This video highlights anomaly detection for PowerStore snapshots in the PowerProtect Data Manager 20.1 release. Our mission focuses on security and resilience. A key part of this is ensuring unified data center resilience for both production and backup storage. This approach keeps resilience consistent across the entire data center, making it easier to manage snapshots and backups while boosting defenses.
Cyber resiliency must be integrated wherever critical data is managed. With PowerProtect Data Manager anomaly detection support for PowerStore snapshots, we provide a unified, reliable, and consistent cyber resilience experience. Anomaly detection with PowerProtect Data Manager provides a robust layer of security by offering early detection of anomalies from every backup. This means one can gain immediate insights into potential security threats, allowing issues to be addressed proactively. Now, how does it achieve this? The software uses proactive machine learning to continuously analyze patterns within the backup data environment. This helps identify suspicious activity as it arises, securing the IT environment from threats before they have the chance to escalate.
One significant advantage is the lightweight nature of its detection process. It operates seamlessly within the existing infrastructure of PowerProtect Data Manager. This ensures on-premises detection is both efficient and resource-conscious, allowing optimal system performance. Additionally, the comprehensive evaluation ensures the integrity of the backup data by identifying anomalies quickly. PowerProtect Data Manager empowers you to act before challenges become significant issues. Anomaly detection enhances the security and integrity of the data environment with PowerProtect Data Manager. By leveraging advanced machine learning, anomaly detection offers proactive security that identifies cyber threats in the protection backup environment. This capability ensures early threat detection by scanning metadata after backup completion to provide immediate insights into potential risks without any additional licensing cost. Here's how it works. It uses detection techniques such as pattern matching, which leverages Dell's extensive library to recognize known ransomware indicators. This method scans backup metadata to identify suspicious file names, paths, and extensions, prioritizing alerts based on severity.
Next is behavior analysis. This takes a closer look at the backup file metadata, evaluating details like name, modified time, and created time. By applying a time series model with moving averages, this approach helps detect anomalies that might signify a ransomware attack, even those not covered by pattern matching. The next technique is system configuration analysis. It scans system settings during the backup process to pinpoint vulnerabilities that could be exploited. It currently supports Windows systems, checking for common issues and identifying known configuration weaknesses along with specific ransomware-related settings to enhance overall security. These techniques provide fast detection and enable immediate responses, allowing organizations to address threats before they escalate. PowerProtect Data Manager is therefore empowered to protect valuable data seamlessly, fostering a resilient and secure business environment. In the 20.1 release, PowerProtect Data Manager introduces support for PowerStore snapshots, which deliver integrated resilience across snapshots, backup, and storage direct workflows. With anomaly detection now extended to PowerStore snapshots, PowerProtect Data Manager provides unified and consistent resilience management for both primary and backup data, all while reducing tool complexity through a common resilience plane and shared anomaly detection services. Note: anomaly detection for PowerStore snapshots is supported only for PowerProtect Data Manager at this time.
Anomaly detection on PowerStore block volume snapshot copies allows detection of ransomware patterns, behavioral and system configuration anomalies. Supported scope is listed over here. It does support PowerStore snapshot copies and Fibre Channel protocol only at this time. Here are a few of the limitations that need to be considered while configuring anomaly detection for PowerStore snapshots. Also, the key prerequisite is to have Fibre Channel zoning configured between the PowerStore array and the ESXi cluster hosting the search nodes. After prerequisites, we first enable the PowerStore asset source and then add the PowerStore asset by providing details such as the name, address, certificate verification, credentials, and asset type selection as PowerStore block. PowerStore is now added as an asset source. Before creating the protection policy, we begin by initiating the creation of the anomaly detection rule.
Every environment evolves, so anomaly detection needs to be tuned accordingly. From the anomaly detection landing page under the settings tab, we initiate the default rule creation. At this stage, there are no policies associated with the rule. A default rule framework allows fine-tuning of anomaly detection parameters like detection mechanism, sensitivity, file patterns, exclusion, and more to reduce noise for all assets globally with a single rule. When we create the protection policy, we can select this rule so that anomaly detection parameters can be fine-tuned as per the environment. We'll create the protection policy by selecting the type as PowerStore block and choosing the assets to be protected. We then schedule the snapshot creation. Enable anomaly detection from this page. And since only one anomaly detection rule exists, it is selected by default while creating the policy. Once the protection policy is ready and the protection job runs, three jobs are triggered: backup, indexing, and anomaly detection. Since anomaly detection completed with exceptions, we can click on the job ID for details. Here we see that suspected files were found and anomaly detection completed with exceptions. We can view the impacted copy by selecting view copy. This takes us to the anomaly detection landing page where we can analyze the impacted copy by generating and downloading the report and reviewing the impacted data.
After downloading, we can open the suspected file list and review the columns to understand what each represents, enabling an informed decision on whether to mark the copy as safe or quarantined. We can also view the impacted assets and select them to configure exclusions for tuning anomaly detection parameters. By choosing the configuration options, we can either apply the anomaly detection rule parameters or tune asset-specific parameters as required. We can include or exclude file patterns, adjust the detection mechanism, or modify the sensitivity. All such parameters can be fine-tuned. We can also view impacted copies from the assets and review all copies from this page. If needed, we can restore from the last clean copy directly from this landing page.
If you have just logged into PowerProtect Data Manager and see that anomaly alerts have triggered in the anomaly alerts widget, you can drill down into the alert count to view the anomaly detection alerts. From here, you can check the alert details and navigate to the impacted copy by clicking on view copy. This again takes you to the anomaly detection landing page where you can analyze the copy, generate and download the report, and make an informed decision about marking the copy as safe or quarantined. You can also review impacted assets, view all copies, and restore from this page. This is the same landing page we saw earlier, and all previously discussed actions are available here. In the settings tab, the default rule now shows the associated protection policy where anomaly detection is enabled. Policies can be edited or cloned. While editing, anomaly detection parameters can be tuned as required. Under the option section, quiet mode can be enabled by setting the duration during which alerts are suppressed. This is useful during planned maintenance or major changes, helping temporarily reduce alert noise while retaining full tracking capability. Quiet mode supports configurable start and end dates, making it easy to schedule around migrations or patch windows.
Anomalies found during quiet mode are still tracked under analysis and shown in reports, but alerts remain suppressed. That's how the anomaly detection rule operates with quiet mode enabled. We can also create custom rules from this page to tune parameters for a set of protection policies having anomaly detection enabled. These capabilities make anomaly detection more configurable, predictable, and operationally aligned. In summary, with anomaly detection extended to PowerStore snapshots, PowerProtect Data Manager strengthens unified and proactive cyber resilience.
These capabilities help detect risks early, safeguard critical data, and maintain a secure environment across snapshots, backup, and storage direct workflows. And that's how with the anomaly detection feature in PowerProtect Data Manager, one can have peace of mind knowing that potential threats are addressed before they impact the organization. Overall, anomaly detection enhances the ability to maintain business continuity and secure data from potential breaches or ransomware attacks, empowering resilience and supporting organizational success. Thank you all for watching.