Cleondris - IT Press Tour #47 Dec. 2022

Add-on Software for NetApp Customers NetApp Founder Dave Hitz &
Cleondris Founder Dr. Christian Plattner Swiss Quality

2 Cleondris® and SnapGuard® are registered trademarks of Cleondris GmbH
in the United States, EU, China, Switzerland and/or other jurisdictions. 2010 Backup for ONTAP 2011 Alliance Partner 2012 ClusteredONTAP +

in the United States, EU, China, Switzerland and/or other jurisdictions. + 2010 Backup for ONTAP 2011 Alliance Partner 2012 ClusteredONTAP

in the United States, EU, China, Switzerland and/or other jurisdictions. 2014 SnapDiff v1 2016 FPolicy 2020 SnapMirror Cloud +

in the United States, EU, China, Switzerland and/or other jurisdictions.

in the United States, EU, China, Switzerland and/or other jurisdictions.  Backup & Restore  NAS & VMware  Stealth Backups  File Katalog  «Norton Commander» Storage Browser

in the United States, EU, China, Switzerland and/or other jurisdictions.  Ransomware Protection  Detection of defect files  Volume Analysis  Audit Log Management  Splunk Integration  Differential Restore CIFS Clients Cleondris Appliance Tier-2 DMT Tier-3 DMT Tier-3 CIFS Clients Cleondris Appliance Tier-1 SNMP/Syslog Reveiver NetApp ONTAP Cluster NetApp ONTAP Cluster Customer Location A Customer Location B Customer Location C Customer Location D Administrator

in the United States, EU, China, Switzerland and/or other jurisdictions. Failover

in the United States, EU, China, Switzerland and/or other jurisdictions. Failover MCC, SnapMirror (BC), SVM-DR

in the United States, EU, China, Switzerland and/or other jurisdictions. Cleondris Appliance  Comes as an .OVA file (630MB) ISO for non-virtual (physical or custom Linux) deployments available on request  Installed within minutes  Basic setup on console (network & initial web password, SSL etc)  Remaining configuration with browser  Updates can be deployed via browser (<80MB), takes less than 1 min  Inside: CentOS, PostgreSQL, Cleondris SW  Established technology since 2010

in the United States, EU, China, Switzerland and/or other jurisdictions. Cleondris: Big Picture – All Products in one SW Appliance NetApp NearStore VMware ESX 4/5/6 Virtualized Physical NetApp OSSV Web GUI NetApp Storage • Administrators • Backup Operators • Restore Operators • Security Officers LDAP/SSO Kerberos NetApp 7-Mode (Single, HA, Metro) ONTAP 8/9 (FAS, AFF, MCC, Select) FC/iSCSI NFS/CIFS SVM/vFiler SV, SM, QSM DP + XDP SnapMirror SnapVault+OSSV vCloud Director LUNs AltaVault SolidFire + HCI Indexing SnapGuard HCI Audit Backup Virtual Appliance Restore

in the United States, EU, China, Switzerland and/or other jurisdictions. So what is inside the Cleondris appliance? CENTOS 7.7 MINIMAL INSTALLATION PostgreSQL 9.6 Cleondris Software Database Requiring admins to have Linux know-how to be able to configure network & web ui credentials is not acceptable!

in the United States, EU, China, Switzerland and/or other jurisdictions. So what is inside the Cleondris appliance? CENTOS 7.7 MINIMAL INSTALLATION PostgreSQL 9.6 Cleondris Software Database Console Configurator

in the United States, EU, China, Switzerland and/or other jurisdictions. Basic appliance settings on the virtual console  Network Settings  IP/Subnet/Default Route  DNS  NTP Servers  Initial password for the web UI  Optional:  Enable SSH + password for root account  Protect console configurator with a password  Expand disk

in the United States, EU, China, Switzerland and/or other jurisdictions. How we can quickly support our customers A support bundle can be downloaded via the UI. It contains logs, but most importantly, it contains a full dump of the PostgreSQL database of the customer (minus credentials). This allows Cleondris support to «load» the dump and «see» the customer’s environment. CENTOS 7.7 MINIMAL INSTALLATION PostgreSQL Cleondris Software Database SupportBundle.zip «SQL Dump» Cleondris Support Installation runs in «passive» mode (no active scanning, failover, backup, ...) basically a readonly version of the software PostgreSQL Import

in the United States, EU, China, Switzerland and/or other jurisdictions. Linux RHEL/CentOS VMware OVA Cloud Container Physical Server AWS Marketplace Cleondris Software

