Use Cases for Ransomware Protection
The following explains how using CipherTrust Transparent Encryption with Ransomware Protection can enhance the protection of your data:
Note
Ransomware Protection is applied on a GuardPoint. The GuardPoint is at the directory level for Linux.
Protect the File Server with both CipherTrust Transparent Encryption and Ransomware Protection
Use Ransomware Protection to improve data protection by encrypting sensitive data using CTE standard and LDT policies. Combining CTE encryption policies with Ransomware Protection strengthens your security posture. In this scenario, both CipherTrust Transparent Encryption and Ransomware Protection licenses are installed on the same server. All of the customer's sensitive data is on this server. Data may be on a local drive, or on a CIFS/NFS share mounted on this server. Users are using a CTE policy to encrypt the data, provide CTE access control, and protect the data from ransomware attacks. For this use case:
- Install and register CipherTrust Transparent Encryption with Ransomware Protection.
- Ensure RW license is available on CM.
- Ensure the policy is pushed by looking at the CipherTrust Manager GUI and ensuring that the GuardPoints display as Healthy and Green.
Adding Trusted Processes in the Ransomware Protection policy
Users can create a whitelist of trusted processes and exclude these processes, files, and directories from Ransomware Protection monitoring on any client that supports Ransomware Protection by specifying a Trusted Process Set in the Client Profile on CipherTrust Manager. The process set now allows for including signature sets and directory path mappings, which contain individual processes as well as all of the directories to be exempted.
A Trusted Process Set specifies one or more processes, each given by its full path. The path is a concatenation of the directory and file.
- The Trusted Process Set can also specify a signature set and/or a resource.
- The process set entry can have a resource without a process path and a signature set.
- A resource can have one or more paths. A path can contain a wildcard (asterisk) in the middle or at the end.
- A signature set is associated with one or more process paths.
To display a Trusted Process Set, type:
voradmin rwp exempt-processes
- See Setting Ransomware Protection Configuration in CipherTrust Manager for more information.
Best Practices for Adding Trusted Processes in the Ransomware Protection policy
- Provide an entry for each process to be exempted in the process set.
- Remove any double slashes in the path (best practice is to browse to the path on CipherTrust Manager).
- Do not use ., use only a single star as a wildcard.
- Provide a resource set only if you are sure that the processes will not access anything outside of the paths in the resource set; otherwise leave it unspecified.
- If providing a signature set, make sure that each process path is included in the signature set.
- You must specify the action taken on all other processes that attempt to access the sensitive data.
- Always add your anti-virus software to your exemption list (process set). Ransomware Protection intermittently flags anti-virus software as ransomware and blocks it.
- Thales recommends exempting database processes from RWP protection.
- If you use a TDE (Transparent Encryption software) other than CTE for any database encryption, then you must add the application to the exemption list (process set). During initial Transparent Data Encryption (TDE), SQL Server, for example, reads in all of the clear data and writes it back out as encrypted data. As such, it exhibits ransomware-like behavior and therefore must be added to the CipherTrust Transparent Encryption Ransomware Protection exempted process list.
- Add a resource set if the process set is used as the Trusted Process Set in the Setting Ransomware Protection Configuration.
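The path and signature-set rules above can be checked before a process set is entered in CipherTrust Manager. The following is an added example, not Thales code: the dictionary layout (`process`, `signature_set`, `resources`) and the sample paths are hypothetical, and Linux-style paths are assumed.

```python
# Added example: lint a proposed Trusted Process Set against the best practices above.
# The dict layout (process / signature_set / resources) is hypothetical, not a CTE or CM format.

def lint_entry(entry):
    """Return best-practice findings for one process-set entry."""
    findings = []
    process = entry.get("process")              # full path: directory + file
    signature_set = entry.get("signature_set")  # process paths covered by the signature set, or None
    resources = entry.get("resources") or []    # resource paths, may contain a single '*'

    if not process and not resources:
        findings.append("entry has neither a process path nor a resource")
    if process and not process.startswith("/"):
        findings.append(f"process is not a full path: {process}")
    for path in ([process] if process else []) + resources:
        if "//" in path:
            findings.append(f"double slash in path: {path}")
        if "**" in path:
            findings.append(f"use a single '*' as the wildcard: {path}")
    for res in resources:
        if res.startswith("*"):
            findings.append(f"wildcard only allowed in the middle or at the end: {res}")
    if signature_set is not None and process and process not in signature_set:
        findings.append(f"process path missing from its signature set: {process}")
    return findings


def lint_process_set(entries):
    """Map entry index -> findings, listing only entries that need attention."""
    report = {}
    for index, entry in enumerate(entries):
        findings = lint_entry(entry)
        if findings:
            report[index] = findings
    return report


# Constructed sample entries (paths are illustrative, assuming a Linux client).
SAMPLE_PROCESS_SET = [
    {"process": "/opt/av/bin/scanner"},
    {"process": "/usr/sbin/mysqld", "signature_set": ["/usr/sbin/mysqld"],
     "resources": ["/var/lib/mysql/*"]},
    {"process": "/opt/backup//bin/agent", "signature_set": ["/opt/backup/bin/agent"]},
    {"resources": ["/srv/share/**/cache"]},
    {"process": "bin/tool", "resources": ["*/tmp"]},
]

if __name__ == "__main__":
    for index, findings in lint_process_set(SAMPLE_PROCESS_SET).items():
        for finding in findings:
            print(f"entry {index}: {finding}")
```

Entries that pass the lint still need review against the resource-set guidance, since the script cannot know what a process accesses at run time.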