the effectiveness of your architecture. Can your solution handle your peak workloads? Cloud Insights helps you answer this with certainty. When your security server is affecting your environment and generating user complaints, you can quickly and easily determine where the problem lies. Is it a configuration issue? Is the storage too busy? Maybe the security server needs more memory? Cloud Insights has in-depth visibility into the ONTAP FPolicy server; together with VM monitoring, Cloud Insights can help you keep your environment running smoothly.
Do you want to learn more about how Cloud Insights can help you run your ONTAP storage–based environment? Visit the Cloud Insights webpage and take advantage of a free 30-day trial to check it out in your own environment.