Getty Images/iStockphoto

IBM FlashSystem update focuses on ransomware detection

IBM FlashSystem builds on the ransomware fight in primary storage by adding AI to its FlashCore Module storage media and to Storage Defender, its data protection SaaS.

IBM is looking to detect ransomware in storage as early as possible by adding AI to its primary storage offering, reducing recovery time objectives.

In the latest update of its FlashSystem primary storage device, IBM made changes to both its primary storage hardware and Storage Defender software. FlashCore Modules, flash storage it uses in place of SSDs, are now in their fourth generation and provide extra computation to power an analysis of I/Os. IBM Storage Defender, primary and secondary data protection software, will now use low-powered AI sensors to search for anomalies.

In storage, ransomware detection is often relegated to backup software and products. But data resiliency and data protection is everyone's job, according to Scott Sinclair, an analyst at TechTarget's Enterprise Strategy Group. The responsibility stretches beyond the cybersecurity team or the backup team to all parts of the IT stack.

"The storage team needs to prioritize data protection," he said. "The faster you can identify an issue, the faster you recover, the better off you are."

Security in the media

FlashCore Modules look like traditional 2.5-inch SSDs but have more Arm-based cores and a field-programmable gate array, a configurable device to meet desired requirements, that turns the modules into computational storage devices, according to Sam Werner, vice president of storage product management at IBM. The modules use quad-level cell NAND but can perform at a faster, triple-level cell performance at a lower cost, he said.

The additional Arm cores provide the FlashSystem with extra computation to conduct an analysis of I/Os and look for anomalies, Werner said. This means the FlashCore Modules can detect ransomware on the flash itself, in under a minute, he added. When data is stored using flash technology, it is not updated but is instead rewritten somewhere else in the media, with a second copy existing for a short period of time. Ransomware detection can now analyze one copy outside the data path, without slowing performance.

Tools such as AI detection in primary storage can help organizations fight against ransomware, according to Sinclair. These attacks will continue and increase in sophistication, so a faster identification of the issue can reduce exposure, he said.

More intelligent defender

On the software side is Storage Defender, a combination of the vendor's data resilience product, Storage Protect, and a partnership with Cohesity's backup and recovery software, DataProtect.

Offered as a SaaS, the latest version places a lightweight sensor outside of the I/O path in Linux systems that samples metadata about every 30 seconds to look for anomalous activity, Werner said. Using this new methodology, Storage Defender can now detect threats in near real time, according to IBM.

The updates to Storage Defender are incremental but welcome, according to Dave Pearson, an analyst at IDC. The sensors have a low computational load to avoid negatively affecting performance.

"IBM wants to ensure your storage works the way it's expected to, and that ransomware detection isn't being provided at the expense of performance," he said.

These metadata searchers look for things such as encryption rather than exfiltration of data, Pearson said. Separately, IBM does offer data exfiltration detection in its QRadar Suite. The FlashCore Module and Storage Defender updates don't address every aspect of ransomware but could help customers get up and running again, which is a significant pain point.

"Downtime is extremely expensive and sometimes fatal for organizations," Pearson said.

Combined for overall intelligence

The FlashCore Modules and Storage Defender provide a defense in depth, or multiple layers, IBM said. The vendor gave examples of automating backups of user-defined protection groups as well as the faster restoration of immutable copies that have been validated and verified to be safe when using these technologies combined.

Regardless, IBM's approach to data protection is not unique, according to Pearson. NetApp and Pure Storage also offer services to detect ransomware in primary storage. Still, IBM has a huge install base and experience to garner information from about ransomware attacks, Pearson added.

"IBM has learned from previous attacks how the attack affects drive utilization and patterning of I/O," he said.

Adam Armstrong is a TechTarget Editorial news writer covering file and block storage hardware, and private clouds. He previously worked at

Dig Deeper on Flash memory and storage

Disaster Recovery
Data Backup
Data Center
and ESG