Proactively Discover Anomalies with Data Protection Advisor

How you can use the Data Protection Advisor Analysis Engine to spot anomalies and protect yourself against possible cyberthreats.

In the last few years, we have seen increasingly sophisticated and well-developed security breaches. Organizations have become more vulnerable to cyberthreats, as digital information and technology become more integrated into day-to-day work. The dependence on the internet, cloud computing, big data, IoT devices and remote working means organizations of all types and sizes are now vulnerable.

As these threat and attack patterns become more sophisticated, organizations must develop more proactive cyber intelligence. Cyber intelligence allows organizations to prevent or mitigate cyberattacks by studying the data and metrics within an organization’s data infrastructure and providing information that can help identify, prepare for and prevent attacks.

What is Dell Data Protection Advisor?

Data Protection Advisor is a reporting and analytics platform that provides full visibility into a modern data protection infrastructure. Through this visibility, you can gain actionable insights and predictability across your diverse data protection environment. Data Protection Advisor enables you to measure backup and recovery SLAs, track compliance and recoverability, measure performance and review the utilization and protection status of data and applications across your environment.

How Does Data Protection Advisor Help You to Become Proactive to Detect Anomalies?

Dell Data Protection Advisor has an inbuilt stateful Analysis Engine that continuously monitors backup appliance activity and detects anomalies based on customer-defined rules. IT owners can protect critical data from cyberattacks by creating simple rules and receiving immediate alerts via email, a local script call, an SNMP trap or an Event Log entry.

DPA’s Analysis Engine provides a pre-emptive method of detecting anomalies based on predefined rules and sends alerts immediately. This is more effective than reporting, as reports are sent at scheduled intervals and an operator must review them. In case of a cyberattack, we want to be informed as soon as the threat is detected.

This proactive approach to anomaly detection is a form of information security management that focuses on anticipating and preventing potential threats by analyzing backup appliance activity. It is a strategy that includes the following:

    • Identifying potential threats
    • Preventing attacks before they happen
    • Detecting attacks as soon as possible
    • Responding to attacks in an appropriate way

Here are a few examples of useful rules you can implement right now to detect anomalies and possible cyberthreats.

Cyber Attack Vector: Ransomware

In Data Protection Advisor’s deduplication environment, metrics are collected regarding the “size” of a given backup job (i.e., the amount of data sent for backup after deduplication) and “size scanned” (i.e., the amount of data before deduplication). Typical ransomware or malware attacks produce a fair amount of unique, encrypted data, which deduplicates poorly. Therefore, an increase in or deviation of a job’s size from that job’s historical two-week average may indicate encryption at play. Setting alerts to flag such increases can warn administrators of possible malicious code. As a start, we can use this rule to detect a 50% increase in the current job compared to its two-week historical size and trigger an alert. If necessary, both the time frame of the average and the percentage of deviation can be customized when the rule is assigned, based on your specific needs.
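The rule described above, implemented as an added example (not Dell DPA code): compare a job’s post-deduplication size with its trailing two-week average and alert on a configurable percentage deviation. The `JobRun` record, the field names `size` and `size_scanned`, and the sample history are assumptions constructed for this example; the deduplication ratio is reported as a secondary signal derived from the same two metrics.

```python
"""Added example (not Dell DPA code): the two-week size-deviation rule.

Assumes each backup job run is recorded with a post-deduplication
'size' and a pre-deduplication 'size_scanned', both in bytes, as the
article describes; the record layout and field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class JobRun:
    day: date
    size: int          # bytes sent after deduplication
    size_scanned: int  # bytes scanned before deduplication

def baseline_average(history, today, window_days=14):
    """Mean post-dedup size over the trailing window, excluding today."""
    start = today - timedelta(days=window_days)
    sizes = [r.size for r in history if start <= r.day < today]
    return sum(sizes) / len(sizes) if sizes else None

def evaluate_rule(history, current, window_days=14, threshold_pct=50.0):
    """Return (alert, deviation_pct, dedup_ratio) for the current run.

    alert is True when the current post-dedup size exceeds the trailing
    average by more than threshold_pct. dedup_ratio (scanned/size) is a
    secondary signal: encrypted data is unique, so a ransomware-affected
    run typically shows a ratio close to 1.0 instead of the usual figure.
    """
    avg = baseline_average(history, current.day, window_days)
    if avg is None or avg == 0:
        return False, None, None  # no baseline yet: do not alert
    deviation = (current.size - avg) / avg * 100.0
    ratio = current.size_scanned / current.size if current.size else float("inf")
    return deviation > threshold_pct, round(deviation, 1), round(ratio, 2)

# Constructed sample: 14 days of a well-deduplicating job, then today's run.
GiB = 1024 ** 3
HISTORY = [JobRun(date(2024, 3, 1) + timedelta(days=i), 10 * GiB, 200 * GiB)
           for i in range(14)]
NORMAL_TODAY = JobRun(date(2024, 3, 15), 11 * GiB, 205 * GiB)    # +10%
SUSPECT_TODAY = JobRun(date(2024, 3, 15), 150 * GiB, 200 * GiB)  # +1400%

if __name__ == "__main__":
    for run in (NORMAL_TODAY, SUSPECT_TODAY):
        alert, dev, ratio = evaluate_rule(HISTORY, run)
        print(f"{run.day}: size={run.size // GiB} GiB dev={dev}% "
              f"dedup={ratio}:1 alert={alert}")
```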

Cyber Attack Vector: Insider Attack or Remote Execution

During an internal malicious attack or a similar attack using remote execution, a malicious actor would most likely make configuration changes to the backup application (e.g., disabling backups, disabling schedules, disabling workflows or shutting down the server).

Data Protection Advisor can detect changes to a backup application’s configuration – a capability typically used for change management – but it can also be used as a means to detect foul play or human error.

Data Protection Advisor’s Analysis Engine can trigger an alert when it detects configuration changes. By default, Data Protection Advisor collects configuration data from the backup application twice a day; this interval is customizable.
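An added example (not Dell DPA code) of the configuration-change rule described above: diff two collected snapshots and classify changes that match the disable/shutdown actions mentioned in this section as high severity, while ordinary tuning is reported as a change-management event. The snapshot layout (component to settings mapping), the setting names and the sample snapshots are assumptions constructed for this example.

```python
"""Added example (not Dell DPA code): flag security-relevant changes between
two configuration snapshots, as a configuration-change rule might.

The snapshot layout (dict of component -> settings) and the field names
are assumptions for this example, not the product's data model.
"""

# (component, setting) -> the value that reflects the disable/shutdown
# actions the article describes. Any other change is routine.
HIGH_RISK = {
    ("backups", "enabled"): False,
    ("schedule", "enabled"): False,
    ("workflow", "enabled"): False,
    ("server", "state"): "stopped",
}

def diff_snapshots(previous, current):
    """Return (component, setting, old, new, severity) for every change.

    A setting that disappears entirely (new is None) is treated as high
    severity too, since removing a component is another way to disable it.
    """
    findings = []
    for component in sorted(set(previous) | set(current)):
        old_cfg, new_cfg = previous.get(component, {}), current.get(component, {})
        for key in sorted(set(old_cfg) | set(new_cfg)):
            old, new = old_cfg.get(key), new_cfg.get(key)
            if old == new:
                continue
            risky = HIGH_RISK.get((component, key))
            high = (risky is not None and new == risky) or new is None
            findings.append((component, key, old, new, "high" if high else "info"))
    return findings

def needs_alert(findings):
    """True when at least one change is classified high severity."""
    return any(severity == "high" for *_, severity in findings)

# Constructed snapshots: the morning collection versus the afternoon one.
MORNING = {
    "backups": {"enabled": True, "retention_days": 30},
    "schedule": {"enabled": True, "cron": "0 1 * * *"},
    "workflow": {"enabled": True},
    "server": {"state": "running"},
}
AFTERNOON = {
    "backups": {"enabled": True, "retention_days": 35},   # routine tuning
    "schedule": {"enabled": False, "cron": "0 1 * * *"},  # schedule disabled
    "server": {"state": "running"},                       # workflow removed
}

if __name__ == "__main__":
    for finding in diff_snapshots(MORNING, AFTERNOON):
        print(finding)
```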

These are some of the many rules available in Data Protection Advisor that you can leverage out of the box. By enabling them in the Analysis Engine, you can become proactive in detecting environment anomalies and identifying threats effectively. To learn more about useful Analysis Engine rules and policies for your organization, please refer to the Dell Data Protection solutions site and the Data Protection Advisor data sheet.

About the Author: Sonali Dwivedi

Sonali Dwivedi is a technology- and goal-oriented product manager with 12 years of IT experience in various fields, including data protection, storage, virtualization, big data, cyber security and data analytics. She has been a part of Dell Technologies since 2013 and currently functions as the Product Manager for Data Protection Advisor and PowerProtect Data Manager’s reporting functionality. She is passionate about learning emerging technologies and helping people and organizations achieve their goals with the use of technology.