This article is more than 1 year old

Let's take a closer look at these claims of anti-ransomware SSDs

Inevitably, there's AI involved. Could it work?

A security company is claiming to have developed a flash drive with built-in ransomware prevention support that can protect any data stored on it against being stolen or encrypted by malware.

We're pretty sure we've heard claims of this sort of thing before, so we took a closer look at this latest stuff.

The Cigent Secure SSD+ has an on-board processor that uses machine learning algorithms to constantly monitor disk accesses and will step in to block access if it detects ransomware activity, we're told.

Cigent also claims this differs from existing approaches to combating ransomware by providing organizations with a preventative solution rather than tackling an attack that has already happened.

“Endpoint Detection and Response (EDR) products rely on ‘detecting and responding’ after an attack has already occurred,” the company’s Chief Revenue Officer Tom Ricoy said in a statement.

By contrast, he claimed, “Cigent has put automated attack prevention as close to the data as possible – in the storage itself – where it can consistently prevent attackers from ransoming files, even if EDR has been circumvented.”

Cigent already offers a Secure SSD line that safeguards data through full-disk encryption and support for multi-factor authentication, plus the company sells a Data Defense Software as a Service (SaaS) platform to protect data on endpoint systems.

We asked Professor Bernard van Gastel of the institute for computing and information sciences in Nijmegen in the Netherlands how plausible he thought it would be to set something like this up.

Prof van Gastel told us he could answer "from a conceptual standpoint" and added: "To make something like this workable, you need to (1) properly detect ransomware (2) have effective measures to act on it.

"For the first one, you can detect patterns in how a drive is used. If all the data is overwritten, that is a indicator that ransomware is active. You can even detect it early on, if in a few minutes a significant chunk of data on the disk is being written. But as with all these detection mechanisms (such as with spam, intrusion detection, etc), there needs to be proper calibration of false negatives and false positives. A false positives means data is locked, and the system will have downtime. A false negative implies ransomware can actually work."

"For the second one, you need to 'fixate' the contents of the drive," the professor added. "At least make sure no additional data is being modified. But there can already be data loss, because detection is always 'after the fact'."

He said the company itself indicates this "in point 3 under 'A Few Important Notes' of their datasheet. So it is not full protection, because there might be false negatives and can kick in too late so some damage is already done. And it can cost you availability of your systems because of false positives."

Prof van Gastel cautioned that: "In the end, you still need high quality backup and recovery procedures. So I would not view such an new approach as a silver bullet that solves ransomware. But we live in a non-perfect world, in which backups and recovery procedures are often not working as they should. Therefore this kind of ransomware detection on a drive can work, and I see it might help organizations in practice."

Brian Honan of BH Consulting echoed this note of caution, saying: "I have to say I am sceptical of these claims not least that the act of encrypting data as part of a ransomware attack is the last step in a long chain of events. Before this happens your systems are already compromised and your data may have been exfiltrated.

"So as with everything in security there is no one silver bullet to protect our systems but it requires many different layers of defense."

Services tie-in

It would appear that the Secure SSD+ is really designed to work with the Data Defense platform, as the company reckons this lets it initiate a company-wide lockdown of data in response to ransomware being detected.

This triggers a “Shields Up” status that automatically requires multi-factor authentication in order to access all protected files, Cigent said, while the drive itself can optionally be put into read-only mode to protect data from being modified, wiped, or encrypted.

Cigent told The Register that every Secure SSD+ includes a client license for the Cigent Data Defense software.

Meanwhile, the Data Defense SaaS platform allows IT and security personnel to monitor and manage the drives and set policies, reset PINs, as well as receive ransomware alerts, Cigent said.

It can also be used to manage Data Defense software across the rest of the organization’s PCs and trigger “Shields Up” status to protect them from ransomware, even if they don't have a Secure SSD+ drive.

Secure SSD+ is said to have safeguards against security controls being disabled, namely an embedded “storage firmware heartbeat” that detects if the Cigent software is disabled. Access to the protected data is blocked in this situation, we're told.

Planned updates are set to include features to prevent the drive from being cloned, wiped, or accessed if the system is booted from another disk.

Cigent’s CEO and co-founder John Benkert is a veteran of USAF Intelligence and the NSA, according to the company website, and also CEO of data recovery outfit CPR Tools. The company targets both commercial and public sector organizations, including government bodies.

We asked Cigent for some more details on the Secure SSD+ and its on-board processing. The company told us that it uses a dedicated MCU (microcontroller unit) to inspect low level telemetry data from the SSD controller, analyzing it with machine learning algorithms for indications of ransomware activity.

The MCU is separate from the SSD controller, but links to it via a dedicated communications bus separate from the data pathway. This is designed to ensure the drive is able to maintain performance, Cigent said.

By analyzing the stored telemetry outside of the SSD controller, there is virtually no impact on normal read/write operations, it claims.

However, the product datasheet is somewhat light on specifications, not indicating exact read/write performance. Cigent did confirm the drives will be available in capacities of 480GB, 960GB and 1920GB when they are ready for purchase, set to be sometime in May 2023.

The datasheet does disclose that the Secure SSD+ ships in a M.2 2280 double-sided form factor, meaning it is 22mm wide by 80mm in length and may not fit some ultra-thin laptops.

Professor Alan Woodward, a computer scientist at the University of Surrey and a security expert, told us that this device looks like a fascinating concept, but that it raises several questions.

“What exactly is the on board AI monitoring? Is it looking for patterns that look like malware? I wonder just how effective this approach is. AI and machine learning are making headway into stopping malware of all sorts but it’s not 100 percent accurate,” he said.

Indeed, that footnote in the datasheet warns that “a small percentage of files may be encrypted by the ransomware before the drive countermeasures respond.”

But Cigent claims that its machine learning algorithms have been proven and can provide protection even against newer ransomware, while the detection sensitivity can be dynamically tuned to reduce false positives.

Prof van Gastel added: "Such a ransomware detection needs to be proven in time. This all assuming they properly implemented this. As I found with my previous SSD research, many implementations are lacking. Reference implementations that are audited by an external party are essential to increase trust in the correct working."

The datasheet also specifies that Secure SSD+ needs to be installed as the boot drive in an endpoint system, and support currently includes only Windows, but Linux support is coming soon.

Drives that integrate some processing capability in this way are sometimes regarded as an emerging field labelled Computational Storage. A typical example is Samsung’s SmartSSDs. Such devices may on-board a CPU, FPGA or ASIC to provide acceleration of some storage functions, such as compression, decompression or erasure coding. ®

More about

TIP US OFF

Send us news


Other stories you might like