A ransomware attack is a disaster. When ransomware infects an organisations IT systems, stored and backup data are encrypted and made unavailable.

The IT system is unable to function and in many cases that means the organisation cannot function either until it remedies the attack. In essence there are two ways to do this: paying the ransom to decrypt the files or getting clean files restored from a disaster recovery (DR) facility.

Affordable and fast DR is a good way to defeat a ransomware infestation. Datrium, a hyperconverged systems vendor, has recognised this and in August 2019 launched its own DRaaS (disaster recovery as a service), incorporating home-grown HCI system backup technologies.

Historically, disaster recovery has been a hugely expensive but relatively niche aspect of customer storage and system buying strategy. But the massive increase in ransomware attacks in recent years has expanded the DR vulnerability surface. At the same time availability of the public cloud to provide a form of remote DR facility has brought costs tumbling.

A September 2016 FBI alert said: New ransomware variants are emerging regularly. Cyber security companies reported that in the first several months of 2016, global ransomware infections were at an all-time high. Within the first weeks of its release, one particular ransomware variant compromised an estimated 100,000 computers a day.

Data protection vendor Acronis reported the Spring 2017 WannaCry outbreak afflicted over 200,000 computers in over 150 countries. Global costs were estimated to total $8bn.

A second FBI alert in October 2019 said: Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminant ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.

Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.

Indeed ransomware is now so prevalent that automated failover to a recovery site is becoming table stakes for all data protection suppliers. In that sense ransomware recovery is a killer feature, and suppliers without this capability will be in trouble.

Many data protection suppliers already offer DR facilities, including Cohesity, Commvault, Dell EMC, Druva, Rubrik and Zerto. And more are sure to follow.

Datriums background is somewhat different. Founded in 2012, the company is a venture-backed startup that has raised $165m to date, including $60m in the most recent round in September 2018.

Datrium pioneered a middle way between converged and hyperconverged systems with hyperconverged nodes running storage controller software that linked them to a shared storage box. However, it faced enormous competition and the HCI market consolidated rapidly around two leading suppliers: Dell EMC, with VxRail, and Nutanix.

Datrium then moved in to unified hybrid cloud computing and protecting its DVX systems, specifically backup to the cloud. The company announced Cloud DVX in August 2018, claiming up to 10 times lower AWS costs for cloud backup, and CloudShift, a SaaS-based disaster recovery orchestration service for VMware.

This hit the market as the necessity of dealing with ransomware became even more pressing, and Datrium realised it had a potential killer app for VMware users.

CEO Tim Page told Blocks & Files in a phone interview that Datrium has gained 60 new accounts in under two months since launching its disaster recovery as a service. DR is catapulting our business revenues upwards.

He said the reason for this is that Datriums DRaaS preserves the VMware environment, is affordable and lightning fast, failing over in minutes when an attack takes place.

Datrium offers DR as a Service (DRaaS) using the VMware Cloud on AWS. In other words it protects VMware virtual machines (VMs) by spinning up DR copies in AWS. Page told me the time between attack detection and recovery should be as short as possible i.e. the DR copy VMs should be spun up quickly.

He said backups, even air-gapped backups such as tape, are inferior to a DR facility. It takes time to restore backup files and the ransomware infestation must be removed from the affected IT site. With a DR facility in place, the victim can use clean files while the ransomware is found, removed and infected files deleted. Post clean-up, the DR facility can fail back to the main site.

Datrium stores backup immutable snapshots in Amazons S3 storage, which lowers cost, but in a form that means they can be immediately spun up without rehydration or conversion as VMs running in the VMware cloud. Admin staff at the ransomware-infected customer just switch from one VMware environment to another; there is no difference.

Immutability means that the snapshotted data cannot be altered subsequently. Any ransomware infection after the date the snapshot was taken will not infect that snapshot.

Datrium offers a short RTO (Recovery Time Objective) because it has selectable restore points. This short RTO is made feasible by automating the recovery process, which can involve hundreds or thousands of separate operational steps to get a large suite of VMs up and running in the right order.

