March 6 2022
Anomaly Detection with Retrospect Backup
The rise of ransomware, and ransomware-as-a-service more recently, poses a huge threat to businesses around the world with a projected $20B payout in 2021, a 100% year-over-year increase for the last four years. Ransomware is now a vast ecosystem with many different forms of attacks. Many attackers have their own versions of ransomware, and these are called variants. Each variant has the same purpose, but it uses a different mechanism or simply a different naming convention. The majority of ransomware variants and all of the top 10 forms for 2021 followed the same attack pattern: infiltrate a computer, encrypt its files, and then rename the files with a different extension. Businesses need to detect ransomware as early as possible to stop the threat and remediate those resources.
Anomaly detection in Retrospect Backup 18.5, launched last month, identifies changes in an environment that warrant the attention of the IT team. Administrators can tailor anomaly detection to their business’s specific systems using customizable filtering and thresholds for each of their backup policies. Those anomalies are aggregated on Retrospect Management Console across all of the business’s Retrospect Backup instances, or across a partner’s client base, with a notification area for responding to them.
Retrospect Backup detects all of the major ransomware variants using an algorithm that focuses on file metadata anomalies for behavior-based monitoring. According to Coveware, the top variants are always changing, with over 50% changing every quarter. The key to detection is combining technologies such as signature detection in processes with file-based irregularities. Using a multi-pronged defense, with immutable backups, anomaly detection, and other security layers, businesses will know when they’re being attacked and will have the tools to remediate it and move on.
Technical Deep Dive
As a data protection solution, Retrospect Backup has a significant footprint in a business’s computer environment, with visibility into endpoints, servers, NAS volumes, and even cloud storage. To detect anomalies, Retrospect Backup provides a per-policy filter and threshold that decide whether a given set of file changes counts as an anomaly, plus options for notifications. Let’s walk through each:
- Filtering: Configure a filter to identify the files to observe. Retrospect lets administrators tailor this to file types, paths, dates, or specific attributes, and the built-in filter focuses on office documents, photos, and movies.
- Threshold: Set the threshold for the alert. If the percentage of new or changed files out of the total number of files matched by the filter is greater than or equal to the threshold, Retrospect will create an anomaly event.
- Notification: Access notifications on Retrospect Management Console, receive them immediately in an email, and find them in the Execution History and Backup Report. Retrospect surfaces the notification for anomaly detection in the best place for an organization.
The diagram shows the volume being monitored as a whole, the subset of files that match the “Anomaly Detection” filter, and the files that are new or changed within that subset. Retrospect generates an alert if that percentage meets or exceeds the threshold.
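To make the filter-and-threshold rule above concrete, here is an added, self-contained Python model of it. It is illustrative code written for this page, not Retrospect’s own implementation or API: the extension list standing in for the built-in “office documents, photos, and movies” filter, the two snapshots being compared, the 50% threshold, and all file names and digests are constructed. It also goes one step beyond the rule as stated: a matched file that vanishes between snapshots is counted as changed, because a file renamed to a ransomware extension no longer matches the filter and would otherwise drop out of both numerator and denominator (that treatment is an assumption, not something the post states).

```python
"""Added illustrative example of a filter-plus-threshold anomaly check.
Not Retrospect's code or API; names and sample data are constructed."""
from dataclasses import dataclass, replace
from fnmatch import fnmatch
from typing import Dict, Iterable, Tuple

@dataclass(frozen=True)
class FileRecord:
    path: str
    digest: str  # constructed stand-in for a content hash

Snapshot = Dict[str, FileRecord]

# Assumed stand-in for the built-in "office documents, photos, and movies" filter.
DEFAULT_FILTER = ("*.docx", "*.xlsx", "*.pptx", "*.pdf", "*.jpg", "*.png", "*.mp4", "*.mov")

def matches_filter(path: str, patterns: Iterable[str] = DEFAULT_FILTER) -> bool:
    """Filter step: does this file belong to the observed subset?"""
    name = path.rsplit("/", 1)[-1].lower()
    return any(fnmatch(name, p) for p in patterns)

def anomaly_stats(previous: Snapshot, current: Snapshot,
                  patterns: Iterable[str] = DEFAULT_FILTER) -> Tuple[int, int, float]:
    """Return (flagged, observed, percent) over the files matched by the filter.
    new = only in current; changed = digest differs; missing = vanished since the
    previous snapshot (assumption beyond the post: a rename to a ransomware
    extension makes the file stop matching, so its disappearance is counted)."""
    patterns = tuple(patterns)
    prev_matched = {p for p in previous if matches_filter(p, patterns)}
    cur_matched = {p for p in current if matches_filter(p, patterns)}
    new = cur_matched - prev_matched
    changed = {p for p in prev_matched & cur_matched
               if previous[p].digest != current[p].digest}
    missing = prev_matched - cur_matched
    observed = prev_matched | cur_matched
    flagged = new | changed | missing
    percent = 100.0 * len(flagged) / len(observed) if observed else 0.0
    return len(flagged), len(observed), percent

def is_anomaly(previous: Snapshot, current: Snapshot, threshold_percent: float,
               patterns: Iterable[str] = DEFAULT_FILTER) -> bool:
    """Threshold step: alert when the changed share is >= the configured threshold."""
    return anomaly_stats(previous, current, patterns)[2] >= threshold_percent

# ---- constructed sample data (not real volumes) ------------------------------
def _snapshot(entries) -> Snapshot:
    return {path: FileRecord(path, digest) for path, digest in entries}

BASELINE: Snapshot = _snapshot([
    ("docs/q1-report.docx", "a1"), ("docs/budget.xlsx", "b2"), ("docs/pitch.pptx", "c3"),
    ("photos/team.jpg", "d4"), ("photos/office.png", "e5"), ("video/demo.mp4", "f6"),
    ("logs/app.log", "g7"),     # outside the filter: never counted
    ("build/cache.bin", "h8"),  # outside the filter: never counted
])

def normal_day() -> Snapshot:
    """One spreadsheet edited; the log file churns but is ignored by the filter."""
    cur = dict(BASELINE)
    cur["docs/budget.xlsx"] = replace(cur["docs/budget.xlsx"], digest="b2-edited")
    cur["logs/app.log"] = replace(cur["logs/app.log"], digest="g7-rotated")
    return cur

def encrypt_in_place() -> Snapshot:
    """Every matched file rewritten with encrypted content; names unchanged."""
    return {p: (replace(r, digest="enc-" + r.digest) if matches_filter(p) else r)
            for p, r in BASELINE.items()}

def rename_to_locked() -> Snapshot:
    """Every matched file encrypted and renamed with a new extension."""
    cur: Snapshot = {}
    for p, r in BASELINE.items():
        if matches_filter(p):
            cur[p + ".locked"] = FileRecord(p + ".locked", "enc-" + r.digest)
        else:
            cur[p] = r
    return cur

def evaluate(threshold_percent: float = 50.0) -> Dict[str, Tuple[int, int, float, bool]]:
    """Run the three scenarios; the final flag is what would drive a notification."""
    results = {}
    for name, fn in (("normal_day", normal_day), ("encrypt_in_place", encrypt_in_place),
                     ("rename_to_locked", rename_to_locked)):
        flagged, observed, pct = anomaly_stats(BASELINE, fn())
        results[name] = (flagged, observed, pct, pct >= threshold_percent)
    return results

if __name__ == "__main__":
    for name, (flagged, observed, pct, alert) in evaluate().items():
        print(f"{name:18s} {flagged}/{observed} matched files changed ({pct:5.1f}%)"
              f" -> {'ANOMALY' if alert else 'ok'}")
```

Run as a script it prints one line per scenario: the ordinary workday lands at 1 of 6 matched files (about 17%) and stays quiet at a 50% threshold, while both the encrypt-in-place and rename-to-new-extension scenarios reach 100% and alert. The log file’s churn never affects the ratio because it sits outside the filter, which is the point of scoping the check to the file types ransomware targets rather than to the whole volume.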
Customers can simply enable “Anomaly Detection” in each policy, select the appropriate filter, and assign a threshold. Retrospect takes care of the rest.
When an anomaly is detected, Retrospect can generate an email notification and surface the anomaly in the application and on Retrospect Management Console. It also provides API integration for businesses to tailor the workflow to their processes using Script Hooks, so the organizations can take further actions, like posting to a Slack channel or even stopping the backup until the problem is assessed.
Congratulations to the Retrospect Engineering team for releasing such a huge update! Retrospect Backup 18 included immutable backups for ransomware protection, and with this free update, we’re extending that ransomware focus to anomaly detection.