Cleondrisfully supports Amazon FSxfor NetApp ON-Prem Ransomware Protection Backup &
Restore VMware Support Blockchain Audit File Catalog Coming soon: Directly from the AWS Marketplace

in the United States, EU, China, Switzerland and/or other jurisdictions. CDM – Cleondris™ Data Manager  Snapshot based backups for NetApp since 2010 (ONTAP 7.3.3)  Flexible graphical scheduler incl. SnapMirror support  VMware: Restore complete VMs, disks, or individual files  NAS: Indexing + graphical file browser / NDMP frontend  Stealth mode (native scheduled ONTAP backups, but restore with CDM)  All functions from a simple Web UI  Replace tape backup with SnapMirror-Cloud

in the United States, EU, China, Switzerland and/or other jurisdictions. vCenter Admin XDP Storage/Backup Admin VMware on ONTAP

in the United States, EU, China, Switzerland and/or other jurisdictions. vCenter Admin Storage/Backup Admin vCenter Admin Storage/Backup Admin Helpdesk

in the United States, EU, China, Switzerland and/or other jurisdictions. CDM works in large Environments (10K+ VMs) Primary Storage Storage Virtual Machines Backup Storage Storage Virtual Machines XDP SnapVault Restore via FlexClone+NFS ESX Server NFS Datastores MCC MCC Data Manager Appliance

in the United States, EU, China, Switzerland and/or other jurisdictions. CDM works out of the box in complex setups vFiler/SVM NetApp Primary Storage vFiler/SVM vFiler/SVM ESX in DMZ Zone A ESX in DMZ Zone B VMware vCenter vFiler/SVM SnapVault/XDP NetApp Secondary Web GUI ZAPI vFiler0 (SSL) ZAPI vFiler0 (SSL) vSphere SDK (SSL) (SSL) Data Manager Appliance

in the United States, EU, China, Switzerland and/or other jurisdictions. VMware Restore Options with Cleondris  Full VM Restore It is perfectly valid for the VM to not exist anymore or being disfunctional, the restore is very solid.  VM Clone Same as VM restore, but with a new name (do not replace existing VM).  VMDK Restore Replace selected VMDKs.  VMDK Attach Attach selected VMDKs either to the VM or a proxy VM (used for single file restore).  Datastore Clone Used for datastore inspection.  Disaster Recovery (HCC Product) Mass-VM Restore to DR Site with orchestrated VM Boot, includes Sandbox Option.

in the United States, EU, China, Switzerland and/or other jurisdictions. Stealth Backups for ONTAP  World’s only passive backup mode for VM environments  Snapshots and SnapMirror transfers are scheduled locally on ONTAP.  CDM is acting passively and constantly monitors ONTAP  …and keeps a file catalog of the contents of new snapshot copies  …and keeps an inventory of VMware objects inside the snapshots  However, complex restores (VMs, files, folders) can be done using the CDM UI as if the backups (snapshots and snapmirror transfers) had been generated by CDM.

in the United States, EU, China, Switzerland and/or other jurisdictions. vCenter Admin Storage/Backup Admin vCenter Admin Storage/Backup Admin Helpdesk

in the United States, EU, China, Switzerland and/or other jurisdictions. vCenter Admin Storage/Backup Admin vCenter Admin Storage/Backup Admin Helpdesk SFTP Self-Service Restore

in the United States, EU, China, Switzerland and/or other jurisdictions. SMB/NFS XDP

in the United States, EU, China, Switzerland and/or other jurisdictions. Indexing for NAS Data on ONTAP  Unified indexing support for ONTAP 9/8/7  Easy to configure, even with hundreds of volumes  Allows offloading indexing to XDP/DP secondary volumes  Enables helpdesk team to locate + restore CIFS/NFS data (i.e., no expert knowledge needed)  New in Q4/2020:  Support for FlexGroups (OK)  SnapDiff V3 (OK)  Include size and mtime in the catalog (enables refined search)

in the United States, EU, China, Switzerland and/or other jurisdictions. File Version Screen