With the orchestration routine in place, the DRaaS facility is told via a mouse click to fail over to the cloud DR site when a ransomware attack or other disaster happens, and that takes just minutes. DR recovery can then start a few minutes later at the source site.

Backed-up VMs exist in a timeline. Some time before an attack with its file locking-by-encryption and ransom notification, ransomware infects a system and starts started encrypting files. This event can be located by checking file activity records.

In a recent incident a Midwest US municipality was attacked (the town is unwilling to reveal its identity, Datrium said). The IT department had backed up its VMs to a Datrium DVX system but without the DRaaS option in place. Admin staff and Datrium consultants checked the incoming snapshots to the target DVX system and found a sudden size increase:

The highlighted snapshots in the image above have sizes of 23.6Gib, 80.2Gib, and 80.7Gib, while prior and subsequent snapshots are 6.1Gib and 3.6Gib in size. This enlargement was caused by Ryuk ransomware encrypting files.

To combat the attack, a prior snapshot from a day earlier was used and powered up on a quarantined network. It was verified malware-free by a security team and became a so-called recovery golden copy.

The recovery team restored individual VMs in priority order and verified each one was clean with an anti-virus scanner before restoring the next one. This took almost two days to complete. A mass update restoration of all their VMs would have taken less time and a DRaaS option would have been quicker again.

Datrium initially provided cloud backup for its own on-premises DVX semi-hyperconverged system semi, because the storage repository was separate from the compute nodes. It extended this to source systems from Dell EMC, NetApp, Nutanix, Pure Storage and others, and also to VMware running in AWS.

Datrium can provide DR with failover to VMware Cloud on AWS so long as the source site is a VMware site. Datrium uses its own backed up VMs and data from the source site.

VMware is accommodating Kubernetes and containers and Page pointed out that as VMware embraces Kubernetes we can do so too.

He said Datrium DRaaS will work with Microsoft Azure cloud by the end of 2020.

And what about the rising tide of cloud-native applications that do not use VMware? We have a CSS login for bare metal servers, Page said. He suggested Datrium could develop this ability to backup bare metal Kubernetes environments to the public cloud, and reinstantiate containers there for DR, in the same way as it spins up VMs today.

As long as ransomware infections exists Datrium should prosper by offering a simple and fast recovery option, viable both for virtual machines and containerised environments.

View original post here:
Ransomware protection is killer app for Datrium DRaaS - Blocks and Files

Next-gen security specialist Sophos has revealed details of a sophisticated new attack known as Cloud Snooper, which enables malware on servers to communicate freely with its command and control (C2) servers through its victims firewalls, and may have been developed by a nation state actor.

The attack technique was uncovered by SophosLabs threat research manager Sergei Shevchenko whilst investigating a malware infection of some AWS hosted cloud servers. However, it is not an AWS-specific attack, but rather it represents a method of piggybacking C2 traffic on legitimate traffic to get past firewalls and exfiltrate data.

Cloud Snooper uses three main tactics, techniques and procedures (TTPs) in tandem. These consist of a rootkit to circumvent firewalls, a rare technique to gain access to servers while disguised as legitimate traffic essentially a wolf in sheeps clothing and a backdoor payload that shares the malicious code between both Windows and Linux systems. Each of these elements has been seen before, but never yet all at once.

This is the first time we have seen an attack formula that combines a bypassing technique with a multi-platform payload targeting both Windows and Linux systems,said Shevchenko.

IT security teams and network administrators need to be diligent about patching all external-facing services to prevent attackers from evading cloud and firewall security policies.

IT security teams also need to protect against multi-platform attacks. Until now, Windows-based assets have been the typical target, but attackers are more frequently considering Linux systems because cloud services have become popular hunting grounds. Its a matter of time before more cyber criminals adopt these techniques.

Shevchenko said that the complexity of the attack and the use of bespoke advanced persistent threat (APT) toolkit strongly suggested that the malware and its operators are highly advanced and possibly being backed by a nation state actor.

