Configuring IBM Cloud Pak® for Security for real-time ransomware threat alerts

IBM Storage Insights provides unparalleled visibility across your storage environment to help you manage complex storage infrastructures and make cost-saving decisions. It combines IBM's proven data management leadership with proprietary analytics from IBM Research. As a cloud-based service, it can be deployed quickly and saves storage administration time while optimizing your storage. It also automates the support process to enable faster resolution of issues. It supports setting up conditions that trigger alerts and the actions to take when alerts are triggered, such as sending alert notifications to an email address.

About this task

IBM Cloud Pak® for Security (CP4S) provides a platform to quickly integrate security tools and generate deeper insights into threats across hybrid, multicloud environments.

Threat management capabilities in IBM Cloud Pak for Security deliver robust, open, process-wide visibility, detection, investigation, and response. The platform also offers security orchestration, automation, and response (SOAR).

SOAR helps organizations automate and orchestrate their incident response workflow, and helps ensure that their specific processes are consistent, optimized, and measurable.

Ransomware threat detection looks for anomalies such as sudden changes to the compression ratios on your storage systems, pools, and drives: a significant drop (30%-50%) in the ratio between two consecutive metadata collections. Because encrypted data does not compress, bulk encryption by malware such as ransomware shows up as exactly this kind of drop, so such anomalies are treated as ransomware threats.
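The following is an added example, not IBM Storage Insights code, that models the rule described above: compare each metadata collection with the one before it and flag a 30% or greater drop in compression ratio. The 30% cutoff, the sample timestamps and the per-pool ratio series are all constructed for the example; the real service's exact threshold and data model are not documented on this page.

```python
"""Model of the compression-ratio anomaly that raises a ransomware threat alert.

Added example, not IBM Storage Insights code. It applies the page's rule (a
30%-50% drop in compression ratio between two consecutive metadata collections)
to constructed per-pool samples. Encrypted data is effectively incompressible,
so a bulk-encryption event shows up as the ratio collapsing toward 1:1 within a
single collection interval.
"""
from dataclasses import dataclass

# Assumed cutoff: flag a drop of 30% or more. The page gives 30%-50% as the range.
DROP_THRESHOLD = 0.30


@dataclass(frozen=True)
class Sample:
    collected_at: str  # timestamp of the metadata collection (constructed)
    ratio: float       # compression ratio, e.g. 2.45 means 2.45:1


def relative_drop(previous: float, current: float) -> float:
    """Fractional decrease from previous to current; 0.0 when the ratio did not fall."""
    if previous <= 0 or current <= 0:
        raise ValueError("compression ratios must be positive")
    return max(0.0, (previous - current) / previous)


def detect_drops(resource: str, samples: list, threshold: float = DROP_THRESHOLD) -> list:
    """Compare each collection with the one before it; return one alert per breach."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        drop = relative_drop(prev.ratio, cur.ratio)
        if drop >= threshold:
            alerts.append({
                "resource": resource,
                "collected_at": cur.collected_at,
                "previous_ratio": prev.ratio,
                "current_ratio": cur.ratio,
                "drop": round(drop, 3),
            })
    return alerts


def scan(resources: dict, threshold: float = DROP_THRESHOLD) -> list:
    """Run detect_drops over every resource; the flat list is what would become alerts."""
    alerts = []
    for name, samples in resources.items():
        alerts.extend(detect_drops(name, samples, threshold))
    return alerts


# Constructed sample data: three pools, one Sample per metadata collection.
SAMPLE_RESOURCES = {
    # Healthy pool: the ratio wanders a little but never drops sharply.
    "pool-stable": [Sample("2024-05-01T04:00:00Z", 2.50), Sample("2024-05-01T16:00:00Z", 2.40),
                    Sample("2024-05-02T04:00:00Z", 2.45), Sample("2024-05-02T16:00:00Z", 2.42)],
    # Pool hit by bulk encryption: 2.45 -> 1.30 in one interval, a 47% drop.
    "pool-encrypted": [Sample("2024-05-01T04:00:00Z", 2.50), Sample("2024-05-01T16:00:00Z", 2.45),
                       Sample("2024-05-02T04:00:00Z", 1.30), Sample("2024-05-02T16:00:00Z", 1.05)],
    # Slow encryption: two consecutive drops of about 21% each. Both are under the
    # cutoff, so the pairwise rule misses it although the ratio fell about 38% overall.
    "pool-gradual": [Sample("2024-05-01T04:00:00Z", 2.40), Sample("2024-05-01T16:00:00Z", 1.90),
                     Sample("2024-05-02T04:00:00Z", 1.50)],
}


if __name__ == "__main__":
    for alert in scan(SAMPLE_RESOURCES):
        print(alert)
```

The "pool-gradual" series is the caveat worth keeping in mind: a comparison of consecutive collections only catches encryption that completes within one collection interval. Slower encryption that spreads the drop over several intervals stays under the cutoff, so do not treat the absence of an alert as proof that nothing is being encrypted.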

IBM Storage Insights sends email alerts to a specified email address when a ransomware threat event occurs. IBM Cloud Pak® for Security then picks up these alerts from the mailbox and automatically initiates a response.

Procedure

  1. Enabling ransomware threat detection alert in IBM Storage Insights

    By default, ransomware threat detection alerts are enabled for all IBM Storage Virtualize systems with firmware version 8.6.0.0 or later. You can enable or disable the alert for a specific storage system.

    1. Log in to IBM Storage Insights. Go to Resources > Block Storage Systems. Select the storage system for which the ransomware threat detection alert must be enabled.
    2. Right-click the selected storage system and select Ransomware Threat Detection. Toggle the Detection icon to enable ransomware threat detection.
      If needed, enter specific email addresses in the Email Override box to receive alerts individually, overriding the global notification settings.
    3. Click Save Changes.
  2. IBM Cloud Pak for Security (CP4S) configuration
    1. IBM Cloud Pak for Security configuration requires an IMAP server and the username and password of the mailbox that receives the alerts.
    2. The email server configuration is added to the IBM Cloud Pak for Security configuration. The Case Management application on IBM Cloud Pak for Security retrieves email details from the email server and generates a case or a security incident. Use a mailbox dedicated to these alerts, because any message delivered to it can trigger case creation.
    3. Ensure that you have administrator permission on IBM Cloud Pak for Security to make configuration changes.
    4. On the Cloud Pak for Security page, go to Application Settings > Case Management > Permissions and Access.
    5. Click the Organization tab to configure the Inbound Email Connection.
    6. Select the IMAP option and enter the details that are shown in the figure, such as the IMAP server link, email address, and password.
    7. Learn more about creating connections.
  3. A ransomware threat alert is triggered in IBM Storage Insights that sends an email alert
    1. IBM Storage Insights sends an email alert when a ransomware threat alert is triggered.
    2. The alerts are also displayed at Dashboard > Alerts in the IBM Storage Insights GUI.

      Ransomware alert details page

  4. IBM Cloud Pak for Security reads alert
    1. When the configured inbox receives a ransomware threat alert, IBM Cloud Pak for Security reads the email alert.
    2. IBM Cloud Pak for Security can take a subsequent action in response to the alert. For example, it can open a case in the Case Management application of IBM Cloud Pak for Security.
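The following is an added example, not IBM Cloud Pak for Security code, of what the inbound email step above amounts to once the mail has been fetched: parse the message, check that it is a genuine Storage Insights alert, and turn it into a case record. The sender address, the allowlist, the subject prefix and the "Key: value" body layout are assumptions for the example; the real alert template is not shown on this page and the fields must be adjusted to match it.

```python
"""Turn an inbound Storage Insights ransomware alert email into a case record.

Added example, not Cloud Pak for Security code. It parses a constructed RFC 5322
message with the standard library and gates on sender and subject before a case
is built, because an inbox that drives automated response is a trigger anyone
who can deliver mail into it could pull.
"""
import email
import re
from email import policy
from typing import Optional

# Assumed allowlist. A From header is trivially forged, so this check is only
# meaningful when the mail server in front of the mailbox already enforces
# SPF/DKIM/DMARC for the sending domain; treat it as defence in depth, not proof.
ALLOWED_SENDERS = {"storage-insights-alerts@example.com"}
SUBJECT_PREFIX = "[Storage Insights] Ransomware threat"  # assumed subject format

# Assumed body layout: one "Key: value" field per line.
FIELD_RE = re.compile(
    r"^(Storage system|Resource|Previous ratio|Current ratio|Collected at):\s*(.+)$", re.M)


def build_case(raw: bytes) -> Optional[dict]:
    """Return a case dict for a genuine alert, or None when the mail must be ignored."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return None
    sender = from_hdr.addresses[0].addr_spec.lower()
    subject = str(msg["Subject"] or "")
    if sender not in ALLOWED_SENDERS or not subject.startswith(SUBJECT_PREFIX):
        return None
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return None
    fields = {key: value.strip() for key, value in FIELD_RE.findall(body.get_content())}
    required = {"Storage system", "Resource", "Previous ratio", "Current ratio"}
    if not required <= fields.keys():
        return None  # malformed alert: do not open a case on guesswork
    previous, current = float(fields["Previous ratio"]), float(fields["Current ratio"])
    drop = (previous - current) / previous
    return {
        "title": f"Ransomware threat: {fields['Storage system']} / {fields['Resource']}",
        "severity": "High" if drop >= 0.5 else "Medium",  # assumed severity mapping
        "storage_system": fields["Storage system"],
        "resource": fields["Resource"],
        "compression_drop_pct": round(drop * 100, 1),
        "detected_at": fields.get("Collected at"),
        "source": "ibm-storage-insights-email",
    }


# Constructed alert email as it would sit in the IMAP inbox.
GENUINE_ALERT = b"""\
From: IBM Storage Insights <storage-insights-alerts@example.com>
To: soc-intake@example.org
Subject: [Storage Insights] Ransomware threat detected on FS9200-prod
Date: Thu, 02 May 2024 04:05:00 +0000
Content-Type: text/plain; charset=utf-8

Storage system: FS9200-prod
Resource: pool-encrypted
Previous ratio: 2.45
Current ratio: 1.30
Collected at: 2024-05-02T04:00:00Z
"""

# Same body, forged sender: must not produce a case.
SPOOFED_ALERT = GENUINE_ALERT.replace(
    b"storage-insights-alerts@example.com", b"alerts@attacker.example")

# Legitimate sender, unrelated subject: must not produce a case either.
UNRELATED_MAIL = GENUINE_ALERT.replace(
    b"[Storage Insights] Ransomware threat detected on FS9200-prod", b"Weekly capacity report")


if __name__ == "__main__":
    print(build_case(GENUINE_ALERT))
    print(build_case(SPOOFED_ALERT))
    print(build_case(UNRELATED_MAIL))
```

The three constructed messages cover the cases a practitioner cares about: a genuine alert becomes a case, a forged sender is dropped, and ordinary mail from the legitimate sender is dropped. In a real deployment the IMAP fetch itself is done by the platform's inbound email connection, so this logic corresponds to the rules and enrichment you would put behind it rather than to the fetch.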