in the United States, EU, China, Switzerland and/or other jurisdictions. Restoring a File

in the United States, EU, China, Switzerland and/or other jurisdictions. Restores will be logged (forever)

in the United States, EU, China, Switzerland and/or other jurisdictions. «Norton Commander» View

in the United States, EU, China, Switzerland and/or other jurisdictions. Backup… SMB, NFS SG5712 SnapMirror Cloud Snapshot Metadata Multi-Versioned Directory Tree Control SnapDiff

in the United States, EU, China, Switzerland and/or other jurisdictions. …and Restore SMB, NFS SG5712 SnapMirrorCloud Restore Snapshot Metadata Multi-Versioned Directory Tree Control

in the United States, EU, China, Switzerland and/or other jurisdictions. Enterprise Customers trust in CDM  CDM is used in the largest NetApp environments  CDM is easy to integrate and use (e.g., helpdesk!)  Some large NetApp accounts successfully using CDM:  International Bank, Germany (since 2010)  International Insurance Company, Germany/Italy (since 2011)  International Pharma Company, Germany & Worldwide (since 2012)  International Pharma Company, Basel, Switzerland (since 2013)  National Telco, Switzerland (since 2014)  Telco, Germany/Ireland (since 2015)

SnapGuard™ ONTAP Ransomware Protection

in the United States, EU, China, Switzerland and/or other jurisdictions. SnapGuard – Ransomware Protection and Audit for ONTAP PROTECT • World’s fastest distributed FPolicy engine for SMB + NFS - scales up to 300k FPolicy messages and 16k ransomware checks per sec and CPU core • Detects zero-day attacks with generic file damage checks (via privileged FPolicy connection) • Airgap Backup Check: verifies data on SnapMirror destination volumes («SnapScan») – competes with Dell EMC PowerProtect Cyber Recovery and IBM Spectrum Protect REACT • Automatic Emergency Snapshots • Different user blocking modes • «Emergency Stop Button»: One-click read-only mode for ONTAP shares • Differential Restore: rapid restore of affected files from latest good snapshot with single file clones World’s first FPolicy based Ransomware protection for ONTAP (Premiere at NetApp Insight 2016) Compatible with ONTAP FAS, AFF, Select, CVO and Amazon FSx for ONTAP – On-prem and/or Cloud Enterprise Grade, customers have deployed it to environments with 50+ clusters (single control pane!) CIFS Clients Cleondris Appliance 1 embedded FPE DMT 1 FPE / DMT Instance DMT 1 FPE / DMT Instance CIFS Clients SNMP/Syslog Reveiver NetApp ONTAP Cluster NetApp ONTAP Cluster Administrator ALARM • Native SIEM (Splunk, IBM Q-Radar, etc) integration • Configurable E-Mail Reports ANALYZE • Examine CIFS and NFS client activity in real-time • CVTX: Integrated blockchain-based file auditing • Audit Viewer with filter and aggregation mode ROCK SOLID • 100% engineered in Switzerland • Depends on very few third-party components (no log4j bugs or Elasticsearch licensing dramas) • Cleondris offers ONTAP add-ons since 2010 • Cleondris is self-funded without venture capital CONTACT • [email protected] / [email protected] • https://www.cleondris.com

in the United States, EU, China, Switzerland and/or other jurisdictions. Ransomware 5 years ago…

in the United States, EU, China, Switzerland and/or other jurisdictions. CryptoWall Team Lazarus Gandcrab Leakware Doxware Cr1ptTorm Emotet Spear-Fishing […] Internetbrowser E-Mail BYO Device Social Engineering Cloud Services Evil Staff James Bond Future Attacks […] A never ending stream of new ransomware uses a plethora of attack vectors to enter the customer’s environment ... and today – the situation is much more complex!

in the United States, EU, China, Switzerland and/or other jurisdictions. No matter what kind of attack you face, in 95% of cases the central NAS storage is affected! Vulnerability Damage Repair Storage Team, go fix it!