He added that is was possible, indeed highly likely, that the specific package of TTPs would trickle down to the lower rungs of the cyber criminal hierarchy, and eventually form a blueprint for widespread firewall bypass attacks.

This case is extremely interesting as it demonstrates the true multi-platform nature of a modern attack, said Shevchenko.

A well-financed, competent, determined attacker will be unlikely ever to be restricted by the boundaries imposed by different platforms building a unified server infrastructure that serves various agents working on different platforms makes perfect sense, he added.

Shevchenko said that in terms of prevention against this or similar attacks, while AWS Security Groups (SGs) provide a robust boundary firewall for EC2 instances, this does not in and of itself remove the need for network admins to fully patch all their outward-facing services.

He added that the default installation for the SSH server also needs extra steps to harden it, turning it into a rock-solid communication daemon.

Sophos shared a number of steps proactive admins should be taking. These include creating a full inventory of all network-connected devices and keeping their security software updated; fully-patching outward-facing services above and beyond what Amazon or your cloud service of choice might provide; check and double-check all cloud configurations; and enable multi-factor authentication on security dashboards or control panels to stop attackers disabling your defences, or at least to make it harder for them to do so.

Continued here:
Cloud Snooper firewall bypass may be work of nation state - ComputerWeekly.com

With two use cases for its containers, and five different container models, it would seem that Microsoft's container strategy is ripe for confusion. But that's not the case.

Microsoft offers many different container models on Windows. If you're running Windows 10 you're running several without even realising it: wrapping and isolating all your UWP apps; using thin virtual machines to deliver security; and, if you're a developer, either Windows or Linux Docker instances.

That layered container model is key to the future of Windows -- one that reaches into the upcoming Windows 10X and out into the wider world of public and private clouds, with Docker Windows containers now officially part of Kubernetes. Microsoft is working on shrinking Windows Server to produce lightweight container base images with a more capable Windows.

While the desktop containers are intended to both simplify and secure your desktop applications, providing much-needed isolation for apps installed via appx or MSIX (and in Windows 10X for any other Win32 code), Windows 10's containers are based on Windows' own process isolation technology. It's not the familiar Docker model that we find in our cloud-hosted enterprise applications.

That's not to say Windows 10 can't run Docker containers. Microsoft is using Docker's services to underpin its Windows Server containers. You can build and test code running inside them on Windows PCs, running either Pro or Enterprise builds, and the upcoming 2004 release of Windows 10 brings WSL2 and support for Linux containers running on Windows.

Docker has been developing a new version of its Docker Desktop tools for Windows around WSL2, making it as easy to develop and test Linux containers on Windows 10 as it is to work with Windows' own containers. With Microsoft positioning Windows as a development platform for Kubernetes and other cloud platforms, first-class Docker support on Windows PCs is essential.

It's not only Linux containers in the cloud. Windows containers have a place too, hosting .NET and other Windows platforms. Instead of deploying SQL Server or another Windows server application in your cloud services, you can install it in a container and quickly deploy the code as part of a DevOps CI/CD deployment. Modern DevOps treats infrastructures (especially virtual infrastructures) as the end state of a build, so treating component applications in containers as one of many different types of build artifact makes a lot of sense.

What's important here is not the application, but how it's orchestrated and managed. That's where Kubernetes comes in, along with RedHat's OpenShift Kubernetes service. Recent releases have added support for Windows containers alongside Linux, managing both from the same controller.

While both OpenShift and Kubernetes now support Windows containers, they're not actually running Windows containers on Linux hosts. There's no practical reason why they can't use a similar technique to that used by Docker to run Linux containers on Windows. However, Windows Server's relatively strict licensing conditions require a Windows licence for each virtual machine instance that was hosting the Windows containers.

Using Windows containers in Kubernetes means building a hybrid infrastructure that mixes Linux and Windows hosts, with Windows containers running on Windows Server-powered worker nodes. Using tools like OpenShift or the Azure Kubernetes Service automates the placement of code on those workers, managing a cross-OS cluster for your application. .NET code can be lifted into a Windows Docker container and deployed via the Azure Container Registry. You can manage those nodes from the same controller as your Linux nodes.

