A security company says it has developed a flash drive with built-in support for ransomware prevention that can protect any data stored on it from being stolen or encrypted by malware.
We’re pretty sure you’ve heard claims about this sort of thing before, so we’ve taken a closer look at these last few things.
Cigent Secure SSD+ has a built-in processor that uses machine learning algorithms to constantly monitor disk accesses and will step in to block access if it detects ransomware activity, we’re told.
Cigent also says this differs from existing approaches to fighting ransomware by providing organizations with a preemptive solution rather than dealing with an attack that has already occurred.
Endpoint Detection and Response (EDR) products are all about detecting and responding after an attack has already occurred, the company’s Chief Revenue Officer Tom Ricoy said in a statement.
Instead, he said, Cigent has put automated attack prevention as close as possible to the data in the storage itself, where it can consistently prevent attackers from redeeming files, even if the EDR has been bypassed.
Cigent already offers a Secure SSD line that safeguards data through full-disk encryption and multi-factor authentication support, and the company also sells a data defense SaaS (Software as a Service) platform to protect data on endpoint systems.
We asked Professor Bernard van Gastel of the Institute for Computing and Information Sciences in Nijmegen, the Netherlands, how plausible it was to think that such a thing could be organised.
Prof van Gastel told us he could answer “from a conceptual point of view” and added: “To make something like this feasible, you need to (1) detect ransomware correctly (2) have effective measures in place to act on it it.
“For the former, the usage patterns of a drive can be detected. If all data is overwritten, this is an indicator that ransomware is active. You can even detect it in advance, if within minutes a significant portion of the data are written to the disk. But as with all of these detection mechanisms (such as with spam, intrusion detection, etc.), proper calibration of false negatives and false positives is required. A false positive means that the data is locked and the the system will experience downtime. A false negative implies that the ransomware may actually work.”
“For the second, it is necessary to ‘fix’ the content of the unit,” added the professor. “At least make sure no additional data is changed. But there may already be data loss, because detection always happens ‘after the fact’.”
He said the company itself states this “in point 3 under ‘Some important notes’ of their datasheet. So it’s not complete protection, because there could be false negatives and they can kick in too late, so some damage has already been done.” And that can cost you the availability of your systems due to false positives.”
Prof van Gastel warned that: ‘In the end, high-quality backup and recovery procedures are still needed. So I wouldn’t consider such a new approach as a silver bullet to fix ransomware. But we live in a less than perfect world, where backups and restore procedures often don’t work as they should. So this type of ransomware detection on a drive can work and I see it could help organizations in practice.”
Brian Honan of BH Consulting echoed this cautionary note, saying, “I have to say I’m skeptical of these claims, not least that the act of encrypting data as part of a ransomware attack is the last step in a long chain of events. Before this happens your systems are already compromised and your data may have been exfiltrated.
“So, as with everything related to security, there is no silver bullet to protect our systems, but it does require many different layers of defense.”
Connection of services
It would appear that Secure SSD+ is actually designed to work with the Data Defense Platform, as the company believes this allows it to initiate an enterprise-wide data lockdown in response to ransomware detections.
This triggers a Shields Up state that automatically requires multi-factor authentication to access all protected les, Cigent said, while the drive itself can optionally be placed in read-only mode to protect data from being modified, deleted, or from cryptography.
cigent said The register that each Secure SSD+ includes a client license for Cigent Data Defense software.
Meanwhile, Data Defense’s SaaS platform allows security and IT personnel to monitor and manage drives and set policies, reset PINs and receive ransomware alerts, Cigent said.
It can also be used to manage data defense software on the rest of your organization’s PCs and enable Shields Up status to protect them from ransomware, even if they don’t have a Secure SSD+ drive.
The Secure SSD+ is said to have protections against disabling security checks, namely a built-in storage firmware heartbeat that detects if Cigent software is disabled. Access to protected data is blocked in this situation, we are told.
Scheduled updates are set to include features to prevent the drive from being cloned, erased, or accessed if the system is booted from another disk.
Cigents CEO and co-founder John Benkert is a USAF and NSA intelligence veteran, according to the company’s website, and also the CEO of data recovery company CPR Tools. The company caters to both commercial and public sector organisations, including government entities.
We asked Cigent for more details on Secure SSD+ and its integrated processing. The company told us it uses a dedicated MCU (microcontroller unit) to inspect low-level telemetry data from the SSD controller, analyzing it with machine learning algorithms for indications of ransomware activity.
The MCU is separate from the SSD controller, but connects to it via a dedicated communication bus separate from the data path. This is designed to ensure the drive is able to maintain performance, Cigent said.
By analyzing telemetry stored outside the SSD controller, there is virtually no impact on normal read/write operations, he says.
However, the product datasheet is pretty clear on the specs, not stating the exact read/write performance. Cigent has confirmed the drives will be available in 480GB, 960GB and 1920GB capacities when they are ready to purchase, expected in May 2023.
The spec sheet reveals that the Secure SSD+ comes in a double-sided M.2 2280 form factor, meaning it’s 22mm wide by 80mm long and may not fit some ultra-thin laptops.
University of Surrey computer scientist and security expert Professor Alan Woodward told us this device sounds like a fascinating concept, but one that raises several questions.
What exactly is onboard AI tracking? Are you looking for patterns that look like malware? I wonder how effective this approach is. AI and machine learning are making progress in blocking malware of all kinds, but it’s not 100% accurate, she said.
In fact, that footnote in the datasheet warns that a small percentage of files may be encrypted by ransomware before drive countermeasures respond.
But Cigent says its machine learning algorithms have been proven and can provide protection against even the latest ransomware, while detection sensitivity can be dynamically adjusted to reduce false positives.
Prof van Gastel added: “Such a ransomware detection needs to be proven in time. All this assuming they have implemented it correctly. As I found with my previous SSD research, many implementations are missing. an external party are essential to increase confidence in proper functioning.”
The datasheet also specifies that Secure SSD+ must be installed as a boot drive in an endpoint system and support currently only includes Windows, but Linux support is coming soon.
Drives that integrate some computing capabilities in this way are sometimes considered an emerging field called Computational Storage. A typical example is Samsung’s SmartSSDs. Such devices may integrate a CPU, FPGA, or ASIC to provide acceleration of some storage function, such as compression, decompression, or erase coding.
