Monitoring security notifications
The Operations Center examines backup data for clients for signs of ransomware infection. Respond to these notifications to determine if atypical backup statistics were the result of significant but known changes in the backup data, or the result of a ransomware attack.
About this task
Ransomware is a serious security threat that can result in data loss and render systems unusable. Because a ransomware attack typically creates encrypted copies of many client files, certain changes in backup data might indicate that a client is infected. When the security notifications feature is enabled, the Operations Center can help you detect possible ransomware attacks. The Operations Center looks for signs of ransomware infection by examining backup statistics for indicative changes to the backup workload and data deduplication rate. A significant increase in the workload might indicate that ransomware encrypted many files on the client. A significant decrease in deduplication savings might indicate a ransomware attack because encrypted files are not deduplicated.
A security notification can show only that significant changes in the workload or data deduplication rate were observed in the most recent client backup session as compared to recent history. The Operations Center cannot determine the causes of significant changes in the backup data, so a security notification does not necessarily mean that the client is infected. The client might be backing up more data, or backing up more data that is unsuited for data deduplication, for harmless reasons. For example, the client might be backing up many new files because it recently mounted a new file system. Or the client might have encrypted files, making them unsuitable for deduplication.
IBM Spectrum Protect examines backup session data for backup-archive clients and for IBM Spectrum Protect for Virtual Environments clients. Security notifications are issued in the Operations Center so that you can investigate further and determine why the statistical anomaly occurred. Open the Security Notifications page to view the notifications by client and to examine notification details.
Procedure
What to do next
If security notifications are enabled, from the Security Notifications page, you can acknowledge and assign security notifications. If you determine that the client is infected, you can respond to protect your network from further infection. For example, you can remove the client from the network, and apply security patches to other clients that might be vulnerable. After the problem is contained, you can restore the client to a point in time before the ransomware infection.
If the notification is a false positive that was triggered by significant but benign changes in the client backup data, you can reset security notifications for the client. When you reset security notifications for a client, historical data that is used for baseline comparisons with the most recent backup session is deleted. A new baseline is calculated going forward.
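The following script is an added illustration of the two behaviors described on this page: the baseline comparison of workload and deduplication savings that produces a security notification (About this task), and the reset that discards a client's historical data so that a new baseline is calculated going forward (What to do next). It is not IBM's code and does not reproduce the Operations Center's actual statistics; the thresholds, the minimum history length, the session fields and all client names and values are constructed assumptions for the example.

```python
# Added illustration, not IBM Spectrum Protect code: a per-client baseline check in
# the spirit of the Operations Center security notifications described above.
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Assumed thresholds: a session is flagged when its workload is at least
# WORKLOAD_FACTOR times the baseline mean, or when its deduplication savings fall
# at least DEDUP_DROP_POINTS percentage points below the baseline mean.
WORKLOAD_FACTOR = 2.0
DEDUP_DROP_POINTS = 30.0
MIN_HISTORY = 3  # assumed number of sessions needed before a baseline is meaningful


@dataclass
class BackupSession:
    """Statistics from one client backup session (constructed fields)."""
    client: str
    bytes_backed_up: int        # workload of the session
    dedup_savings_pct: float    # percentage of data removed by deduplication


@dataclass
class SecurityNotification:
    client: str
    reasons: List[str]
    acknowledged: bool = False
    assigned_to: Optional[str] = None


class SecurityMonitor:
    """Keeps per-client history and compares each new session against it."""

    def __init__(self) -> None:
        self.history: Dict[str, List[BackupSession]] = {}
        self.notifications: List[SecurityNotification] = []

    def record_session(self, s: BackupSession) -> Optional[SecurityNotification]:
        """Compare a session with the client's baseline, then add it to history."""
        past = self.history.setdefault(s.client, [])
        note = None
        if len(past) >= MIN_HISTORY:
            base_bytes = mean(p.bytes_backed_up for p in past)
            base_dedup = mean(p.dedup_savings_pct for p in past)
            reasons = []
            if base_bytes > 0 and s.bytes_backed_up / base_bytes >= WORKLOAD_FACTOR:
                reasons.append(f"workload {s.bytes_backed_up / base_bytes:.1f}x baseline")
            if base_dedup - s.dedup_savings_pct >= DEDUP_DROP_POINTS:
                reasons.append(f"dedup savings fell from {base_dedup:.0f}% "
                               f"to {s.dedup_savings_pct:.0f}%")
            if reasons:
                # The notification only states that the statistics changed;
                # deciding whether the cause is benign is left to the operator.
                note = SecurityNotification(s.client, reasons)
                self.notifications.append(note)
        past.append(s)
        return note

    def reset_client(self, client: str) -> None:
        """Discard the client's baseline history, as a reset does; a new baseline
        forms from the sessions recorded after this point."""
        self.history.pop(client, None)

    def acknowledge(self, client: str, assignee: str) -> None:
        """Mark the client's open notifications as acknowledged and assigned."""
        for n in self.notifications:
            if n.client == client and not n.acknowledged:
                n.acknowledged = True
                n.assigned_to = assignee


def run_demo() -> SecurityMonitor:
    """Feed constructed sessions for two clients and return the monitor state."""
    mon = SecurityMonitor()
    gb = 1024 ** 3
    # Three ordinary sessions per client establish a baseline (constructed values).
    for gbs, pct in ((10, 70.0), (9, 72.0), (11, 68.0)):
        mon.record_session(BackupSession("ws-01", gbs * gb, pct))
        mon.record_session(BackupSession("ws-02", gbs * gb, pct))
    # ws-01: far more data, and almost none of it deduplicates -> both signals fire.
    mon.record_session(BackupSession("ws-01", 45 * gb, 4.0))
    # ws-02: a normal session -> no notification.
    mon.record_session(BackupSession("ws-02", 10 * gb, 69.0))
    return mon


if __name__ == "__main__":
    monitor = run_demo()
    for n in monitor.notifications:
        print(n.client, "->", "; ".join(n.reasons))
```

Running the script reports one notification for ws-01 and none for ws-02. The two checks are deliberately kept separate so that the notification explains which statistic moved; a large workload increase alone could be a newly mounted file system, while a drop in deduplication savings without a workload change could be files the client encrypted itself, and an operator investigating the notification wants to see that distinction before deciding whether to reset the client's baseline.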