SEE:Serverless computing: A guide for IT leaders(TechRepublic Premium)

There's no need to learn anything new, if you're coming to Windows containers from Linux. You're using familiar Docker tools to build and manage your container images, and then the same Kubernetes tooling as you'd use for a pure Linux application. Mixing and matching Windows and Linux microservices in a single application allows you to take advantage of OS-specific features and to keep the expertise of existing developer teams, even as you're switching from a traditional monolithic application environment to a modern distributed system.

Microsoft is building a suite of open-source tools to help manage Windows containers, with a GitHub repository for the first one, a logging tool. Improving logging makes sense for a distributed application, where multiple containers interact under the control of Kubernetes operators.

Outside of Kubernetes, Windows containers on Windows Server have two different isolation modes. The first, process isolation, is similar to that used by Linux containers, running multiple images on a host OS, using the same kernel for all the images and the host. Namespaces keep the processes isolated, managing resources appropriately. It's an approach that's best used when you know what all the processes running on a server are, ensuring that there's no risk of information leaking between different container images. The small security risk that comes with a shared kernel is why Microsoft offers a more secure alternative: isolated containers.

Under the hood of Windows Server's isolated containers is, of course, Hyper-V. Microsoft has been using it to improve the isolation of Docker containers on Windows, using a thin OS layer running on top of Hyper-V to host a Docker container image, keeping performance while ensuring that containers remain fully isolated. While each container is technically a virtual machine with its own kernel, they're optimised for running container images. Using virtualization in this way adds a layer of hardware isolation between container images, making it harder for information to leak between them and giving you a platform that can host multiple tenant images for you.

It's easy enough to make and run a Hyper-V container. All you need to do is set the isolation parameter in the Docker command line to 'hyperv', which will launch the container using virtualisation to protect it. The default on desktop PCs is to use Hyper-V, for servers it's to use Docker isolation. As a result, you may prefer to force Hyper-V containers on your Windows Server container hosts.

Microsoft has been working hard to reduce the size of the Hyper-V server image that's used for Windows containers. It's gone down from nearly 5GB with Windows Server 1809 and 1903, to half the size at 2.46GB in the upcoming 2004 release. And that's Windows Server Core, not Nano! Building on Windows Server Core makes sense as it has a larger API surface, reducing the risk of application incompatibility.

With two use cases for its containers, and five different container models, it would seem that Microsoft's container strategy is ripe for confusion. But that's not the case. Windows' own application isolation technologies are managed automatically by the installer, so all you need to consider is whether your server applications run using process isolation or in Hyper-V. And that's a decision best made by whether you're running your applications on your own servers in your own data centre, or in the public cloud.

Be your company's Microsoft insider by reading these Windows and Office tips, tricks, and cheat sheets. Delivered Mondays and Wednesdays

See more here:
Windows 10: Containers are the future, and here's what you need to know - TechRepublic

source: shutterstock

Edge computing specialist SolidRun and ASIC solutions company Gyrfalcon Technology this week announced an Arm-based AI inference edge server that the companies say outperforms GPU performance for less cost and power consumption.

The server, called the Janux GS31, can be configured with up to 128 Gyrfalcon Lightspeeur SPR2803S neural accelerator chips, delivering a maximum of 24 TOPS per watt, outperforming SoC- and GPU-based systems by orders of magnitude, while using a fraction of the energy required by systems with equivalent computational power, the companies said in a joint announcement. The hardware supports low latency decoding and video analytics of up to 128 channels of 1080p/60Hz video designed for such edge AI use cases as monitoring smart cities and infrastructure, intelligent enterprise/industrial video surveillance applications and tagging photos and videos for text-based searching.