in the United States, EU, China, Switzerland and/or other jurisdictions. „Ransomware protection at the storage level is an absolute must today because it is the last line of defense and can be critical to a company's survival. The cost of such protection is not only low, but even insignificant compared to a damaging event where important data is no longer available.“ Christian Plattner, CEO Cleondris

in the United States, EU, China, Switzerland and/or other jurisdictions. SnapGuard: 3 pillar principle Protection Analysis Repair

in the United States, EU, China, Switzerland and/or other jurisdictions. SMB/NFS XDP FPolicy

in the United States, EU, China, Switzerland and/or other jurisdictions. Syslog (Splunk or CEF) SNMP Notifications E-Mail SMB/CIFS Administrator SnapGuard Firewall Principle AD / KRB FPolicy NAS Documents

in the United States, EU, China, Switzerland and/or other jurisdictions. SnapGuard™ Protects your NAS data!  First FPolicy based CIFS/NFS Firewall for Data ONTAP  Rule-based: blocks access based on patterns, access rate, ...  Interesting possibilities:  Pattern blocking with continuous learning  Emergency snapshots (in response to suspicious behavior)  Analyze changed .docx, .xlsx, and .pdf files  Integrated alarming via Syslog (Splunk/CIM), SNMP and e-mail  Architecture scales up to hundreds of controllers

in the United States, EU, China, Switzerland and/or other jurisdictions. FPolicy is powerful: you can block any user

in the United States, EU, China, Switzerland and/or other jurisdictions. Blocking Users based on Filename Patterns

in the United States, EU, China, Switzerland and/or other jurisdictions. Known Ransomware Pattern Management using FSRM List The FSRM list contains over 4000 ransomware file extensions and file name patterns.  The list changes on a daily basis  Which patterns can I use?  How secure is an auto-update?  Manual administration effort?

in the United States, EU, China, Switzerland and/or other jurisdictions. SnapGuard: Automatic Pattern Management

in the United States, EU, China, Switzerland and/or other jurisdictions. Pattern Management New incoming Patterns E-Mail Notifcation

in the United States, EU, China, Switzerland and/or other jurisdictions. File Verification – automatically check changed files

in the United States, EU, China, Switzerland and/or other jurisdictions. SMB/NFS XDP FPolicy Snapshot Backup Verification

in the United States, EU, China, Switzerland and/or other jurisdictions. SMB/NFS VMware XDP Roadmap 2023 Snapshot Verification next-gen, can detect: - Encrypted VMDKs (ESXi Ransomware) - Encrypted Files in VMDKs (Preview) - PostgreSQL Databases NFS + Inside VMDK - Microsoft SQL Databases CIFS + Inside VMDK (Preview) Airgap

Ruleset Bogus Filenames File Verification Custom On-Access Rules File Verification
Bogus Filenames Pattern Pool SVM File Index Volume 1 Volume 2 Ruleset Ruleset Fpolicy Settings SVM Exceptions Specify which snapshots (*daily*, *weekly*) EVTX Monitoring On-Access Rules Snapshot Scan Rules Roadmap: Behavior Analysis

in the United States, EU, China, Switzerland and/or other jurisdictions. CIFS Clients Cleondris Appliance 1 embedded FPE DMT 1 FPE / DMT Instance DMT 1 FPE / DMT Instance CIFS Clients SNMP/Syslog Reveiver NetApp ONTAP Cluster NetApp ONTAP Cluster Administrator Scalability

in the United States, EU, China, Switzerland and/or other jurisdictions. CIFS Clients Cleondris Appliance 1 embedded FPE DMT 1 FPE / DMT Instance DMT 1 FPE / DMT Instance CIFS Clients SNMP/Syslog Reveiver NetApp ONTAP Cluster NetApp ONTAP Cluster Administrator FPolicy Engines (FPE) can run inside the appliance or on external servers which are running the Data Manager Tools (DMT). FPEs can be shared by many ONTAP SVMs.

in the United States, EU, China, Switzerland and/or other jurisdictions. Lockdown Mode

in the United States, EU, China, Switzerland and/or other jurisdictions. SMB/NFS NetApp ONTAP native NAS Audit Log (EVTX) EVTX Splunk, CEF Syslog (UDP/TCP/TLS) SIEM ▪ SVM Audit config ▪ SACL entries (1) (2, optional) (3, optional)

in the United States, EU, China, Switzerland and/or other jurisdictions. SMB/NFS Cleondris CVTX Blockchain FPolicy CVTX (1) (2) SIEM (3, optional)

