A security startup claims to have created a flash drive that prevents ransomware from stealing or encrypting data.
According to Cigent, the Secure SSD+’s on-board processor utilizes machine learning techniques to monitor disk accesses and inhibit ransomware activities.
Cigent believes this prevents ransomware attacks rather than responding to them.
“Endpoint Detection and Response (EDR) products rely on ‘detecting and responding’ after an attack,” stated the company’s Chief Revenue Officer Tom Ricoy.
He said, “Cigent has put automated attack prevention as close to the data as possible – in the storage itself – where it can consistently prevent attackers from ransoming files, even if EDR has been circumvented.”
Cigent sells a Data Defense Software as a Service (SaaS) platform and a Secure SSD line with full-disk encryption and multi-factor authentication.
We asked Professor Bernard van Gastel of the Nijmegen Institute for Computing and Information Sciences how feasible this would be.
Prof. van Gastel replied “from a conceptual standpoint”: “To make something like this workable, you need
(1) properly detect ransomware (2) have effective measures to act on it.”
The first one detects drive usage patterns. All data wiped indicates ransomware. If a large amount of disk data is written in a few minutes, you can discover it early. As with spam, incursion, and other detection techniques, false negatives and positives must be calibrated. False positives lock data, causing downtime. False negatives imply malware works.”
“For the second one, you need to ‘fixate’ the contents of the drive,” the lecturer said. At least ensure no extra data is updated. “Detection is always ‘after the fact’, so data loss can already have occurred.”
“In point 3 under ‘A Few Important Notes’ of their data sheet,” the corporation says. False negatives and late activation mean it may not provide full protection. False positives can reduce system availability.”
“You still need high-quality backup and recovery procedures,” Prof. van Gastel advised. So this new strategy won’t solve ransomware. In a non-perfect world, backups and recovery techniques routinely fail. Thus, ransomware detection on a drive can function and may benefit enterprises.
“I have to say I am sceptical of these claims not least that the act of encrypting data as part of a ransomware attack is the last step in a long chain,” said Brian Honan of BH Consulting. Your systems may have been infiltrated and data exfiltrated before this.
“So as with everything in security, there is no one silver bullet to protect our systems but it requires many different layers of defense.”
The company believes the Secure SSD+ works with the Data Defense platform to lock down data enterprise-wide when ransomware is identified.
Cigent stated this activates a “Shields Up” status that automatically needs multi-factor authentication to access any protected files, and the drive can be put into read-only mode to prevent data from being edited, erased, or encrypted.
Cigent told The Register that every Secure SSD+ comes with a Cigent Data Defense client license.
Cigent claimed the Data Defense SaaS platform lets IT and security staff monitor disks, define policies, reset PINs, and receive ransomware alerts.
Even without a Secure SSD+ drive, it can manage Data Defense software across the organization’s PCs and activate “Shields Up” status to protect them against ransomware.
Secure SSD+ has a “storage firmware heartbeat” that detects Cigent software disablement. This prevents access to sensitive data.
When booted from another disk, planned upgrades will prohibit the drive from being cloned, deleted, or accessed.
According to Cigent’s website, CEO and co-founder John Benkert was a USAF Intelligence and NSA veteran and CEO of data recovery company CPR Tools. The corporation targets government and commercial clients.
We queried Cigent about the Secure SSD+’s on-board processing. The startup employs a dedicated MCU (microcontroller unit) to analyze low-level SSD controller telemetry data using machine learning techniques for ransomware activities.
A dedicated communications bus connects the MCU to the SSD controller. Cigent said this ensures drive performance.
It claims that studying telemetry outside of the SSD controller has little effect on read/write operations.
The product Data Sheet lacks read/write performance characteristics. Cigent said the drives will be available in 480GB, 960GB, and 1920GB in May 2023.
The Data Sheet states that the Secure SSD+ ships in an M.2 2280 double-sided form factor, which is 22mm wide by 80mm long and may not fit some ultra-thin laptops.
Professor Alan Woodward, a computer scientist and security expert at the University of Surrey, said this technology is intriguing but raises several problems.