IBM FlashSystem Anomaly Detection Guide

The document outlines IBM's approach to data resilience, emphasizing the importance of secure data protection, discovery, and recovery from cyber threats. It highlights the increasing frequency of cyber attacks, particularly ransomware, and the need for rapid recovery solutions to minimize business impact. Key strategies include automation, threat detection, and the integration of security measures to ensure data integrity and operational continuity.

IBM STORAGE FOR DATA RESILIENCE - PROTECTION, DISCOVERY, RECOVERY

Yang How TUNG
ASEAN Storage Technical Specialist
tungyh@[Link]
Impact timeline

[Figure: attack timeline. ATTACK at time zero; DETECT in seconds, minutes or hours; RESPOND in 1, 2 or 3 days; RECOVER in 10 hours, 1 week, 2 weeks or, on average, 23 days.]

Without Data Resilience

[Figure: production workloads and their snapshots across a working day (6:00 to 18:00). Once the attack lands, all production workloads are stopped and corrupt, the backup is hit as well, and there is nothing to recover from. Cyber security alone does not close this gap.]

Copyright © 2024 IBM
Active Threats - Data Encryption/Destruction over time (24 hours)

[Chart: capacity encrypted or destroyed (y axis 1TB to 2.5PB) against time in hours (x axis 1 to 24). An unchecked attack reaches the full 2.5PB of data within 24 hours.]

Recovery speed AND the amount of data to be recovered are crucial to business recovery.
Data Resiliency is like strength training: it takes building muscle and team work.

Steps, from the foundation up (IBM Storage):
• Foundational Security
• Preparation: secure immutable copies
• Early threat detection: discover threats
• Safe recovery and rapid recovery
• SOC integration
• Automation

Source: IBM Institute for Business Value © 2023 IBM Corporation
Steps to Data Resilience

01 SECURITY & DATA PROTECTION
   Predict, prevent, and respond; SOC integration; protect from infrastructure failures and natural disasters.
   2.5x increase in attacks. $5m estimated average annual cost of a cyber attack in 2024.

02 IMMUTABILITY
   Recoverable data points: incorruptible, data cannot be deleted.
   49% of cyber attacks are ransomware (24%) or destructive (25%).

03 DISCOVERY
   Find active threats; find and prevent dormant threats.
   43% of incidents involved deployment of malware, and 20% of incidents involve ransomware. 66% of breaches were not identified by the organization's internal security teams and tools.

04 RECOVERY
   Rapid operational recovery in seconds, minutes, hours; avoid paying ransoms.
   23 days average recovery after a ransomware attack. 85% were not able to fully restore data from backup after an attack.

05 AUTOMATION & TESTING
   Simplified operations plus the ability to test and prove recoverability; integration between cyber security and cyber resiliency.
   <1% of data is tested for recovery by businesses. 93% of businesses report a shortage of technology skills.
Operational resilience priorities

Minimum Viable Company: the critical workloads that are making the business money every second of the day.
Full Company Recovery: all workloads, including non-critical workloads for the back office etc.

[Figure: critical workloads are recovered first, non-critical workloads later; the trade-off is weighed against regulatory compliance, risk mitigation, cost and forensic analysis.]
Data Encryption/Destruction over time (24 hours) - A Breakthrough in Cyber Security

[Chart: the same curve of capacity encrypted or destroyed (1TB to 2.5PB) against time in hours (1 to 24), with the ACTIVE THREAT marked in the first hour.]

Recovery speed AND the amount of data to be recovered are crucial to business recovery.

What if you knew the problem here? Discover in <1 min, with only 1.7TB impacted.
Threat detection (Step 3: Discovery)

Are YOU finding your malware?

IBM Defender Sensors
- Detects anomalies on a live system by analyzing attack patterns against file metadata and deep file analysis

Inline Data Corruption Detection
- Provides entropy-based anomaly detection
- Occurs at the array level through the array software

Primary Storage: Anomaly Detection
- Application-aware anomaly scanning of immutable hardware snapshots (Safeguarded Copies, SGCs)
- Notifies of anomalies and finds the latest clean snapshot (the latest snapshot without an anomaly)

Backup Storage: Anomaly Detection
- Leverages AI and ML to identify anomalies in the size of data written and in data reduction rates (dedup and compression)

Isolated Environment: Malware Scan
- Scans mounted data for known malicious files and executables
- Provides the ability to clean or quarantine found malware
Prevent and minimize operational impacts

[Figure: the attack timeline again, with a control at each stage. PREVENTION: detect dormant threats before they become active. DETECT: active threats, in seconds or minutes. RESPOND: automation, in hours. RECOVER: minimized, 10 hours rather than 1 to 2 weeks or the 23-day average.]

With IBM Data Resilience: disruption avoided, or minimised with rapid recovery

[Figure: production workloads across the day (6:00 to 18:00) alongside secure immutable copies, discovery scanning and a clean room. Flow: inline data corruption detection and metadata / machine-learning corruption detection -> QRadar SOAR playbook -> request action -> isolate workload -> deep scan in the clean room -> recover a clean copy, restoring the Minimum Viable Company first. The backup stays intact.]
Why IBM is the right choice

Open Platform and Open Architecture: on premises and public cloud, IBM-unique capabilities, and end-to-end cyber capability through IBM plus its ecosystem.

IBM Cyber Security (Secure: prevent business impacts)
• Predict attacks
• Cyber-attack prevention
• Respond to cyber-attacks

IBM Data Resilience (Resilient: minimize business impacts)
• Protect data
• Threat discovery
• Accelerated recovery
Integrated Ransomware Detection
New IDCD (Inline Data Corruption Detection) within Storage Virtualize

Workload anomaly alerts in 2Q23

• Using the FlashSystem controller CPU, entropy is calculated on incoming write I/Os and the statistics are sent to Storage Insights.
• Entropy is used to detect highly random data, such as the encrypted data written in by ransomware.

Entropy
• Entropy is calculated (byte by byte) in the write cache destage, but it is computationally intensive.
• To reduce the performance impact, it is sampled: 1 in every 100 IOs.

Compression
• Compressibility of the written data is the second statistic.
Characteristics found in IO traces from ransomware

• Malware such as ransomware attacks can be detected from storage IO patterns and data analysis
• Example "WannaCry":
  [Chart: entropy of the encrypted payload (avg, max, min) on a scale from 0.0 (low) to 8.0 (high), before and after the attack; read and write IOPS over the same period.]
  28.04 % of data modified after the attack

© 2024 IBM Corporation - IO activity of ransomware
Under embargo until announce, Feb 28th
How statistics will be used

[Chart: a time window comparing normal traffic with ransomware traffic. Drive-level compressibility stays high for normal IO and collapses for encrypted IO; the entropy of incoming writes sits around 5 for normal IO and around 8 for encrypted IO. A high average entropy across the window is the alert signal.]
Ransomware Monitoring Architectural Overview (2Q23 / 3Q23)

• Production workload -> IBM Storage Virtualize: statistic collection, trends / summary
• Data and trends -> IBM Support (2Q23); customer facing in 3Q23 through Storage Insights Pro, which shows the real-time workload anomaly alert
• External tools (QRadar / Defender): responses / actions
FCM4 (FlashCore Module 4) - Important Sales Info

FCM4 planned GA: March 8th, 2024
FCM3 planned withdrawal: March 29th, 2024
FCM4 as a Drive

FCM4 is PCIe 4.0 across all drive sizes (FCM3 was PCIe 3.0 for S/M and PCIe 4.0 for L/XL).

FCM4 is supported in FlashSystem 5200*, FlashSystem 7300* and FlashSystem 9500 (* PCIe 3.0 auto-negotiation).

FCM4 is transparently compatible with FCM3 for existing systems:
• Able to extend current FCM3 DRAIDs
• Able to run as an additional pool
• Already usable as FCM3 field replacements
FCM4 Endurance

FCM4 is officially rated for 1 DWPD for 7 years (the traditional DWPD measure is 5 years). The market now measures on Total Bytes Written; IBM puts the emphasis on usable capacity, which benefits directly from data reduction.

FCM4 Model   Usable capacity   Total Bytes Written   At 2:1 compression
Small        4.8 TBu           12.2 PBu              24 PBe
Medium       9.6 TBu           24.5 PBu              49 PBe
Large        19.2 TBu          49.0 PBu              98 PBe
XLarge       38.4 TBu          98.1 PBu              196 PBe

At 1:1 (no compression) FCM4 is at 5K erase cycles on the NAND, versus standard 176-layer QLC at 300 cycles. Because endurance is wear-levelled, using less usable capacity results in higher endurance at the drive level (adding capacity = adding endurance).
FCM4 leverages Quantum Safe Cryptography

Reminder: starting with IBM Storage Virtualize v8.6.2+

• Data at rest is AES-256 encrypted (just like FCM 1 & 2 before)
• Security PINs are sent to the drive in encrypted form over the PCI bus with SKP (Secure Key Passing)
  • FCM3: RSA public key cryptography
  • FCM4: RSA and CRYSTALS-Kyber cryptography
  • Secure Key Passing (SKP) data is encrypted twice, once by each cipher (a hybrid construction: the PIN stays protected unless both RSA and Kyber are broken)
  • CRYSTALS-Kyber is a Quantum Safe Cryptography (QSC) algorithm
• Reminder: v8.6.2 also has Extent Aware Rebuilds
End-to-End Data Resiliency with IBM Storage

The value of your data should be continually safeguarded.

▪ Q: Can your array detect threats before they happen? IBM FlashSystem can, and it keeps on getting better.
▪ Only IBM FlashSystem offers cyber threat awareness, defense, detection, response, and recovery.
▪ IBM FlashSystem is designed to ensure your data is accessible and secure. That's why we continuously innovate to create the most robust storage solutions.

IBM is developing technology not just to recover from attacks (Safeguarded Copy (SGC), the cyber resilience feature) but to detect them early.

IBM released the inline corruption detection capability in 2Q 2023:
• Entropy and compressibility statistics are sent back to the cloud-based Storage Insights (SI).
• SI looks for trends and will send alerts if anomalous behavior is discovered.

But how do you detect ransomware?

Detection by    Threat signature       Sample hash comparison
                Data behavior signals  Block-level monitoring for anomalies
                Network signals        Network-level monitoring for anomalies
Ransomware Threat Detection with FCM4: Requirements

• Pool must contain ONLY FCM4s, updated to firmware v4.1
• Pool must be created with v8.6.2+
• Only a single FCM DRAID in the pool (pre-existing requirement)
• DRAID6
• Storage Insights Pro alerting
• 128GB+ RAM per node
• Standard pools only (fully allocated in a DRP is also OK)
FCM4 and Ransomware Detection

• FCM4 calculates entropy (an estimate of randomness) and the change in compression on every IOP
• FCM4 keeps statistics on each IOP such as block size, LBA and Rd
• FCM4 has 2 small RISC cores that process all this information
• All this information is statistically summarized into a relatively small amount of information per volume
• These summaries are passed every 2 seconds to an inference engine in Storage Virtualize

IBM & Partner Confidential
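As an added example (not IBM's code and not the Storage Virtualize inference engine), the following Python sketches the mechanism the IDCD, "How statistics will be used" and FCM4 slides describe: byte-by-byte entropy and compressibility measured on sampled writes, summarized per volume in 2-second windows, a high-average window raising the alert, and the alert time then used to pick the latest clean snapshot, as the primary-storage anomaly detection slide describes. The thresholds (7.5 bits/byte, compression ratio 1.1), the window and sampling constants, the SHAKE256 stand-in for ciphertext and the write trace are all assumptions constructed for the example.

```python
"""Entropy + compressibility anomaly detector over a block write trace.

Added example, not IBM's code. Mimics the mechanism on the slides: entropy and
compressibility on sampled writes, per-volume summaries every 2 seconds, alert
on a high-average window, then choose the latest clean snapshot.
"""
import hashlib
import math
import zlib
from collections import defaultdict

SAMPLE_EVERY = 100       # slide: 1 in every 100 IOs is measured (1 models the FCM4 per-IOP statistics)
WINDOW_SECONDS = 2       # slide: summaries every 2 seconds
ENTROPY_ALERT = 7.5      # assumed: bits/byte; AES output sits near 8.0, text near 4 to 5
RATIO_ALERT = 1.1        # assumed: raw/compressed below this means the data no longer reduces


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte, computed byte by byte."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compression_ratio(buf: bytes) -> float:
    """Raw size / deflate size; about 1.0 or below means incompressible."""
    return len(buf) / max(1, len(zlib.compress(buf, 6)))


def summarize(writes):
    """writes: iterable of (t_seconds, volume, payload) in time order.

    Returns {(volume, window): {"entropy": avg, "ratio": avg, "sampled": n, "ios": n}}.
    """
    acc = defaultdict(lambda: {"e": 0.0, "r": 0.0, "sampled": 0, "ios": 0})
    seen = defaultdict(int)                 # per-volume IO counter drives the sampling
    for t, vol, payload in writes:
        s = acc[(vol, int(t // WINDOW_SECONDS))]
        s["ios"] += 1
        if seen[vol] % SAMPLE_EVERY == 0:   # only the sampled IO pays for the math
            s["e"] += shannon_entropy(payload)
            s["r"] += compression_ratio(payload)
            s["sampled"] += 1
        seen[vol] += 1
    return {k: {"entropy": s["e"] / s["sampled"], "ratio": s["r"] / s["sampled"],
                "sampled": s["sampled"], "ios": s["ios"]}
            for k, s in acc.items() if s["sampled"]}


def detect(summaries):
    """Windows whose average sampled write is both high-entropy and incompressible."""
    return sorted(k for k, s in summaries.items()
                  if s["entropy"] >= ENTROPY_ALERT and s["ratio"] <= RATIO_ALERT)


def latest_clean_snapshot(snapshots, volume, alerts):
    """snapshots: [(t_seconds, name)] for `volume`. Returns the newest snapshot taken
    before the first anomalous window started (the newest overall if there is no alert)."""
    bad = [w for v, w in alerts if v == volume]
    cutoff = min(bad) * WINDOW_SECONDS if bad else math.inf
    clean = [(t, name) for t, name in snapshots if t < cutoff]
    return max(clean)[1] if clean else None


# ---- constructed trace: 5 clean 2-second windows, then 3 windows of encrypted writes ----
LOG_LINE = b"2024-03-08T06:00:00Z host=db01 app=payments status=ok latency_ms=12\n"


def fake_plaintext(n, size=4096):
    """Stand-in for normal application writes: repetitive text records."""
    line = LOG_LINE.replace(b"12\n", b"%d\n" % (n % 97))
    return (line * (size // len(line) + 1))[:size]


def fake_ciphertext(n, size=4096):
    """Stand-in for ransomware output: a SHAKE256 stream is indistinguishable from AES output here."""
    return hashlib.shake_256(n.to_bytes(8, "big")).digest(size)


def build_trace(volume="vol_payments", rate=500, clean_windows=5, encrypted_windows=3):
    writes = []
    for n in range((clean_windows + encrypted_windows) * WINDOW_SECONDS * rate):
        t = n / rate
        encrypted = t >= clean_windows * WINDOW_SECONDS
        writes.append((t, volume, fake_ciphertext(n) if encrypted else fake_plaintext(n)))
    return writes


SNAPSHOTS = [(0.0, "sgc-0s"), (4.0, "sgc-4s"), (8.0, "sgc-8s"), (12.0, "sgc-12s")]  # constructed


if __name__ == "__main__":
    summaries = summarize(build_trace())
    alerts = detect(summaries)
    for vol, w in alerts:
        s = summaries[(vol, w)]
        print(f"{vol} window {w} (t={w * WINDOW_SECONDS}s): entropy {s['entropy']:.2f} ratio {s['ratio']:.2f}")
    print("latest clean snapshot:", latest_clean_snapshot(SNAPSHOTS, "vol_payments", alerts))
```

Two design points matter in practice. Entropy and compressibility are checked together because either alone misfires: already-compressed media is high-entropy but was high-entropy yesterday too, and a volume with host-side encryption (database TDE, encrypted backups landing on the array) looks like ransomware output all the time. That is why the slides talk about trends and learned behaviour per volume rather than a fixed cut-off; the absolute thresholds above are only a stand-in for that baseline. The snapshot selection also assumes snapshot timestamps and IO timestamps share a clock; an immutable copy taken during the first anomalous window must be treated as suspect, not clean.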
FlashSystem ransomware detection conceptual model

[Diagram, bottom to top. FCM 1 ... FCM N: the words in each page feed a circular buffer, an entropy calculator and a compression (CMP) summarizer per module. The summaries pass through the DRAID / LB layer into Storage Virtualize, where a stats collector (CCH and others) feeds an aggregator and the anomaly detector ("The Revealer", the inference engine); from there SI stats go to IBM Support and a ransomware-detect alert is raised. A note on the slide: sending and receiving data from IBM security products is probably too much of a stretch for 4Q.]
Cyber Attacks: Similar IO Access Sequences

Three access patterns, as sequences of file operations:

EXFILTRATE
  File: Open -> Read -> Delete -> Close

READ / ENCRYPT / DELETE
  File: Open -> Read -> Close
  File (locked): Open -> Write (encrypted) -> Close
  File: Open -> Delete -> Close

READ / ENCRYPT / OVERWRITE
  File: Open -> Read -> Close
  File (locked): Open -> Write (encrypted) -> Close
  File: Open -> Read -> Write (encrypted) -> Close
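The three columns above are sequences that a file-level sensor (the Defender-style sensor on the threat detection slide) can match without looking at payloads, provided it knows which writes were high-entropy. As an added example, not IBM's code, the Python below classifies per-file operation sequences from a constructed trace into those three patterns and raises a process-level verdict. It assumes a trace of (time, pid, path, op, write_entropy) with the per-write entropy already measured by the block layer; the 7.5 bits/byte threshold, the three-file alert threshold and the trace itself are assumptions.

```python
"""Classify per-file I/O sequences into the access patterns on the slide.

Added example, not IBM's code. Input is a file-level trace
(t, pid, path, op, write_entropy); the entropy is assumed to come from the
block-level statistics. The trace below is constructed.
"""
from collections import defaultdict

ENCRYPTED_ENTROPY = 7.5     # assumed: bits/byte at or above which a write counts as encrypted
MIN_FILES_FOR_ALERT = 3     # assumed: one encrypted file is a false-positive risk, several are not


def _is_encrypted(op, ent):
    return op == "write" and ent is not None and ent >= ENCRYPTED_ENTROPY


def classify_process(events):
    """events: [(t, pid, path, op, entropy)] for ONE pid, in time order.

    Returns {path: pattern} for each file whose sequence matches a slide column:
      read-encrypt-overwrite  read ... write(encrypted) on the same file
      read-encrypt-delete     read of A, encrypted write to a NEW file, delete of A
      read-delete             read then delete with no encrypted write (the EXFILTRATE
                              column; storage alone cannot see the network leg)
    """
    per_file = defaultdict(list)
    for t, _pid, path, op, ent in events:
        per_file[path].append((t, op, ent))

    # Files that received an encrypted write before ever being read: the ".locked" copies.
    new_encrypted = []
    for path, ops in per_file.items():
        seen_read = False
        for t, op, ent in ops:
            seen_read |= op == "read"
            if _is_encrypted(op, ent) and not seen_read:
                new_encrypted.append((t, path))
                break

    patterns = {}
    for path, ops in per_file.items():
        reads = [t for t, op, _ in ops if op == "read"]
        if not reads:
            continue
        first_read = reads[0]
        enc_writes = [t for t, op, ent in ops if _is_encrypted(op, ent)]
        deletes = [t for t, op, _ in ops if op == "delete"]
        if enc_writes and enc_writes[-1] > first_read:
            patterns[path] = "read-encrypt-overwrite"
        elif deletes and deletes[-1] > first_read:
            between = any(first_read <= tw <= deletes[-1] and p != path for tw, p in new_encrypted)
            patterns[path] = "read-encrypt-delete" if between else "read-delete"
    return patterns


def verdict(trace):
    """trace: events for any number of pids. Returns {pid: (label, {path: pattern})}."""
    by_pid = defaultdict(list)
    for ev in sorted(trace, key=lambda e: e[0]):
        by_pid[ev[1]].append(ev)
    out = {}
    for pid, events in by_pid.items():
        pats = classify_process(events)
        encrypting = sum(p.startswith("read-encrypt") for p in pats.values())
        label = ("ransomware-suspected" if encrypting >= MIN_FILES_FOR_ALERT
                 else "suspicious" if pats else "normal")
        out[pid] = (label, pats)
    return out


def build_trace():
    """Constructed trace: one encrypting process, one normal logger, one read-and-delete."""
    ev, t = [], 0.0
    for name in ("a.doc", "b.xls", "c.pdf"):          # READ / ENCRYPT / DELETE columns
        src, dst = f"/data/{name}", f"/data/{name}.locked"
        ev += [(t + 0.0, 4242, src, "open", None), (t + 0.1, 4242, src, "read", None),
               (t + 0.2, 4242, src, "close", None),
               (t + 0.3, 4242, dst, "open", None), (t + 0.4, 4242, dst, "write", 7.96),
               (t + 0.5, 4242, dst, "close", None),
               (t + 0.6, 4242, src, "open", None), (t + 0.7, 4242, src, "delete", None),
               (t + 0.8, 4242, src, "close", None)]
        t += 1.0
    ev += [(t, 4242, "/data/d.txt", "open", None), (t + 0.1, 4242, "/data/d.txt", "read", None),
           (t + 0.2, 4242, "/data/d.txt", "write", 7.91), (t + 0.3, 4242, "/data/d.txt", "close", None)]
    ev += [(t + 1.0, 1001, "/var/log/app.log", "open", None),              # normal compressible append
           (t + 1.1, 1001, "/var/log/app.log", "write", 4.3),
           (t + 1.2, 1001, "/var/log/app.log", "close", None)]
    ev += [(t + 2.0, 7777, "/data/secret.db", "open", None),               # EXFILTRATE column
           (t + 2.1, 7777, "/data/secret.db", "read", None),
           (t + 2.2, 7777, "/data/secret.db", "delete", None),
           (t + 2.3, 7777, "/data/secret.db", "close", None)]
    return ev


if __name__ == "__main__":
    for pid, (label, pats) in sorted(verdict(build_trace()).items()):
        print(pid, label, pats)
```

The read-delete pattern deliberately stays at "suspicious": a backup job that stages and then removes files produces the same storage-side sequence, and only the network signal from the detection table above can turn it into exfiltration. Likewise a single read-encrypt-overwrite is what a legitimate encryption tool does to one file, which is why the verdict counts files per process rather than reacting to the first hit.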
FCM4 RTD In-flight Checksum & Tags

Data originally carried a standard T10 DIF PI scheme: Guard CRC + Application ID (RAID) + geometry reference.

Now all I/Os are passed as volume-aware: the 8-byte TAG carries Guard CRC + Volume ID + LBA of the VDisk, and it stays with the data down through Pool -> DRAID -> drive.

• Preserves the in-flight data checksum of NVMe
• No additional structures or bandwidth costs
• XOR-aware
• Data is preserved across rebuilds/expansions
• System I/O does not invalidate host I/O tagging
37
Ransomware Monitoring Architectural Overview

Brought to you by IBM Research, IBM Storage Virtualize, IBM FlashCore and IBM Storage Insights Pro.

• IBM FlashCore Modules: granular data analytics, volume statistics
• IBM Storage Virtualize: inferencing engine that learns from the data; responses / actions, e.g. create an SGC snap to limit the scope of the attack
• IBM Storage Insights: trends / summary, data and trends, shown in real time
• External tools (QRadar SOAR / Defender): responses / actions
IBM Cyber Resiliency Assessment

Workshop includes:
• Two-hour virtual consulting workshop with IBM Storage, Security, & Resiliency SMEs
• Assessment probes over 100 different controls across 23 key categories from a cyber resilience standpoint
• Delivered using a technology / vendor neutral framework
• Audience: IT Director / Storage Management teams + a member of the client security team

Engagement flow:
1. Project kickoff: phone call to identify participants & customize the agenda (typically 1 hour)
2. Engagement: exploratory session / maturity workshop (typically 2 hours)
3. Design: client cyber resilience POV analysis, final report & presentation, sample deliverables (2-5 days)
4. Implementation: prioritize & implement suggested improvements across the storage & resiliency enterprise (1-12+ months depending on output)

Client outcomes:
• Identification of blind spots and recommended areas for improvement
• Discovery of the utilization of various existing solutions, integrations and overlaps that can be fine-tuned
• Customized cyber resilience strategy fitting the client's vision & mission

Deliverables:
• Detailed assessment report
• Management presentation
• Prioritized list of recommended improvements & considerations

Assess your risk and architect steps to protect your business ([Link])

• IBM or BP led assessment

• Evaluate your current cyber resilience posture

• Based on the NIST Cybersecurity Framework

• Includes your storage, security, and infrastructure teams

▪ Vendor agnostic evaluation

▪ Identify strengths and weaknesses

▪ Provides recommendations to strengthen cyber resilience

▪ IBM FUNDED

You might also like