"AI is rapidly moving to the edge of the network to address the performance and security needs of many applications, said Jim McGregor, founder and principal analyst, Tirias Research. As a result, new networks will drive increasing demand for processing performance and efficiency. The SolidRun platform, leveraging the GTI AI acceleration technology, will provide a powerful and efficient way to build a new intelligent network bridging the gap between devices and the cloud."

Milpitas, CA-based Gyrfalcon bills itself as a developer of high-performance AI accelerators that use low power small-sized chips. SolidRun is an Israeli Arm and x86 computing and network technology company focused on AI edge deployment and 5G.

"Powerful, new AI models are being brought to market every minute, and demand for AI inference solutions to deploy these AI models is growing massively," said Dr. Atai Ziv, CEO at SolidRun. "While GPU-based inference servers have seen significant traction for cloud-based applications, there is a growing need for edge-optimized solutions that offer powerful AI inference with less latency than cloud-based solutions. Working with Gyrfalcon and utilizing their industry-proven ASICs has allowed us to create a powerful, cost-effective solution for deploying AI at the Edge that offers seamless scalability."

Related

Go here to see the original:
Arm-based AI Inference Edge Server Takes on GPU Price/Performance - EnterpriseAI

Overall shipments of personal computing devices (PCD) will decline 9% in 2020, reaching 374.2-million by the end of this year, as a result of the impact of coronavirus, or COVID-19, on manufacturing, logistics and sales.

According to new projections from the Worldwide Quarterly Personal Computing Device Tracker,International Data Corporation (IDC) has lowered its forecast for PCDs, inclusive of desktops, notebooks, workstations, and tablets.

The long-term forecast still remains slightly positive, with global shipments forecast to grow to 377.2-million in 2024, with a five-year compound annual growth rate (CAGR) of 0.2%. However, this is based on an IDC assumption that the spread of the virus will recede in 2020. Since the figure represents only marginal growth, the ongoing impact of the virus could quickly reduce long-term forecasts into negative expectations. IDC did not provide alternative scenariosshould this occur.

The decline in 2020 is attributed to two significant factors; the Windows 7 to Windows 10 transition creates tougher year-over-year growth comparisons from here on out and, more recently, the spread of COVID-19 is hampering supply and leading to reduced demand. As a result, IDC forecasts a decline of 8.2% in shipments during the first quarter of 2020 (1Q20), followed by a decline of 12.7% in 2Q20 as the existing inventory of components and finished goods from the first quarter will have been depleted by the second quarter. In the second half of the year, growth rates are expected to improve, though the market will remain in decline.

We have already forgone nearly a month of production given the two-week extension to the Lunar New Year break and we expect the road to recovery for Chinas supply chain to be long with a slow trickle of labour back to factories in impacted provinces until May when the weather improves, saidLinn Huang, research vice president, Devices & Displays. Many critical components such as panels, touch sensors, and printed circuit boards come out of these impacted regions, which will cause a supply crunch heading into Q2.

Theres no doubt that 2020 will remain challenged as manufacturing levels are at an all-time low and even the products that are ready to ship face issues with logistics, addedJitesh Ubraniresearch manager for IDCsWorldwide Mobile Device Trackers. Lost wages associated with factory shutdowns and the overall reduction in quality of life will further the decline in the second half of the year as demand will be negatively impacted.

Assuming the spread of the virus subsides in 2020, IDC anticipates minor growth in 2021 as the market returns to normal with growth stemming from modern form factors such as thin and light notebooks, detachable tablets, and convertible laptops. Many commercial organizations are expected to refresh their devices and move towards these modern form factors in an effort to attract and retain a younger workforce. Meanwhile, consumer demand in gaming, as well as the rise in cellular-enabled PCs and tablets, will also help provide a marginal uplift.

Worldwide Topline Personal Computing Device Forecast Changes, Year-Over-Year Growth %, 2020-2021 (Annual)

Worldwide Topline Personal Computing Device Forecast Changes, Year-Over-Year Growth %, 2020 (Quarterly)

Source: IDC Worldwide Quarterly Personal Computing Device Tracker, February 19, 2020

Read the rest here:
Cloud demands new way of thinking about IT - Gadget