Raz-Lee Debuts Anti-Ransomware For IBM i
June 18, 2018 Alex Woodie
Despite its reputation as a secure digital fortress for back office automation, the IBM i server is subject to all manner of modern security threats. That includes ransomware, which can work its way onto mapped IFS drives and render business documents stored on the IBM i server useless. Raz-Lee Security recently launched a new solution aimed at combatting the spread of ransomware on IBM i.
Today’s business environment rewards companies that embrace openness. Companies are encouraged to open up their mainframes and IBM i servers and leverage the data and business processes they contain using APIs, microservices, and modern user interfaces. Much of the new software developed for these back-office systems is either open source itself or written using open source tooling.
All this openness represents both an opportunity and a threat to proprietary systems like IBM i. “IBM’s initiative is to bring as much open source software to the IBM i,” says Schmuel Zailer, the CEO of Raz-Lee Security. “This exposes us more and more to the real world outside.”
Unfortunately, today’s real world is rife with ransomware, which can infect PCs and encrypt data in Windows file systems until the victim pays a ransom. (Linux file systems may also be vulnerable but the incidence of ransomware infections on Linux systems is much lower than Windows PCs.)
Ransomware was a $5 billion business in 2017, according to Cybersecurity Ventures, which represents a 15x increase in just two years. While ransomware incidents have leveled off a bit following the massive NotPetya attacks in 2017 (which some attribute to the fluctuation in Bitcoin, the currency most cyber pirates use for ransoms), ransomware is poised to remain a security threat for the foreseeable future.
IBM i shops are increasingly falling victim to ransomware attacks. While the IBM i operating system itself is not vulnerable to x86 malware such as ransomware strains, the Windows-like Integrated File System (IFS) is, because it can be exposed as a network share. In all publicly reported cases of IBM i ransomware infection, the ransomware was introduced through a PC that had a mapped network drive to the IFS. (There is some debate as to whether Db2 for i files could be harmed through a ransomware attack. The consensus seems to be that it is possible.)
Raz-Lee Security used COMMON’s recent POWERUp18 conference as the venue to launch iSecurity Anti-Ransomware. According to Raz-Lee, Anti-Ransomware uses a series of techniques to thwart the spread of ransomware in IBM i networks. It comes down to three distinct steps:
- Detect the ransomware attack and determine the best way to respond
- Suspend the attack and isolate the threat
- Alert security officers and SIEMs
Detection is done by watching for unusual behavior on the IBM i server, including anomalous behavior surrounding files, names, and extensions, and of course the presence of encryption routines. The company follows the “duck rule” in determining what is ransomware and what is not, Zailer says. “If it walks like a duck and it swims like a duck and it quacks like a duck, it’s probably a duck,” he says.
The software can be configured to respond to positive identifications of ransomware in several manners, including alerting the human security officers or automatically taking action. If the customer chooses to have the software take automatic action, they can choose to have those actions be more or less aggressive.
A customer could configure the software to automatically disconnect the IP address that is the source of the attack (less aggressive), or to shut down all file serving activity on the IBM i (more aggressive). If the company is concerned about false positives unnecessarily shutting down operations, it can configure the software to close network connections only once it is certain of what is going on, at the risk of losing two or three files to encryption before the response kicks in, according to Zailer.
The software automatically sends alerts by email, SMS, and Syslog. It also feeds security information and event management (SIEM) products, emitting events in the LEEF and CEF formats.
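As an added illustration of the detect, respond and alert flow described above (this is not Raz-Lee’s code; the event schema, file extensions, note names, thresholds and CEF vendor fields are constructed assumptions), here is a small Python model of the “duck rule” applied to file-share events from a mapped IFS drive:

```python
import math
import os
from collections import defaultdict

# Constructed IFS share-access events (hypothetical schema, not Raz-Lee's):
# (client_ip, operation, path, payload). For renames, payload is the new path.
EVENTS = [
    ("10.0.0.5", "write", "/home/docs/q1.xlsx", b"PK\x03\x04 quarterly figures, plain rows..."),
    ("10.0.0.5", "write", "/home/docs/q1.xlsx", bytes(range(256)) * 4),  # high-entropy overwrite
    ("10.0.0.5", "rename", "/home/docs/q1.xlsx", "/home/docs/q1.xlsx.locked"),
    ("10.0.0.5", "rename", "/home/docs/q2.xlsx", "/home/docs/q2.xlsx.locked"),
    ("10.0.0.5", "write", "/home/docs/HOW_TO_RESTORE.txt", b"Your files are encrypted..."),
    ("10.0.0.9", "write", "/home/docs/memo.txt", b"Meeting moved to Thursday."),
    ("10.0.0.9", "rename", "/home/docs/memo.txt", "/home/docs/memo_final.txt"),
]
SUSPECT_EXTS = {".locked", ".encrypted", ".crypt"}         # constructed examples
NOTE_NAMES = {"how_to_restore.txt", "readme_decrypt.txt"}  # constructed examples

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted output approaches 8.0."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def duck_traits(events):
    """Collect independent ransomware traits per client IP (the 'duck rule')."""
    traits, renames = defaultdict(set), defaultdict(int)
    for ip, op, path, payload in events:
        if op == "rename":
            renames[ip] += 1
            if os.path.splitext(payload)[1].lower() in SUSPECT_EXTS:
                traits[ip].add("suspect_extension")
        elif op == "write":
            if os.path.basename(path).lower() in NOTE_NAMES:
                traits[ip].add("ransom_note")
            if entropy(payload) > 7.5:
                traits[ip].add("high_entropy_write")
    for ip, n in renames.items():
        if n >= 2:  # a burst of renames from one client is the third "quack"
            traits[ip].add("rename_burst")
    return traits

def respond(traits, aggressive=False):
    """Three or more traits: it is probably a duck. Pick the response tier."""
    return {ip: ("stop_file_serving" if aggressive else "disconnect_ip")
            for ip, t in traits.items() if len(t) >= 3}

def cef_alert(ip, traits):
    """CEF line for a SIEM (header: CEF:Version|Vendor|Product|Version|ID|Name|Severity|Ext)."""
    return ("CEF:0|ExampleVendor|IFSWatch|1.0|100|Ransomware behaviour on IFS share|10|"
            f"src={ip} cs1Label=traits cs1={','.join(sorted(traits))}")
```

Requiring several independent traits before acting is what keeps a single bulk rename or one compressed upload from triggering the aggressive tier, at the cost of the few files the page mentions.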
Anti-Ransomware is the first member of a new software suite from Raz-Lee. Dubbed iSecurity Advanced Threat Protection (or ATP), the new software suite is aimed at neutralizing advanced security threats on the IBM i server. The next module in iSecurity ATP will be a honeypot, Zailer says.
The iSecurity ATP solution will be aimed at addressing the full spectrum of advanced malware types that can impact IBM i, Zailer says. “What we protect users from is not only existing ransomware, but we try also to protect against future unknown ransomware and other kinds of malware which have some similarity to this,” he says.