Security Notifications
View security notifications, which might indicate that one or more clients are infected with file-encrypting ransomware.
After a backup session for a client completes, IBM Spectrum Protect compares certain backup metrics with recent historical data to determine if the client is possibly infected with ransomware. Ransomware encrypts files, rendering them unusable, and attempts to extort money in exchange for a cryptographic key that can decrypt the files. Because a ransomware attack creates encrypted copies of the client files, a significant increase in the backup workload might indicate that a client is infected. Because encrypted files are not deduplicated, a significant decrease in deduplication savings can also indicate that a client is infected. IBM Spectrum Protect analyzes these statistics after each client backup session and notifies you if changes in workload or deduplication savings are significant.
Respond to a security notification by determining if the client is infected or if the cause of the workload or deduplication changes is benign. If a client is infected, you can try to stop the ransomware from spreading. The infected client can be removed from the network, so the ransomware is no longer able to infect other vulnerable systems. Other clients can be checked for infection or vulnerabilities, and operating system patches can be applied. After the ransomware attack is contained, you can restore the client files to a point in time before the attack.
IBM Spectrum Protect examines backup session data for backup-archive clients and for IBM Spectrum Protect for Virtual Environments clients. The Security Notifications table contains one entry for each client for which at least one security incident was detected. A security incident is either a significant workload change or a sharp decrease in deduplication savings. Click a notification in the table to display more information about the security incidents that were detected.
- Acknowledge
- Acknowledges security notifications for selected clients. Use this action to show that you are aware of the security incidents that are reported, and that the client was examined for possible infection. Acknowledging a notification adds a check mark icon in the Acknowledged column of the Security Notifications table for the selected client. If another security incident is detected for a subsequent backup session, the Operations Center removes the acknowledged check mark, and updates the number of client notifications in the Occurrences column.
- Reset
- Resets security notifications for selected clients. The recent historical data that was used for baseline comparison with current backup sessions is deleted, and new historical baseline data is calculated going forward. Use this action if backup characteristics for the client no longer resemble the recent historical data. When backup characteristics for the client do not resemble the historical data, you might get security notifications that are false positives. You can also use this action to delete notifications that you no longer need to track.
The Operations Center determines whether to report a security incident in a client backup session by comparing the workload and deduplication rates in the session to recent historical data for the client. The baseline workload and deduplication rates that are used for comparison are rolling averages that are calculated from up to five of the most recent backup sessions. A significant change in the normal backup characteristics, as exemplified by the rolling averages, triggers a security notification. However, atypical workload and deduplication rates that trigger a security notification might have benign causes. Significant changes to the amount of data that is being backed up for a client, or in the amount of client data that is unsuited for deduplication, might result in notifications that are false positives. If you do not reset security notifications for the client, the Operations Center might issue notifications for the same false positives after subsequent backup sessions. It might take up to five backup sessions before the rolling averages represent normal backup characteristics again.
When you reset security notifications for a client, the client row in the Security Notification table is deleted. The Operations Center cannot detect security incidents in the next client backup session, but records new workload and deduplication rate baselines. After the second client backup session, the observed workload and deduplication rate are compared to the baselines for possible security incidents and are included in the new baseline averages. After enough backup sessions, the rolling averages are again calculated from the five most recent backup sessions.
- Assign
- Assigns the selected notifications to an administrator ID that you specify. The administrator who is assigned to the notification is responsible for investigating the security incidents that were reported to determine if the notification is a false positive or an actual ransomware attack. If necessary, the owner attempts to resolve the problem.
After you assign the notification, the owner is shown in the Security Notifications table. The owner is not automatically notified about the assignment.
- Acknowledged
- Indicates whether a security notification was acknowledged by an administrator. An administrator acknowledges a notification by selecting it in the table and clicking Acknowledge. The standard by which a notification can be acknowledged is determined by your organization. However, the intention of the acknowledged check mark is to show that the client was examined for possible infection, and that necessary actions are being taken to resolve any problems.
- Assigned
- Shows the administrator ID of the notification owner, who must investigate the security incidents and resolve any problems.
Administrators must log in to the Operations Center to view the notifications that are assigned to them. Owners are not automatically notified when they are assigned a security notification.
- Timestamp
- The start time of the client backup session in which a security incident was detected.
- Symptoms
- After a client backup session ends, IBM Spectrum Protect calculates workload and deduplication statistics, which are compared to the average statistics for recent backup sessions. The averages that are used for baseline comparisons are calculated from the five most recent backup sessions for the client. The averages might be calculated from fewer than five backup sessions if the data is not available or security notifications for the client were reset. Significant differences between the current measurements and the recent averages are recorded as the following security incidents:
- Workload Increase
- If the number of bytes that were backed up during the client backup session is 25% greater than the average number of bytes that were backed up during recent client backup sessions, a workload incident is reported. Click the table entry for the notification to display the number of bytes that were backed up and the backup average.
A workload increase might indicate that the client is infected with ransomware because ransomware typically creates encrypted copies of local files before it deletes the original files and displays a ransom demand. A significant increase in the number of files that are backed up might indicate that many encrypted files were recently created on the client.
A workload increase incident might also have a benign cause. For example, the following situations might trigger workload increase incidents. In both of these example situations, the security notification is a false positive.
- A new drive was added to a client since the previous backup session. The additional data that is backed up from the mounted file system might be large enough to trigger a security notification.
- The include-exclude list in the client options file was changed since the last client backup session, and a significant number of files that were previously excluded are now backed up. The amount of data that is newly included for backup might be large enough to trigger a security notification.
- Deduplication Decrease
- The deduplication rate for a client backup session is the deduplication savings for the client across all backup sessions, and is a percentage of the total bytes protected for the client. As files are added or updated on the client, the deduplication rate can increase or decrease based on how suited the data is to deduplication. If the relative change in the deduplication rate for the client backup session is 25% lower than the average deduplication rate for recent client backup sessions, a deduplication decrease incident is reported. Each backup session's deduplication rate is a percentage that is calculated from the following values as logged in the activity summary table:
(DEDUP_SAVINGS / BYTES_PROTECTED) * 100
Click the table entry for the notification to display the deduplication rate for the backup session and the average deduplication rate.
A deduplication decrease might indicate that the client is infected with ransomware because encrypted data is not deduplicated. A significant decrease in the deduplication rate might indicate that ransomware has encrypted client files.
A deduplication decrease might also have a benign cause, such as a change to client data that makes it unsuitable for deduplication. For example, if you have encrypted a client directory since the last client backup session, the number of newly encrypted files might be significant enough to trigger a security notification.
- Occurrences
- The number of times a security notification was issued for this client. Click the table entry for the notification to display when the first and most recent incidents were detected.
The security notification history is determined from the server activity summary log and depends on the data that is available in the log. Security notifications that are not retained in the activity summary log are not included in the occurrences count.
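The detection rules described under Reset and Symptoms, as an added worked example in Python that is not part of IBM Spectrum Protect or the Operations Center. The five-session rolling average, the 25% workload and deduplication thresholds, the deduplication formula, the first-session-after-reset behaviour, and the clearing of the acknowledged mark on a new incident follow this page; the Session and ClientMonitor classes, their field names, the constructed sample sessions, the strict "greater than" comparison at the thresholds, and the division-by-zero guard are assumptions made for the example.

```python
# Added example, not IBM Spectrum Protect code: models the security notification
# rules described on this page. Class and field names and the sample sessions
# are constructed for illustration.
from dataclasses import dataclass, field
from typing import List

BASELINE_SESSIONS = 5               # rolling average uses up to five recent sessions
WORKLOAD_INCREASE_THRESHOLD = 0.25  # bytes backed up 25% above the average
DEDUP_DECREASE_THRESHOLD = 0.25     # dedup rate 25% (relative) below the average


@dataclass
class Session:
    """Per-session statistics as they would be read from the activity summary log (constructed)."""
    start: str            # Timestamp column: start time of the backup session
    bytes_backed_up: int  # bytes backed up during this session
    dedup_savings: int    # DEDUP_SAVINGS as logged for the client
    bytes_protected: int  # BYTES_PROTECTED as logged for the client

    @property
    def dedup_rate(self) -> float:
        # The page's formula: (DEDUP_SAVINGS / BYTES_PROTECTED) * 100
        if self.bytes_protected == 0:  # guard is an assumption; the page does not cover it
            return 0.0
        return self.dedup_savings / self.bytes_protected * 100


@dataclass
class Incident:
    kind: str        # "Workload Increase" or "Deduplication Decrease"
    observed: float  # value measured in this session
    baseline: float  # rolling average it was compared against


@dataclass
class ClientMonitor:
    """Tracks one row of the Security Notifications table for a single client."""
    history: List[Session] = field(default_factory=list)
    occurrences: int = 0
    acknowledged: bool = False

    def acknowledge(self) -> None:
        self.acknowledged = True

    def reset(self) -> None:
        # Reset action: discard the historical baseline and the notification row.
        self.history.clear()
        self.occurrences = 0
        self.acknowledged = False

    def evaluate(self, session: Session) -> List[Incident]:
        """Compare a finished session with the rolling baseline, then fold it into the baseline."""
        incidents: List[Incident] = []
        # The first session after a reset only records a baseline; there is nothing to compare.
        if self.history:
            recent = self.history[-BASELINE_SESSIONS:]
            avg_bytes = sum(s.bytes_backed_up for s in recent) / len(recent)
            avg_rate = sum(s.dedup_rate for s in recent) / len(recent)
            if session.bytes_backed_up > avg_bytes * (1 + WORKLOAD_INCREASE_THRESHOLD):
                incidents.append(Incident("Workload Increase", session.bytes_backed_up, avg_bytes))
            # Relative change in the dedup rate, as the page specifies (not percentage points).
            if avg_rate > 0 and (avg_rate - session.dedup_rate) / avg_rate > DEDUP_DECREASE_THRESHOLD:
                incidents.append(Incident("Deduplication Decrease", session.dedup_rate, avg_rate))
        self.history.append(session)
        if incidents:
            # A new incident bumps Occurrences and removes any earlier acknowledged check mark.
            self.occurrences += 1
            self.acknowledged = False
        return incidents


if __name__ == "__main__":
    monitor = ClientMonitor()
    # Five constructed "normal" sessions: 100,000 bytes backed up, 60% dedup savings.
    for day in range(1, 6):
        monitor.evaluate(Session(f"2024-01-0{day}T01:00", 100_000, 600_000, 1_000_000))
    # Constructed session with a 40% workload jump and a dedup rate falling from 60% to 35%.
    for inc in monitor.evaluate(Session("2024-01-06T01:00", 140_000, 700_000, 2_000_000)):
        print(f"{inc.kind}: observed {inc.observed:.1f}, baseline {inc.baseline:.1f}")
    print("occurrences:", monitor.occurrences)
```

Running the block reports both a Workload Increase and a Deduplication Decrease for the sixth session. Feeding a seventh normal session afterwards produces no incident, but its baseline still contains the abnormal session, which is why the page says that up to five further sessions are needed before the rolling averages settle, and why a Reset is the quicker way to discard a baseline that you know is polluted by a benign change.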