Ransomware Incidents enables users to monitor for ransomware incidents in near real time. At the time of publication, ransomware incident monitoring is supported on PowerMax systems; coverage will continue to expand to other platforms. The feature is also considered Beta at the time of publication, meaning that support and feedback for it are handled through the Feedback Form link in the Observability UI.
In a ransomware attack, the attackers encrypt the data, and the encryption key is then required to unlock it. One effect of encryption is that the data becomes incompressible, or irreducible. By establishing an expected range for the amount of reducible data, and then continuously monitoring that level, variances outside of normal patterns, referred to as anomalies, can be identified. Through various algorithms and analysis, Observability can then identify potential ransomware incidents in near real time.
The Ransomware Incidents page is accessed from the Cybersecurity menu on the left side of the Infrastructure Observability user interface. This page shows all identified incidents and puts them in one of three categories: New, Investigate, or Closed. When an incident is first identified, it appears in the New tab. Each incident has an incident ID, a confidence level, the system identifier, the location, the number of affected storage groups, and the created and updated times. There is also the ability to add notes to each incident. When the incident is ready to be analyzed, the user selects it and clicks Acknowledge & Investigate.
At this point, this incident is “frozen” and moved under the Investigate tab. Any new anomalies will trigger a new incident. While in the investigate state, the user can look at the potentially affected hosts and applications to determine if the incident is a true ransomware attack. If so, they can take appropriate action to isolate and recover.
To help investigate, the user can click the incident ID link and see the details of which storage groups experienced anomalies and when the anomalies were created and last updated.
Users can select up to three storage groups at a time to see charts of the reducible data, the historical seasonality, and the anomalies.
The Anomalies tab provides a list of anomalies, also called logs, with their timestamps.
Once the investigation is complete, the user determines whether the incident was a valid ransomware attack that has been resolved or a false incident. Selecting an incident and then clicking Close lets the user close it with either of these two options.
Ransomware incident monitoring is enabled from the Settings link on the Cybersecurity Incidents page. The Cybersecurity Incidents Settings page lists the supported systems for ransomware incident monitoring.
Clicking Configure on one of the systems opens the Configure Cybersecurity Incidents window. In this window, the user can enable or disable any of the storage groups and can set an Incident Sensitivity Level. Users can also see the detection mode, either Learning or Detecting. Learning occurs when the storage group is first enabled or after an incident is closed as a valid incident. During this mode, Observability learns the expected range of reducible data to establish normal behavior. Once the expected behavior is established, the mode switches to Detecting and Observability starts monitoring the storage group for ransomware incidents.
The sensitivity level lets users tune the detection algorithm. A low sensitivity level results in a lower likelihood of triggering an incident; a high sensitivity level results in a higher likelihood of triggering an incident. Users may want to set a sensitivity level of low for less critical applications or for applications that have a higher variation in reducible data, and a sensitivity level of high for more critical applications or applications that have a lower variation in reducible data.
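To make the detection principle concrete (the reducible-data baseline described earlier, and the Learning/Detecting modes and sensitivity levels described here), the following is an added illustration written for this page; it is not Dell's implementation and does not show how Observability actually computes anomalies. It assumes DEFLATE compressibility as a stand-in for "reducible data", a per-slot seasonal baseline (slot = position in a repeating cycle, standing in for hour-of-day seasonality), a one-sided standard-deviation band whose width is set by a constructed sensitivity-to-multiplier mapping, and a noise floor so a perfectly steady baseline still has a band. The sample workload and the "encrypted" blocks are constructed in the script (random bytes, no real cipher). The monitor generalizes the page's description slightly by modelling seasonality explicitly, which is why the normal slot 2 dip in the sample data does not raise an anomaly.

```python
import random
import statistics
import zlib

# Sensitivity level -> how far (in standard deviations) reducibility may fall
# below the seasonal mean before an anomaly is raised. Constructed mapping:
# "high" is the tightest band and therefore the most likely to raise incidents.
SENSITIVITY_K = {"low": 4.0, "medium": 3.0, "high": 2.0}
NOISE_FLOOR = 0.02  # minimum stdev so a perfectly steady baseline still gets a band


def reducibility(block: bytes) -> float:
    """Fraction of the block that DEFLATE removes (stand-in proxy for reducible data).
    Repetitive records compress well (~0.9); ciphertext is irreducible (0.0)."""
    compressed = zlib.compress(block, 6)
    return max(0.0, 1.0 - len(compressed) / len(block))


class StorageGroupMonitor:
    """Learning -> Detecting state machine for one storage group
    (hypothetical implementation of the behaviour the page describes)."""

    def __init__(self, sensitivity="medium", period=24, min_per_slot=3):
        self.k = SENSITIVITY_K[sensitivity]
        self.period = period            # length of the seasonal cycle in ticks
        self.min_per_slot = min_per_slot  # samples each slot needs before Detecting
        self.tick = 0
        self._reset()

    def _reset(self):
        self.mode = "Learning"
        self.history = {slot: [] for slot in range(self.period)}
        self.baseline = {}

    def observe(self, value):
        """Feed one reducibility sample; return an anomaly record or None."""
        slot = self.tick % self.period
        self.tick += 1
        if self.mode == "Learning":
            self.history[slot].append(value)
            if all(len(v) >= self.min_per_slot for v in self.history.values()):
                self.baseline = {
                    s: (statistics.mean(v), max(statistics.pstdev(v), NOISE_FLOOR))
                    for s, v in self.history.items()
                }
                self.mode = "Detecting"
            return None
        mean, sd = self.baseline[slot]
        # One-sided test: encryption makes data *less* reducible, so only drops count.
        if value < mean - self.k * sd:
            return {"tick": self.tick - 1, "slot": slot,
                    "observed": round(value, 3), "expected": round(mean, 3)}
        return None

    def close_as_valid_incident(self):
        """Per the page, closing an incident as valid returns the group to Learning."""
        self._reset()


def random_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def workload_block(rng, slot, size=4096):
    """Constructed sample I/O: repetitive records, with slot 2 carrying a share of
    already-compressed payload so the series has a seasonal dip in reducibility."""
    words = [b"INFO", b"order=", b"customer=", b"status=ok", b"2024-05-01", b"\n"]
    text = b" ".join(rng.choice(words) for _ in range(size // 6))[:size]
    if slot == 2:
        noise = size // 3
        text = text[:size - noise] + random_bytes(rng, noise)
    return text


def encrypted_block(rng, size=4096):
    """Constructed stand-in for ciphertext: uniformly random bytes (no real cipher)."""
    return random_bytes(rng, size)


def simulate(sensitivity="medium", seed=7, period=4):
    """Learn on 3 cycles of normal traffic, watch one normal cycle, then one
    cycle where the blocks arrive encrypted. Returns what the monitor did."""
    rng = random.Random(seed)
    mon = StorageGroupMonitor(sensitivity, period=period, min_per_slot=3)
    for t in range(period * 3):                      # learning phase
        mon.observe(reducibility(workload_block(rng, t % period)))
    mode_after_learning = mon.mode
    false_alarms = 0
    for t in range(period):                          # normal traffic while Detecting
        if mon.observe(reducibility(workload_block(rng, t % period))):
            false_alarms += 1
    detections = []
    for _ in range(period):                          # encryption begins
        hit = mon.observe(reducibility(encrypted_block(rng)))
        if hit:
            detections.append(hit)
    return {"mode_after_learning": mode_after_learning,
            "false_alarms": false_alarms, "detections": detections}


if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        print(level, simulate(level))
```

Running the script prints, for each sensitivity level, that the group reached Detecting after the learning cycles, raised no anomaly on the normal cycle, and flagged every encrypted block. The sensitivity multiplier only matters near the band edge: a workload with a naturally wide spread in reducibility needs the wider "low" band to avoid false incidents, which is the trade-off the page describes.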