Cohesity and VMware NSX: Slayers of Ransomware – WannaCry

Last week the world witnessed the impact of a malicious cyberattack that affected several organizations and institutions across the globe. Hospitals, airports, courier delivery services, telecommunications providers, government agencies, and others all fell victim to WannaCry, which, as reported by CNN Tech, is being described as one of the worst and most extensively spread ransomware attacks in history. The WannaCry ransomware is a severe threat that is exposing several global organizations to the potential risk of losing access to business intellectual property and customer-related information. To make matters worse, the impact of WannaCry is putting lives at risk. As reported by CNN Tech, sixteen National Health Service (NHS) organizations in the UK were impacted and, as a result, some hospitals were forced to cancel outpatient appointments and told patients to avoid emergency departments for the time being if possible.

At this point, it is safe to say that the impact of WannaCry goes beyond the financial burden on impacted organizations: it also puts human lives at risk when hospitals and health institutions are forced to refrain from seeing patients because they don’t have access to their personal health records.

It would be remiss of me not to mention the fact that it takes more than just technology and tools for organizations to proactively protect their infrastructures and data from cyberattacks such as WannaCry. This has very much to do with the aptitude and maturity of the management team responsible for the IT infrastructures. The lack of operational maturity and reliance on antiquated policies around system patching is also one of the biggest reasons as to why WannaCry has been so impactful. All of the tools and technology in the world can’t really fix human ignorance.

There are many technology solutions available that can help organizations protect their infrastructures against these types of cyberattacks. Before I provide a couple of recommendations for keeping the ransomware from spreading and for quickly regaining access to infected systems and the data being held for ransom, let me provide some information on what the WannaCry cyberattack does, how it does it, and what has already been done to mitigate the risk of infection.

WannaCry is a global ransomware attack that is spreading throughout the world by exploiting a Windows operating system vulnerability which was described in. The vulnerability allows remote code execution by maliciously developed code that sends messages to a Microsoft Server Message Block (SMB) server over a network of connected Windows systems. According to Microsoft, a security patch that fixes the Windows operating system vulnerability being exploited by the WannaCry ransomware was released in March. Microsoft has also recommended that everyone patch their Windows operating systems and enable Automatic Windows Update to be safe and avoid the risk of being impacted by the WannaCry ransomware cyberattack.

WannaCry spreads over networks, and it locks down all the files of an infected system by encrypting them and preventing access to any data. The ransom demanded to regain access to the files is a payment of $300 per infected system in Bitcoin. After the ransom is paid, a private key is provided, which is then used to decrypt the files and regain access. In the event the ransom is not paid within a defined period, the files on the infected systems will remain encrypted and will be permanently lost.

Now that I’ve provided information about the cyberattack and the vulnerability that is being exploited, the operating systems that are being targeted, and its overall purpose, I can provide some technological recommendations to be considered for proactive preparation against cyberattacks like WannaCry.

WannaCry Attack Points and Infrastructure Responsibilities Impacted:

  • WannaCry is targeting Windows operating systems exploiting a vulnerability found in the Microsoft Server Message Block 1.0 (SMBv1) Server – Patching, Network, Security
  • WannaCry is designed to gain control of information and data by encrypting any file that it finds in an infected system – Data Protection, Immutability
  • WannaCry data access or data loss demands are based on time – Low RTO and RPO

With most of the world’s enterprise data centers being highly virtualized, they are all likely to be hosting an exponential number of virtual machines running Windows operating systems. While I have no data to validate this next statement, I’m going to assume that the WannaCry ransomware cyberattack has impacted or could impact a significantly large number of Windows virtual machines that are being hosted on virtualized infrastructures. The virtualization platforms may vary, ranging from VMware vSphere to Microsoft Hyper-V, KVM, etc. There are several solutions available for each of those platforms to combat cyberattacks, but I’m going to focus on the platform I know best, which is VMware vSphere. VMware vSphere, together with its partner ecosystem, is also the most adopted virtualization platform in the enterprise today.

Recommendations Against WannaCry for Cohesity and VMware NSX Customers

  • WannaCry is targeting Windows operating systems that haven’t been patched since March. This is not entirely a technology-driven problem; it is the result of an inefficient operating model and procedure for security and vulnerability patching. Even with the right tools in place, organizations may fall victim to these types of attacks because of a lack of operational maturity and inadequate procedures for rolling out patches.
    • Recommendation – do a better job arranging the rollout of patches. This has more to do with infrastructure management and operations policies and procedures than anything else.
  • WannaCry is exploiting a vulnerability found in the Microsoft Server Message Block 1.0 (SMBv1) Server, and it is spreading over the network. The right network and security tools can help secure and lock down application ports and network interfaces to eliminate the exploit being used by the cyberattack.
    • Organizations using VMware NSX can easily configure NSX to block and isolate infected virtual machines automatically and prevent WannaCry from spreading over the network by defining a security group for Windows virtual machines that can be used to quarantine Windows virtual machines via a system security policy.

  • Use NSX Microsegmentation to block the ports that are being exploited by the vulnerability by creating a security policy and placing it at the top of the NSX distributed firewall rules.
    • Create a rule blocking the following ports to prevent WannaCry from spreading:
      • 137 UDP NETBIOS Name Service
      • 138 UDP NETBIOS Datagram Service
      • 139 TCP NETBIOS Session Service
      • 445 TCP Microsoft CIFS
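
The ordering requirement in the recommendation above, as an added example (not code from the original post and not the NSX API or its export format): distributed firewall rules are evaluated top-down and the first match applies, so a broad allow rule sitting above the block rule leaves the four ports open. The `Rule` model, the rule names and the allow-by-default fallback are assumptions made for illustration.

```python
from dataclasses import dataclass

# Port/protocol pairs the post lists for blocking.
WANNACRY_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
ALL_PORTS = frozenset(range(1, 65536))


@dataclass(frozen=True)
class Rule:
    """Hypothetical, simplified firewall rule (source/destination groups omitted)."""
    name: str
    action: str        # "allow" or "block"
    proto: str         # "tcp", "udp" or "any"
    ports: frozenset   # destination ports the rule matches


def first_match(rules, proto, port, default="allow"):
    """Walk the rules top-down and return (action, rule name) of the first hit."""
    for rule in rules:
        if rule.proto in ("any", proto) and port in rule.ports:
            return rule.action, rule.name
    return default, "<default>"   # assumed fallback: allow when nothing matches


def audit(rules):
    """Map each listed (proto, port) still reachable to the rule that permits it."""
    exposed = {}
    for proto, port in sorted(WANNACRY_PORTS):
        action, name = first_match(rules, proto, port)
        if action != "block":
            exposed[(proto, port)] = name
    return exposed


def hoist_blocks(rules):
    """Return the rules with every block rule moved to the top, order preserved."""
    blocks = [r for r in rules if r.action == "block"]
    return blocks + [r for r in rules if r.action != "block"]


# Constructed sample rule set: the block rules exist but sit below a broad allow.
BLOCK_UDP = Rule("block-netbios-udp", "block", "udp", frozenset({137, 138}))
BLOCK_TCP = Rule("block-smb-tcp", "block", "tcp", frozenset({139, 445}))
MISORDERED = [Rule("allow-east-west", "allow", "any", ALL_PORTS), BLOCK_UDP, BLOCK_TCP]

if __name__ == "__main__":
    for (proto, port), name in audit(MISORDERED).items():
        print(f"{port}/{proto} still allowed by rule '{name}'")
    print("exposed after hoisting:", audit(hoist_blocks(MISORDERED)))
```

An empty result from `audit` means every listed port hits a block rule before any allow rule; a non-empty result names the rule that shadows the block.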

  • WannaCry is designed to encrypt files located on infected systems. A limited time is provided before the price of the ransom to regain access to the files is increased to a larger cash amount. If the ransom is not paid the encrypted files are at risk of permanent loss. From a data recoverability perspective, organizations that are using Cohesity DataPlatform for converged data protection and recovery and other secondary storage functions can overcome the impact of ransomware cyberattacks such as WannaCry.
    • Cohesity provides robust protection and recoverability capabilities against ransomware cyberattacks by keeping data (virtual machines or files) that is backed up onto the platform secure. With Cohesity, backups are performed and protected via time-based snapshots, and the primary backups are kept in an immutable format that is stored in a logical presentation abstraction known as Views, which are never exposed and are inaccessible to operating system mount functions.
    • As WannaCry spreads throughout an infrastructure infecting Windows virtual machines, it is only infecting the running instances of the virtual machines and not their clone counterparts. Once Cohesity has protected the Windows virtual machines, an administrator can quickly restore the infected files of those virtual machines from an immutable copy, to a point in time before the virtual machines were infected. This approach is also applicable to database applications.

  • WannaCry file encryption can be quickly mitigated by organizations using Cohesity because of the DataPlatform’s ability to perform near-instant recoverability and infinite recovery points due to its space and time efficient fast snapshotting capabilities.

  • Below is a simulated ransomware cyberattack demonstration which showcases the effectiveness and efficiency of Cohesity by highlighting how quickly organizations can recover from ransomware cyberattacks such as WannaCry. For more details on how Cohesity can protect organizations against ransomware cyberattacks, read the article “Ransomeware meets its match in Cohesity”.

We are at the precipice of the world’s digital transformation, and as we digitize more information and depend on it more than ever, we can expect cyberattacks aimed at gaining control of your data to continue happening. It is important to improve organizational operating processes and procedures. Look for modern solutions for patching, network, security and data management (protection, archival, retention) to help with the modern threats of the digital era. VMware NSX’s modern networking and security features and capabilities and Cohesity’s modern DataPlatform, together and individually, provide significant ways to proactively and reactively eliminate the impact of a cyberattack from a network, security, and data accessibility and recoverability perspective, but the fight will continue. Stay Alert!

-Enjoy

For future updates about Cohesity, Data Management, Primary and Secondary Storage, Cloud Computing, Networking, VMware vSAN, vSphere Virtual Volumes (VVol), vSphere Integrated OpenStack (VIO), and Cloud-Native Applications (CNA), and anything in our wonderful world of technology be sure to follow me on Twitter: @PunchingClouds.

HyTrust KeyControl (KMS) for vSphere and vSAN

While working on a new Cohesity project idea which required testing the encryption capabilities of a primary storage solution, I was faced with the challenge of needing access to a key management service (KMS) solution. KMS solutions aren’t always found just lying around the data center, and I needed something fast and straightforward. I immediately reached out to a couple of friends over at HyTrust for some assistance, since I had worked with them in the past while I was at VMware. In typical HyTrust fashion, they were helpful and immediately responded with what I needed, giving me access to one of their encryption and key management service solutions called HyTrust KeyControl.

I’m not entirely new to HyTrust and their security solutions. Back in March of 2015 I published an article and a demonstration of how to use HyTrust DataControl with vSAN. That was a solution I developed before vSAN supported encryption at rest – “VMWARE VIRTUAL SAN 6.0: DATA ENCRYPTION WITH HYTRUST DATACONTROL”

I was a supporter of HyTrust DataControl then, and I’m now a supporter of HyTrust KeyControl especially after the incredible news the folks from HyTrust have just shared with me. HyTrust has made their KeyControl product available as a free of charge trial for just about every vSphere and vSAN customer. This is extremely useful for vSphere Admins and IT Professionals looking to evaluate the new encryption capabilities offered by VMware with vSphere VM Encryption for VMFS and NFS storage abstractions and vSAN.

HyTrust KeyControl is a robust enterprise-grade key management solution designed for the modern data center. Encryption has become a standard requirement for on-premises and cloud infrastructure, and managing encryption keys can become a challenging process, with the responsibility of having to track keys for each workload and then rotate those keys as required by various regulatory environments, all while ensuring the secure creation and destruction of the keys. From an operations perspective, HyTrust KeyControl is easy to set up, use, and scale. It provides built-in high availability and unlimited key issuance, so there is no need to worry about HyTrust KeyControl going down or suffering a service disruption.

HyTrust KeyControl simplifies the process of encryption key management for deployments that do not require sophisticated policy-based key management but still need to scale to enterprise-grade performance. And all this is done without costly physical appliances or license fees. HyTrust KeyControl has been certified to work with VMware vSphere VM Encryption and will be certified shortly with vSAN Encryption.

At the moment, HyTrust has a #keyforfree offering called HyTrust KeyControl for VMware vSphere VM Encryption and HyTrust KeyControl for VMware vSAN Encryption that provides the software without cost (100% discount) and only charges for support services. Anyone interested in obtaining HyTrust KeyControl for VM Encryption or HyTrust KeyControl for vSAN Encryption can request information directly from this link -> HyTrust KeyControl Request Form

VMware admins can easily use this solution for both vSphere VM Encryption and vSAN encryption. The HyTrust KeyControl setup and use are both very simple. Here is a demonstration of the simple deployment and configuration procedures of both HyTrust KeyControl and vSphere:

-Enjoy

Cohesity Featured in vSpeaking Podcast

This week, while in between flights, I got a chance to catch up with my good buddies John Nicholson (@lost_signal) and Pete Flecha (@vPedroArrow) and joined them on their incredibly successful vSpeaking Podcast for a conversation about Cohesity and secondary storage.

The boys entertained a couple of important topics that go beyond products that are pretty close to my chest. I really enjoyed the conversation with John and Pete, and it’s something that I think is worth listening to. We cover many topics as part of our conversation, ranging from what’s new with Cohesity 4.0 all the way to vSAN, VMware Cloud Foundation, Amazon, Google, Azure, Cloud adoption, Cloud Consumption, IoT, availability, enterprise and cloud architectures, Cisco, HP and more.

If you have the time and are interested in listening to the conversation, take a quick break and listen to episode 42 of the vSpeaking Podcast. I have to say that John and Pete are extremely entertaining and knowledgeable, and I guarantee that you will enjoy them. Have a listen.

-Enjoy

Cohesity World Tour: North America – San Diego & South Florida VMUG Usercons

In continuation of the Cohesity World Tour, the US portion of the tour will continue this upcoming week of April 17th, and it will be going from coast to coast. I’ll be attending two consecutive VMUG Usercon events, one on the west coast and the other on the east coast. Back-to-Back!!! The first stop will be on Tuesday, April 18th in California at the San Diego 2017 Usercon, then on Wednesday, April 19th in Florida at the South Florida VMUG Usercon 2017. I will be present at those two events interacting with our community members, customers, and partners. I’ll be ready to engage with anyone who wants to talk and discuss the revolution of secondary storage and what Cohesity is bringing to market. Additionally, I will also be delivering the afternoon keynote at both events, where I will be presenting on a topic that I’ve been observing for the past 18 months: “The Art of Data Management for the Next Industrial Revolution”.


For anyone who can attend the events and is interested in potentially engaging in some discussions on the importance of a modern data platform for VMware vSphere infrastructures in the evolving enterprise data centers, what’s available now, and what’s coming, I’m happy to discuss the importance of simplifying the current complexities surrounding enterprise data centers around the management of information and the importance of secondary storage for VMware virtualized infrastructures. Let me show you how Cohesity complements organizations’ primary storage (traditional and converged) platforms, ranging from Pure Storage to VMware vSAN, for their Tier-1 mission-critical workloads and how we complement and simplify infrastructure management with our solutions.

Fortunately, not everything will be strictly business: Cohesity has co-sponsored an after-event party for the community, customers, partners, and event attendees. This is a small token of appreciation from Cohesity for the support and appreciation shown by the VMUG community, customers, partners, and all in attendance. If you are attending the South Florida VMUG Usercon, make time to attend the party. Guaranteed to be a lot of.

After Event Party Venue and Location:
Banko Cantina 114 S Olive Ave,
West Palm Beach, FL 33401

I have a couple of surprises lined up for what I think is going to be a phenomenal week of VMUG Usercon events that you won’t want to miss. Mark your calendars and attend, as it will be a fun and learning experience. I hope to see everyone there.

-Enjoy