in the United States, EU, China, Switzerland and/or other jurisdictions. CVTX EVTX ONTAP Configuration Tasks • SACL configuration inside file system • Provision a log volume for EVTX storage Not required. SnapGuard configures FPolicy automatically Time intensive configuration required. FPolicy Integration Optional active ransomware protection YES NO Encryption + Compression AES-CTS/HMAC-SHA2 (RFC 8006 style) NO Blockchain based verification YES (SHA256) NO DSGVO/GDPR (no clear text usernames, just SIDs in persistent storage) YES NO Search in history for user, path, extension, volume, .. YES Limited 10-year guarantee, S3 archival (roadmap) YES NO Export to CSV Command line toolkit to access files YES Limited

in the United States, EU, China, Switzerland and/or other jurisdictions. Events in the Blockchain  SMB Operation («Open», «Create», «Rename/Move», «Delete», «Set Attributes», «Open Dir», «Create Dir», «Rename/Move Dir», «Delete Dir»)  Timestamp  Client (SID + IP)  File Type (Normal, Directory, Stream, Symlink)  ONTAP SMB share, ONTAP volume  Path in the volume (+ target path for «Rename/Move» operation)  SMB «Open»: mode (RO, RW, Delete_at_close), (desired Access + create Options)  SMB «SETATTR»: type of changed attribute(s) (owner, size, etc.)  Whether the access was blocked by a Cleondris firewall rule

in the United States, EU, China, Switzerland and/or other jurisdictions. Screenshot: Configuring CVTX Auditing for an SVM  Auditing can be easily configured with just a few clicks in the Cleondris UI  The necessary configuration is automatically applied on ONTAP Roadmap 2023 Q1

in the United States, EU, China, Switzerland and/or other jurisdictions. SMB/NFS Cleondris CVTX Blockchain FPolicy CVTX (1) (2) SIEM (3, optional) Roadmap: automatic long-term archival to S3

in the United States, EU, China, Switzerland and/or other jurisdictions. Quering the Audit Log

in the United States, EU, China, Switzerland and/or other jurisdictions. Analyzing/Aggregating Events in the Audit Log Roadmap 2023 Q1

in the United States, EU, China, Switzerland and/or other jurisdictions. Possible queries in the blockchain In the event of a major Incident:  Which users were most active in the last X hours?  Who created/read/modified/deleted the most files?  At what point did the NAS traffic increase exactly?  On which shares did we observe the most activity? On a case-by-case basis:  Who has deleted file X?  Who has worked with file X in the last few days?  Where has file Y been moved to?

in the United States, EU, China, Switzerland and/or other jurisdictions. Volume Analysis

in the United States, EU, China, Switzerland and/or other jurisdictions. Attack Detection Repair Back Online NetApp: Repair Scenario («Full Restore» with SnapRestore) M: «Last Good Backup» With SnapRestore all current data (good or bad) is reset… M:

in the United States, EU, China, Switzerland and/or other jurisdictions. Attack Detection Repair Back Online NetApp: Repair Scenario («Backwards») M: \\zha51\backup_20161121_0800 (readonly export of the snapshot directory) Single-File Clone (manually, Powershell, …) – OR you use the automated Cleondris Differential Restore! M:

in the United States, EU, China, Switzerland and/or other jurisdictions. SnapGuard Differential Restore

in the United States, EU, China, Switzerland and/or other jurisdictions. CVTX SMB/CIFS Roadmap: Restore using Blockchain Audit Log (Q1/2023) FPolicy DFR

in the United States, EU, China, Switzerland and/or other jurisdictions. Roadmap: 2023-JAN

in the United States, EU, China, Switzerland and/or other jurisdictions. Licensing Options  Cleondris Data Manager (CDM) Backup & Restore for ONTAP, NAS & VMware, SnapMirror-Cloud, Indexing  Indexing (IDX) Indexing + NAS-Restore only, subset of CDM  SnapGuard (SGEE) Ransomware Protection, Differential Restore Cleondris software is always licensed per-node (ONTAP / ESXi). There are no per-user, per-TB, per-Disk-Shelf, per-VM, … licenses needed!

Thank you! https://www.cleondris.com

Cleondris - IT Press Tour #47 Dec. 2022

Cleondris - IT Press Tour #47 Dec. 2022

More Decks by The IT Press Tour

Other Decks in Technology

Featured

Transcript