
Front cover

IBM Storage Defender:


Data Resiliency Service

Christian Burns
Ondrej Bláha
Erin Farr
Phillip Gerrard
Meghan Grable
Juan Carlos Jimenez
Alexis Kojic
Ranjith Rajagopalan Nair
Daniel Paulin
Ramakrishna Vadla
Christopher Vollmar

Hybrid Cloud

Redpaper
IBM Redbooks

IBM Storage Defender: Data Resiliency Service

March 2025

REDP-5744-00
Note: Before using this information and the product it supports, read the information in “Notices” on page v.

First Edition (March 2025)

This edition applies to IBM Storage Defender Data Protect 7.1.1 and 7.1.2 and IBM Storage Defender Data
Resiliency Service (DRS) 2.0.9.

© Copyright International Business Machines Corporation 2025. All rights reserved.


Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
Contents

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .v
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Now you can become a published author, too! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Stay connected to IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Chapter 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 What is IBM Storage Defender Data Resiliency Service. . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 IBM Storage Defender overview and vision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2.1 Why IBM Storage Defender . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 IBM Storage Defender components and functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Chapter 2. IBM Storage Defender DRS and architecture overview . . . . . . . . . . . . . . . . 7


2.1 DRS architecture and elements overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1.1 The IBM Storage Defender mission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1.2 Architecture overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 IBM Storage Defender Connection Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2.1 Data sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.2 Recovery Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2.3 Sensor control nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2.4 IBM Storage Defender Sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2.5 Recovery Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2.6 IBM Clean Room. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.3 Adding resources in the Connection Manager and creating profiles in DRS . . . . . . . . 21
2.3.1 Adding resources in Connection Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.3.2 Creating profiles in DRS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.4 Auto-forwarding IBM Storage FlashSystem ransomware threat alerts to IBM Storage
Defender. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.4.1 IBM FlashCore Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.4.2 Integration between DRS and IBM Storage Insights Pro . . . . . . . . . . . . . . . . . . . 37

Chapter 3. IBM Defender sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39


3.1 What do sensors do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.2 Installing sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.2.1 Installing the sensor control software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.2.2 Adding a sensor control node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.2.3 Removing a sensor control node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.2.4 Installing an IBM Storage Defender sensor by using the GUI. . . . . . . . . . . . . . . . 45
3.2.5 Installing an IBM Storage Defender sensor by using the CLI . . . . . . . . . . . . . . . . 46
3.2.6 Uninstalling an IBM Storage Defender sensor by using the GUI . . . . . . . . . . . . . 48
3.2.7 Uninstalling an IBM Storage Defender sensor by using the CLI . . . . . . . . . . . . . . 49
3.2.8 Requirements for IBM Storage Defender sensors . . . . . . . . . . . . . . . . . . . . . . . . 50

Chapter 4. Daily administration, alerting, testing, and validation . . . . . . . . . . . . . . . . 51


4.1 IBM Storage Defender DRS dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.1.1 Resiliency Monitoring in the dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

© Copyright IBM Corp. 2025. iii


4.1.2 Recovery Group status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.1.3 Governance profile status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4.1.4 Recovery posture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.2 User management profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.3 Integrations for alerting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
4.4 Recovery testing and validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
4.5 Activating the recovery plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Abbreviations and acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

iv IBM Storage Defender: Data Resiliency Service


Notices

This information was developed for products and services offered in the US. This material might be available
from IBM in other languages. However, you may be required to own a copy of the product or product version in
that language in order to access it.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area. Any
reference to an IBM product, program, or service is not intended to state or imply that only that IBM product,
program, or service may be used. Any functionally equivalent product, program, or service that does not
infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to
evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The
furnishing of this document does not grant you any license to these patents. You can send license inquiries, in
writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, MD-NC119, Armonk, NY 10504-1785, US

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS”
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in
certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may make
improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time
without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any
manner serve as an endorsement of those websites. The materials at those websites are not part of the
materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without
incurring any obligation to you.

The performance data and client examples cited are presented for illustrative purposes only. Actual
performance results may vary depending on specific configurations and operating conditions.

Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and
represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to actual people or business enterprises is entirely
coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the sample
programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore,
cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are
provided “AS IS”, without warranty of any kind. IBM shall not be liable for any damages arising out of your use
of the sample programs.



Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines
Corporation, registered in many jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright
and trademark information” at https://www.ibm.com/legal/copytrade.shtml

The following terms are trademarks or registered trademarks of International Business Machines Corporation,
and might also be trademarks or registered trademarks in other countries.
Enterprise Design Thinking®, IBM®, IBM Cloud®, IBM FlashCore®, IBM FlashSystem®, IBM Research®,
IBM Spectrum®, IBM Z®, QRadar®, Redbooks®, Redbooks (logo)®, X-Force®, z/OS®

The following terms are trademarks of other companies:

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive
licensee of Linus Torvalds, owner of the mark on a worldwide basis.

Red Hat and Ansible are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United
States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

VMware and the VMware logo are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in
the United States and/or other jurisdictions.

Other company, product, or service names may be trademarks or service marks of others.



Preface

This IBM Redpaper publication describes IBM’s new cyber resiliency solution, IBM Storage
Defender Data Resiliency Service (DRS). By using DRS, users can leverage new detection
mechanisms for their environment to detect threats early, and get a full view of the
infrastructure by connecting primary storage arrays like IBM FlashSystem® and auxiliary
storage solutions for backup, such as IBM Defender Data Protect and IBM Storage Protect.
Also, users can set up Governance profiles to help ensure that their data is meeting internal
or regulatory standards.

This IBM Redpaper publication is designed to help users and administrators to better
understand how to set up, tailor, and configure this offering for their environments.

Authors
This paper was produced by a team of specialists from around the world working with
IBM Redbooks.

Christian Burns is a Principal Worldwide Storage Data Resiliency Architect and
IBM Redbooks® Platinum Author who is based in New Jersey. As a member of the Worldwide
Storage Technical Sales Team at IBM®, he works with clients, IBM Business Partners, and
IBM employees around the globe, designing and implementing solutions that address the
rapidly evolving cyber resiliency and data resiliency challenges facing enterprises today. He
has decades of industry experience in the areas of sales engineering, solution design, and
software development. Christian holds a BA degree in Physics and Computer Science from
Rutgers College.

Ondrej Bláha works as a Technology EMEA subject matter expert (SME) and Architect
focusing on IBM Storage Software with a specialization in data resilience (the Storage
Defender strategy for primary and secondary workloads). He has been with IBM for more
than 17 years, and for the last 10 years, he has served in several regional roles as an SME
and Customer Technical Support or Technical Advisor for key IBM customers. Ondrej is an
official IBM instructor for external IBM Software Training organizations who creates technical
hands-on IBM Storage Defender courses in the EMEA region. In 2016, he received the “Best
of IBM” award due to the delivery of key projects that still act as public references today.
Ondrej is originally from the Czech Republic and lives in Prague.

Erin Farr is a Senior Technical Staff Member (STSM) who is based in the IBM Storage CTO
Office, where she explores new technology for future products and shapes strategy in
anticipation of industry trends. Her areas of focus are cybersecurity and cyber resiliency. She
was instrumental in forming the vision for IBM Storage Defender, and she is passionate about
helping customers prevent and recover from cyberattacks. Before joining IBM Storage in
2021, she was the team lead for the IBM Z® Center for Secure Engineering for z/OS. She
worked on product development for most of her career, in areas such as IBM z/OS® UNIX,
analytics, virtualization management, and open source.



Phillip Gerrard is a Project Leader for the International Technical Support Organization who
is based in Beaverton, Oregon. As part of IBM for over 15 years, he has authored and
contributed to hundreds of technical documents to IBM.com and worked directly with IBM's
largest customers to resolve critical situations. As a team lead and SME for the
IBM Spectrum® Protect support team, he is experienced in leading and growing international
teams of talented IBM employees, developing and implementing team processes, and
creating and delivering education. Phillip holds a degree in computer science and business
administration from Oregon State University.

Meghan Grable is a global Growth Product Manager who specializes in data management
and resilience solutions, both Software as a Service (SaaS) and software-based, with a
strong focus on Product-Led Growth (PLG) strategies. With over 5 years of experience, she
has led cross-functional teams to develop cutting-edge technologies that empower
organizations to exceed their compliance goals and enhance their cyber resilience against
threats like cyberattacks, natural disasters, and human errors. Based in Raleigh, North
Carolina, Meghan holds a degree in Service Design from the Savannah College of Art and
Design. Her expertise in Service Design, enterprise design thinking, and PLG enables her to
create innovative, customer-focused products that drive business success and growth directly
through user engagement and product experience.

Juan Carlos Jimenez is the Worldwide Data Resiliency Product Manager who is based in
Dallas, Texas. He is focused on defining roadmaps, initiatives, and strategies within the
various data resiliency software products that he manages. Juan Carlos brings an end-to-end
view to cyber resilience, and leverages his expertise in both storage and security. Juan Carlos
developed the IBM Cyber Resiliency Assessment Tool, which has been helping numerous
enterprises identify and close gaps in their IT environments. He holds a Management
Information Systems degree from the University of Arizona.

Alexis Kojic is a Storage Technical Sales Specialist who is based in Canada. He has 2 years
of experience in the IT storage and cyber resilience field. He holds a BEng degree in
Computer Engineering from Toronto Metropolitan University.

Ranjith Rajagopalan Nair is a Software Architect who is based at IBM India. He has worked
at IBM for 20 years, which includes working on IBM Systems Storage for the past 10 years.
Ranjith’s current responsibility includes the development and delivery of IBM Storage
Insights. Ranjith holds a master’s degree in Computer Science from the University of Kerala.

Daniel Paulin is a Storage Software Architect who is based at IBM Croatia. An IT
professional since 1997, he has worked as a systems engineer for two financial companies in
Croatia. In 2003, he joined IBM, where he gained comprehensive experience in designing,
developing, and deploying architectures and infrastructure for various storage and server
solutions. Currently, Daniel is focused on IBM Storage solutions, particularly IBM Storage
Defender. His work is part of IBM’s broader initiative to enhance cyber resiliency and storage
security, which helps ensure data protection across diverse IT infrastructures. Daniel plays a
crucial role in promoting these innovations within the NCEE region, especially in storage
management and safeguarding against data breaches.

Ramakrishna Vadla is an STSM and Lead Architect for IBM Storage Insights and
IBM Spectrum Control. He is responsible for developing and designing the IBM Storage
Insights product, which monitors storage systems. With over 20 years of experience, he has
worked on large-scale distributed systems across various technologies, including AIOps,
microservices architecture, storage management, cloud-native services, and middleware
systems. He has spoken at multiple technical forums, including the SNIA Storage Developer
Conference and IBM global conferences, and has contributed to the open-source community.
He holds a Master of Technology degree in Computer Science from the International Institute
of Information Technology, Hyderabad, India.



Christopher Vollmar is the Principal Worldwide Storage Data Resiliency Architect.
Christopher is an IBM Certified IT Specialist (Level 3 Thought Leader) and Storage Architect.
He is focused on helping customers design solutions to support operational and cyber
resiliency on primary and backup data to complement their cybersecurity practices. He is an
author of several IBM Redbooks publications, an IBM Enterprise Design Thinking®
Co-Creator, and a frequent speaker at events like IBM THINK, and TechXchange.

Now you can become a published author, too!


Here’s an opportunity to spotlight your skills, grow your career, and become a published
author—all at the same time! Join an IBM Redbooks residency project and help write a book
in your area of expertise, while honing your experience by using leading-edge technologies.
Your efforts help to increase product acceptance and customer satisfaction, as you expand
your network of technical contacts and relationships. Residencies run from two to six weeks
in length, and you can participate either in person or as a remote resident working from your
home base.

Find out more about the residency program, browse the residency index, and apply online at:
ibm.com/redbooks/residencies.html

Comments welcome
Your comments are important to us!

We want our papers to be as helpful as possible. Send us your comments about this paper or
other IBM Redbooks publications in one of the following ways:
• Use the online Contact us review Redbooks form found at:
ibm.com/redbooks
• Send your comments in an email to:
[email protected]
• Mail your comments to:
IBM Corporation, IBM Redbooks
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400

Stay connected to IBM Redbooks


• Find us on LinkedIn:
https://www.linkedin.com/groups/2130806
• Explore new Redbooks publications, residencies, and workshops with the IBM Redbooks
weekly newsletter:
https://www.redbooks.ibm.com/subscribe
• Stay current on recent Redbooks publications with RSS Feeds:
https://www.redbooks.ibm.com/rss.html


Chapter 1. Introduction
This chapter introduces the IBM Storage Defender Data Resiliency Service (DRS). It
describes this solution’s overview and vision for the future. Later chapters describe the
different functions of the solution, how to set them up, configure them, and run them to drive
the most value.

This chapter describes the following topics:


• 1.1, “What is IBM Storage Defender Data Resiliency Service” on page 2
• 1.2, “IBM Storage Defender overview and vision” on page 3
• 1.3, “IBM Storage Defender components and functions” on page 4



1.1 What is IBM Storage Defender Data Resiliency Service
Today, organizations face severe threats to their data as the number of cyberattacks
increases and malicious actors become more sophisticated. According to the IBM X-Force®
Threat Intelligence Index 2024 report, 43% of all reported incidents involved malware, making
it the most common threat, and 20% of reported incidents were attributed to ransomware
attacks. In addition to malware, IT organizations are threatened by natural disasters, system
failures, human errors, and even sabotage. These events and others like them might result in
any number of outcomes, including financial losses and harm to customer trust if sensitive
data is compromised.

DRS is a cloud-based data resilience platform to help organizations restart essential business
operations if there is a cyberattack or other unforeseen catastrophic event. DRS provides
data resilience and compliance, early threat detection, and safe and fast recovery
orchestration for data that is stored across primary and auxiliary storage. The DRS software
helps to detect and respond to cyberthreats, such as malware and ransomware attacks, and
enables rapid recovery of data if there is a security breach or data loss. Administrators can
take quick and effective action to minimize the risks of massive financial losses or damage to
a company’s reputation.

DRS offers features such as data backup, data management, disaster recovery (DR), and
data isolation to help organizations protect their data from cyberthreats and unexpected
disruptions. Also, it provides rapid recovery of data and applications if there is a disaster or
data loss, minimizing downtime and helping ensure business continuity.

Note: The term auxiliary storage denotes a secondary or backup storage location that
enables you to use copies of data in place before the data is recovered.

DRS provides the following benefits:


• Data resilience and compliance
Set your resiliency standard to meet compliance across a data estate.
• Early threat detection
Provides near real-time file system monitoring, backup anomaly analysis,
IBM FlashSystem inline detection, and recovery time scanning.
• Safe and fast recovery
By using air-gapped data, immutable snapshots, and Clean Room recovery, you can
confidently and quickly recover your business operations.
• Connect storage ops and security operations (SecOps)
Collect storage and security events to send alerts to support staff and other security tools.
Deep integration with IBM QRadar® and Splunk.
• IBM FlashSystem integration
Understand threats down to the IBM FlashSystem volume and virtual machine (VM) level,
which helps speed up identification and the time to initiate remediation. Automatically
trigger proactive Safeguarded Copy snapshots to limit damage and automatically recover
to a Clean Room for testing.
• IBM Storage Defender Data Protect integration
Catalog IBM Storage Defender Data Protect recovery points, understand how your
policies align with your Governance goals, and automatically recover to a Clean Room for
testing.



With the combination of SecOps, storage, and infrastructure tools, DRS can monitor end-to-end
data movement and quickly supply critical information so that teams can make the most
informed decision about recovery strategies. DRS presents data resilience and recoverability
options across primary and auxiliary storage, bringing internal teams together with a
comprehensive single-pane-of-glass view and simplifying the orchestration of business
recovery processes.

1.2 IBM Storage Defender overview and vision


This section describes the vision behind IBM Storage Defender, along with a high-level
overview of the functions that IBM Storage Defender provides to meet those goals and
customer needs.

1.2.1 Why IBM Storage Defender


Originally, backup solutions were focused on protecting against accidental data loss (user
mishaps or data corruption), hardware failures, or natural disasters (such as hurricanes). As
cyberattacks became more prevalent, the industry adapted to meet the growing needs of
prevention and mitigation against bad actors attempting to cause harm. Many enterprises
assert that having a good DR plan in place means that they are covered for responding to
cyberattacks. However, cyber recovery has many different characteristics beyond simple DR:
• The impact of a natural disaster is regional, but a cyberattack can be global.
• Depending on the location of the backup data, your expectation might be that your data
would not be impacted by a natural disaster, but with cyberattacks backups can be
targeted first. Targeting backup or data copies further impacts recoverability, forcing a
victim into paying the ransom. According to IDC, over 30% of data backups are
successfully destroyed, and 55% in North America. [1]
• The probability of a natural disaster is relatively low compared to a cyberattack.

In addition, although an enterprise might practice their DR recovery, research [2] shows that few
enterprises are practicing cyber recovery, which includes aspects outside of traditional DR:
• Playbooks to help ensure seamless interaction with incident responders.
• Antivirus scanning during recovery to avoid the reintroduction of dormant malware.
• Practicing identification of good data copies at scale. Cyberattacks are not as
instantaneous as a power outage, for example, and the points of impact might vary across
available recovery points.

The industry has responded to some of these threats with solutions that provided extra
protection, such as air gaps or immutability. Initially, many auxiliary storage vendors also
added threat detection to their solutions, which led Gartner to coin the term cyberstorage.
Solutions with threat detection can be pure software or a dedicated appliance, but the trend is
that threat detection and response capabilities are being added into storage across the
industry. At first, only auxiliary storage vendors were providing this capability, but IBM saw a
need for detection in primary storage.

[1] Source 1: Ransomware 2024: If we have backups, why are we still paying a ransom? IDC Survey,
March 2024, document number US51941924. Source 2: 2022 Gartner Hype Cycle report.
[2] Ransomware 2024: If we have backups, why are we still paying a ransom? IDC Survey, March 2024,
document number US51941924.

However, as IBM investigated this trend, it quickly became apparent there were a series of
concerns that needed to be addressed:
• If an attack is detected, who is expected to respond? Nobody expects storage
administrators or data protection teams to become incident responders.
• Disparate solutions make it difficult to identify and find the last good copy. Recovery points
can be primary storage snapshots or auxiliary storage backups. Often, they are managed
by different tools and different teams. If an incident is actively occurring, a storage
administrator or incident responder might not have a holistic view across both primary and
secondary storage.
• If an enterprise takes backups once a day, would backup-based detection (only) be fast
enough to detect issues?
• How do you determine the scope of damage? Which systems were impacted? What is the
timeline?
• Although storage-based threat detection is important, it is unlikely that someone would
swap out their current solution only to get access to threat detection. How can this need for
extra features be met?

We recognize the need for the following items:


• A way to provide these cyber recovery features that works with existing investments and
current storage solutions.
• The ability to provide a holistic view across both primary and auxiliary storage for recovery
and threat detection.
• Features that specifically address cyber recovery, such as Clean Rooms (isolated
recovery environments) and antivirus scanning during recovery to avoid reintroduction
of dormant malware.

The vision of IBM Storage Defender is one that meets all these needs. DRS is a Software as
a Service (SaaS) management feature that is designed and intended to integrate with and sit
above an enterprise's existing storage system investments. DRS enables a holistic view
across primary and auxiliary storage while providing advanced ransomware detection and
recovery features that address modern threats in storage environments.

1.3 IBM Storage Defender components and functions


DRS is a multi-faceted offering that has several functions that work together to stay ahead of
data disruptions and attacks.

DRS has a centralized dashboard to promote cross-department visibility. Within the
dashboard, Recovery Groups, resource summary, and usage monitoring are readily available
in a simplified format. Also, Recovery Groups, Governance profiles, resources, and integrated
configurations can be created and updated within this dashboard.

DRS deploys AI-powered sensors to quickly detect threats and anomalies from backup
metadata, array snapshots, and other relevant threat indicators. Signals from all available
sensors are aggregated to increase detection paths for a fast response.

IBM FlashSystem offers protection through immutable copies of data that are known as
safeguarded copies, which are isolated from production environments and cannot be modified
or deleted through user error, malicious actions, or ransomware attacks. IBM Storage
Defender includes IBM Storage hardware integration with IBM FlashSystem and SAN Volume
Controller to include the usage of Safeguarded Copy as part of the DRS configuration.

IBM Storage Defender Data Protect offers an immutable auxiliary storage solution that
incorporates backups with rapid recovery, policies to lock data even from administration
removal, and two-person integrity checking. It features a scale-out, clustered architecture with
deep integration into databases and hypervisors and a robust global management structure.

By integrating DRS with a SIEM like Splunk or QRadar, advanced notification aggregation
makes crucial information available for initiating the next steps between infrastructure and
SecOps teams. This setup provides the information that is needed when deciding whether
recovery plans should be implemented immediately or how best to address threats.

Clean Room isolation helps ensure that the backups are clean and malware-free before
returning the data to a production environment. As a customer-managed resource, DRS
provides guided testing workflows to recover, test, and isolate backups before pushing them
to production systems, which helps ensure that clean recovery data is present.

DRS also brings in data from various points to help organizations become proactive in their
approach to data resilience. Identifying threats early helps ensure the availability of business
operations, which is essential to building operational resilience and trust. DRS is an advanced
solution that helps organizations build operational resilience by bringing together multiple
levels of threat detection and data protection that serve as a base when building out
advanced lines of defense across primary and auxiliary storage. This technology enables
users to effectively detect and respond to cyberattacks and other unforeseen threats to
storage environments. When put together, these features enable DRS to help navigate
unpredictable events and help ensure the continuity of vital business operations and
processes.

Chapter 2. IBM Storage Defender DRS and architecture overview

This chapter describes the architecture and elements of IBM Storage Defender Data
Resiliency Service (DRS). It breaks down the core functions and elements, including the local
and cloud-based elements, and alerting.

This chapter describes the following topics:

• 2.1, “DRS architecture and elements overview” on page 8
• 2.2, “IBM Storage Defender Connection Manager” on page 10
• 2.3, “Adding resources in the Connection Manager and creating profiles in DRS” on
page 21
• 2.4, “Auto-forwarding IBM Storage FlashSystem ransomware threat alerts to IBM Storage
Defender” on page 36

© Copyright IBM Corp. 2025. 7


2.1 DRS architecture and elements overview
IBM Storage Defender provides end-to-end data resiliency. Understanding the DRS
architecture and its elements helps you to properly plan, test, and recover your critical data.

The architecture shows you how DRS fits into IBM Storage Defender and the elements that
make up the architecture. This chapter describes the following elements:
• IBM Storage Defender Connection Manager
• Data sources
• Recovery Locations
• Sensors
• Recovery Groups
• Clean Room

2.1.1 The IBM Storage Defender mission


DRS is an optional component within the IBM Storage Defender solution that provides cyber
resiliency capabilities for managing primary and secondary data and workloads. DRS
simplifies the recovery of complex applications, automates recovery tests, and validates
primary and secondary data. Also, DRS may send notifications if anomalies are detected,
and indicate when the trustworthiness of existing primary and secondary data sources has
decreased.

DRS is a combination of cloud-based Software as a Service (SaaS) that is managed by IBM
and an on-premises agent that manages communications from your data center. The data
center agent is called the IBM Storage Defender Connection Manager, and collects telemetry
data about your primary and secondary data, and data sources like VMware. The data stays
on-premises. The telemetry data goes to the DRS, which helps secure and recover the data.

DRS can surface and aggregate the detection of operational threats on your production data.
At the time of writing, this feature includes the following system-level detection:
• Detection on the file-system level by using IBM Storage Defender Sensor technology
• Detection on the storage block level by using IBM Storage FlashSystem and
IBM FlashCore® Module (FCM) technology and statistical analysis to identify threat
patterns

DRS introduces the concept of Recovery Groups, which are used to group resources
together within the DRS. The combination of resources enables DRS to perform automated
test recoveries and to verify automatically whether the protection policies that are set up in
the related data protection application meet the requirements for a cyber resilient
environment. In DRS, multiple Recovery Groups can be defined. The key parts of a Recovery
Group are the protected resources, for example, virtual machines (VMs); the Clean Room
profile that defines the environment that can be used for automated test recoveries; and the
Governance profile that specifies the requirements for cyber resiliency within each Recovery
Group that is defined.

The DRS dashboard presents information that is relevant to cyber resiliency in a consolidated
view. This dashboard displays the configured Recovery Groups and, for each group, any
informational or warning messages about whether its cyber resiliency requirements are
being met. From the DRS dashboard, you can access all capabilities and configuration
options for the service.

DRS is designed to enhance data cyber resiliency to help protect against events like
hardware failures, human errors, sabotage, natural disasters, and ransomware. By
consolidating key parts of the existing IBM Storage portfolio into a single solution, you can
use new detection and protection capabilities on your data. DRS includes the following
capabilities:
• Supports software protection for multiple operating systems inside a VMware
environment.
• Deploys anomaly-based sensor agents on VMware VMs (IBM Storage Defender Sensors).
• Integrates and aggregates the hardware detection capabilities of IBM Storage FlashSystem
to receive alerts from IBM Storage Insights and IBM Storage Defender. These alerts may
be sent through integration with IBM QRadar and Splunk SIEM solutions.
• May recover data from a more recent point in time by creating a Safeguarded Copy
(immutable hardware snapshot) on IBM Storage FlashSystem.
• May recover IBM Storage Defender Data Protect backups into the Clean Room for testing
as part of the Recovery Group’s collection of recovery points.
• Provides a dashboard that can help clients better understand inconsistencies between
their primary storage copies and backup copies for the same workload or application.
• Additional dashboard features include the following items:
– May create and define Recovery Groups, which are a collection of data resources that
should be backed up and recovered as a unit.
– A summary of connected resources like VMs, data sources, Recovery Locations, and
connection managers.
– A license usage overview that highlights the number of Recovery Groups and deployed
sensors.

2.1.2 Architecture overview


DRS is a component of IBM Storage Defender that runs in the cloud and uses the on-premises
IBM Storage Defender Connection Manager to inventory the available and important
resources in a data center.

IBM Storage Defender Connection Manager provides on-premises data center connections to
the following resources:
• Data sources (IBM FlashSystem, IBM Storage Defender Data Protect, and VMware
vCenter)
• Recovery Locations
• Sensor control nodes and IBM Storage Defender Sensors

The data sources and Recovery Locations that are connected to the IBM Storage Defender
Connection Manager are inventoried automatically, and IBM Storage Defender Sensors
observe the systems on which they are installed.

After the inventory is done, you may create the following DRS elements:
• Recovery Groups with resources
• Profiles:
– Governance profiles
– Clean Room profiles

Figure 2-1 shows a high-level overview of DRS.

Figure 2-1 DRS: high-level overview

2.2 IBM Storage Defender Connection Manager


IBM Storage Defender Connection Manager (Connection Manager) connects to your local
environment to do inventory, test recovery, and recovery operations.

The Connection Manager must be installed in an on-premises data center or cloud instance. It
is delivered in OVA format and is deployed to your local VMware vCenter. Inside the
Connection Manager, Red Hat Enterprise Linux is the underlying operating system and is
included in the installation. After deployment, the Connection Manager software becomes
active and connects to your local resources; because DRS itself runs in the cloud, little initial
configuration is needed before first use.

The Connection Manager can be deployed from an OVA or on a bare metal server. Then, you
can log in to Connection Manager and add connections.

Figure 2-2 on page 11 shows the opening window of the Connection Manager.

Figure 2-2 IBM Storage Defender Connection Manager

Connections in Connection Manager include data sources, Recovery Locations, and sensor
control nodes. Typically, only one Connection Manager should be deployed at each physical
location. Data sources must be registered to the Connection Manager instance that is in the
same physical location.

Connection Manager also includes a job manager, which communicates internally with
various workload agents that run in Connection Manager, and also catalogs safeguarded
copies for IBM FlashSystem.

By using a built-in SIEM agent, Connection Manager integrates with on-premises
QRadar and Splunk installations to log security events from IBM Storage Defender.

2.2.1 Data sources


Data sources that you connect to the IBM Storage Defender Connection Manager are
inventoried automatically. The inventory metadata is transferred to the DRS. Connection
Manager supports the following data sources:
• IBM FlashSystem
• IBM Storage Defender Data Protect
• VMware vCenter

For IBM FlashSystem, Connection Manager gathers inventory, catalogs safeguarded copies
and recovery tasks, and restores from backup snapshots.

For IBM Storage Defender Data Protect clusters and VMware vCenters, Connection Manager
scans for VMs and protected systems and sends the scan results to DRS. It also coordinates
the recovery of VMs that are protected by IBM Storage Defender Data Protect.

Figure 2-3 shows an example of data sources in Connection Manager:

Figure 2-3 IBM Storage Defender Connection Manager: data sources

2.2.2 Recovery Locations


The Recovery Locations concept is used to help recover workloads into an isolated
environment. This concept introduces the ability to safely operate on resources that might be
contaminated with viruses or other malware without the risk of infecting your production
environment. Recovery Locations, like hypervisors that you connect to the IBM Storage
Defender Connection Manager, are inventoried automatically. The inventory metadata is
transferred to the DRS.

Figure 2-4 shows the main window of the Recovery Locations.

Figure 2-4 IBM Storage Defender Connection Manager: Recovery Locations

Figure 2-5 on page 13 shows an example of the relationship between your production
environment and a Recovery Location.

Figure 2-5 Recovery Location example diagram

2.2.3 Sensor control nodes


DRS implements the concept of sensor control nodes. The sensor control nodes are used to
host the sensor management systems. The sensor management systems are used for
sensors that are installed on resources like VMs.

The sensor control node hosts the sensor software and distributes it to the VMs that have
sensors that are installed. These sensors observe the systems that they are installed on and
can detect cyberattacks, like a ransomware attack, in real time. When the sensor detects a
cyberattack, the sensor alerts you by sending messages to the on-premises Connection
Manager and DRS.

Connection Manager comes with a built-in control node so you can start adding sensors right
away. However, if you want to use your own control nodes, you can add them through the
Connection Manager and use the provided Ansible playbooks to manage the sensors.

Figure 2-6 illustrates the sensor control architecture.

Figure 2-6 Sensor architecture overview

2.2.4 IBM Storage Defender Sensors


IBM Storage Defender Sensors implement a real-time detection mechanism for anomalous
operations on file system objects for the hosts that they are installed on. IBM Storage
Defender Sensors are part of the IBM Storage Defender product, and can be deployed on
VMs that are part of a Recovery Group. When the sensors are deployed, the sensors
automatically send metadata to the DRS.

A high-level example of the workflow and data path for DRS sensors is shown in Figure 2-7
on page 15.

Figure 2-7 IBM Storage Defender Sensors workflow

IBM Storage Defender Sensors operate as follows:

• When installed, the sensors use file system and operating system interfaces to collect
information about operations on file system objects.
• While collecting this information, sensors analyze this information to identify anomalies for
operations on file system objects.
• Frequently, heartbeat information is sent to the IBM Storage Defender Connection
Manager to signal that the sensor is active.
• When anomalies are detected, the related information is sent to the IBM Storage Defender
Connection Manager. A single Connection Manager can have many sensors that report
data to it.

DRS uses the sensor information in the following ways:

• The IBM Storage Defender Connection Manager reports the sensor data that is collected
on-premises to the DRS.
• The DRS correlates the information with Recovery Groups in your tenant.
• When sensor heartbeat information is missing or when an anomaly is detected for a file
system, a case is opened for the related Recovery Group.
• Depending on your notification settings, notifications are sent out about the new case.
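The following Python model of the sensor workflow just described is an added illustration, not code from IBM Storage Defender: sensors send heartbeats and anomaly reports, the Connection Manager collects them, DRS correlates each report with the Recovery Group that owns the host, opens a case, and fans out notifications. The message layout, the 15-minute heartbeat timeout, the Recovery Group membership and the function names are assumptions constructed for the example; the product's real message format and thresholds are not on this page.

```python
"""Illustrative model of the DRS sensor workflow (added example, not product code).

Assumptions: sensor messages are dicts with host/type/at fields, a Recovery
Group is a list of sensor hosts, and a heartbeat older than 15 minutes counts
as missing.  None of these are the product's own formats or thresholds.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: which VM (sensor host) belongs to which Recovery Group.
RECOVERY_GROUPS = {
    "rg-erp": ["vm-erp-db", "vm-erp-app"],
    "rg-web": ["vm-web-01"],
}

# Constructed sample messages as a Connection Manager might have collected them.
SENSOR_MESSAGES = [
    {"host": "vm-erp-db", "type": "heartbeat", "at": "2025-03-01T10:00:00"},
    {"host": "vm-erp-app", "type": "heartbeat", "at": "2025-03-01T10:00:30"},
    {"host": "vm-web-01", "type": "heartbeat", "at": "2025-03-01T09:20:00"},
    {"host": "vm-erp-app", "type": "anomaly", "at": "2025-03-01T10:03:00",
     "detail": "burst of renames to an unknown extension under /data"},
    {"host": "vm-lab-99", "type": "anomaly", "at": "2025-03-01T10:04:00",
     "detail": "host is not in any Recovery Group, so no case is opened"},
]

# Constructed notification settings: channels per Recovery Group.
NOTIFICATION_SETTINGS = {"rg-erp": ["email", "siem"], "rg-web": ["email"]}


@dataclass(frozen=True)
class Case:
    recovery_group: str
    host: str
    reason: str       # "anomaly" or "missing heartbeat"
    detail: str
    opened_at: datetime


def correlate(messages, groups, now, heartbeat_timeout=timedelta(minutes=15)):
    """Turn raw sensor messages into cases per Recovery Group.

    A case is opened for every anomaly report, and for every sensor host whose
    last heartbeat is older than heartbeat_timeout (or never arrived at all).
    """
    host_to_group = {h: g for g, hosts in groups.items() for h in hosts}
    last_heartbeat = {}
    cases = []
    for m in sorted(messages, key=lambda msg: msg["at"]):
        group = host_to_group.get(m["host"])
        if group is None:
            continue  # host not assigned to a Recovery Group: nothing to correlate
        ts = datetime.fromisoformat(m["at"])
        if m["type"] == "heartbeat":
            last_heartbeat[m["host"]] = ts
        elif m["type"] == "anomaly":
            cases.append(Case(group, m["host"], "anomaly", m["detail"], ts))
    for host, group in host_to_group.items():
        seen = last_heartbeat.get(host)
        if seen is None or now - seen > heartbeat_timeout:
            age = "never" if seen is None else f"{int((now - seen).total_seconds() // 60)} min ago"
            cases.append(Case(group, host, "missing heartbeat", f"last heartbeat {age}", now))
    return cases


def notifications(cases, settings):
    """Fan each case out to the channels configured for its Recovery Group."""
    return [(channel, c.recovery_group, c.host, c.reason)
            for c in cases for channel in settings.get(c.recovery_group, [])]


def run_sample(now_iso="2025-03-01T10:05:00"):
    """Evaluate the constructed sample at a fixed 'now' so the result is reproducible."""
    cases = correlate(SENSOR_MESSAGES, RECOVERY_GROUPS, datetime.fromisoformat(now_iso))
    return cases, notifications(cases, NOTIFICATION_SETTINGS)


if __name__ == "__main__":
    for case in run_sample()[0]:
        print(f"{case.recovery_group}: {case.reason} on {case.host} ({case.detail})")
```

With the sample data, the anomaly on vm-erp-app opens a case for rg-erp, and the stale heartbeat from vm-web-01 opens a "missing heartbeat" case for rg-web; the report from vm-lab-99 is dropped because that host is not part of any Recovery Group. The missing-heartbeat path matters as much as the anomaly path: a sensor that has been stopped or tampered with goes silent rather than reporting.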

2.2.5 Recovery Groups
Recovery Groups are a core concept within DRS. They include a combination of resources,
Governance profiles, and Clean Room profiles. By prioritizing your data, you assign storage
resources to a Recovery Group, which is assigned to a Governance profile and Clean Room
profile. When creating the Recovery Group, DRS evaluates the assigned primary resources
to determine whether the associated secondary resources contain corresponding
information, such as data protection backups or snapshots of the primary resource.

For example, if a Recovery Group is assigned VM1, VM2, VM3, and VM4, then DRS
determines whether it can find backup snapshots for these VMs in the secondary data
sources within the same location (data center). When DRS correlates the primary and
secondary resource data for the assigned VMs, it proceeds to test the Recovery Group based
on the policy and Clean Room profile settings.

In the DRS dashboard, you can find the details about Recovery Groups. Figure 2-8 shows
Recovery Group details.

Figure 2-8 DRS Recovery Group details

Profiles
The Governance and Clean Room profiles are used to define and set the recovery objectives
of Recovery Groups and recovery target environments.

Governance profiles are created and applied to the Recovery Group so that specific recovery
objectives may be defined and associated with one or more groups. These recovery
objectives are composed of preset points in time for the recovery points and the preset
minimum retention time for the recovery points. The Governance profile may specify a
threshold time that must elapse before the next recovery test is performed for the Recovery
Group. Separate recovery objectives can be defined for IBM Storage FlashSystem and
IBM Storage Defender Data Protect independently.

The Governance profile definition enables one of the following three use case definitions:
• Observation of the recovery objectives for IBM Storage FlashSystem recovery points
(safeguarded snapshot copies)
• Observation of the recovery objectives for IBM Storage Defender Data Protect recovery
points
• Observation of both the recovery objectives for IBM Storage FlashSystem recovery points
and IBM Storage Defender Data Protect recovery points

The test frequency objective is optional for all use cases.
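The Python below is an added example, not IBM Storage Defender code, of the two checks described in this section and in 2.2.5: correlating a Recovery Group's VMs with recovery points from the secondary data sources in the same location, and then evaluating a Governance profile whose objectives (point-in-time threshold, minimum retention, optional test frequency) are set independently for IBM Storage FlashSystem and IBM Storage Defender Data Protect. The class names, field names and the constructed thresholds are assumptions for illustration only.

```python
"""Illustrative Governance profile evaluation (added example, not product code).

Assumptions: a recovery point carries a source, a location, a creation time
and a retention period; a profile has an optional objective per source and an
optional test frequency.  These are constructed for the example only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

FLASHSYSTEM = "flashsystem"      # safeguarded snapshot copies
DATA_PROTECT = "data_protect"    # IBM Storage Defender Data Protect backups


@dataclass
class Objective:
    max_age: timedelta        # newest recovery point may be at most this old
    min_retention: timedelta  # newest recovery point must be retained at least this long


@dataclass
class GovernanceProfile:
    flashsystem: Optional[Objective] = None      # use case 1 when set alone
    data_protect: Optional[Objective] = None     # use case 2 when set alone; both = use case 3
    test_frequency: Optional[timedelta] = None   # optional in every use case


@dataclass
class RecoveryPoint:
    vm: str
    source: str
    location: str
    created: datetime
    retention: timedelta


@dataclass
class RecoveryGroup:
    name: str
    location: str
    vms: list
    last_successful_test: Optional[datetime]


def correlate(group, points):
    """Map source -> vm -> recovery points, keeping only points for the group's
    VMs that sit in the group's own location (data center)."""
    found = {}
    for p in points:
        if p.vm in group.vms and p.location == group.location:
            found.setdefault(p.source, {}).setdefault(p.vm, []).append(p)
    return found


def evaluate(group, profile, points, now):
    """Return a list of findings; an empty list means every objective is met."""
    findings = []
    found = correlate(group, points)
    for source, objective in ((FLASHSYSTEM, profile.flashsystem),
                              (DATA_PROTECT, profile.data_protect)):
        if objective is None:
            continue  # this source is not part of the profile's use case
        for vm in group.vms:
            vm_points = found.get(source, {}).get(vm, [])
            if not vm_points:
                findings.append(f"{source}: no recovery point for {vm} in {group.location}")
                continue
            newest = max(vm_points, key=lambda p: p.created)
            if now - newest.created > objective.max_age:
                findings.append(f"{source}: newest recovery point for {vm} exceeds max age")
            if newest.retention < objective.min_retention:
                findings.append(f"{source}: retention for {vm} is below the minimum")
    if profile.test_frequency is not None:
        last = group.last_successful_test
        if last is None or now - last > profile.test_frequency:
            findings.append("recovery test is overdue")
    return findings


def sample_findings():
    """Constructed sample: one stale snapshot and one backup in the wrong location."""
    now = datetime(2025, 3, 1, 12, 0)
    group = RecoveryGroup("rg-erp", "dc1", ["vm1", "vm2"], now - timedelta(days=3))
    profile = GovernanceProfile(
        flashsystem=Objective(timedelta(hours=4), timedelta(days=7)),
        data_protect=Objective(timedelta(hours=24), timedelta(days=30)),
        test_frequency=timedelta(days=7),
    )
    points = [
        RecoveryPoint("vm1", FLASHSYSTEM, "dc1", now - timedelta(hours=1), timedelta(days=14)),
        RecoveryPoint("vm2", FLASHSYSTEM, "dc1", now - timedelta(hours=6), timedelta(days=14)),
        RecoveryPoint("vm1", DATA_PROTECT, "dc1", now - timedelta(hours=12), timedelta(days=30)),
        RecoveryPoint("vm2", DATA_PROTECT, "dc2", now - timedelta(hours=12), timedelta(days=30)),
    ]
    return evaluate(group, profile, points, now)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

In the sample, vm2's safeguarded snapshot is six hours old against a four-hour objective, and vm2's only backup sits in a different data center, so it is never correlated with the group. Both conditions are reported as findings while the test-frequency objective (last test three days ago, seven-day threshold) is met; the point is that a backup in the wrong location is as much a gap as no backup at all.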

Figure 2-9 shows an overview of recovery objectives that are configured in the Governance
profile.

Figure 2-9 Recovery objectives that are configured in the Governance profile

The Clean Room profiles connect the Recovery Groups that belong to resources in the
production environment with configuration and resources that are defined in DRS. The
connected resources are IBM Storage FlashSystem, IBM Storage Defender Data Protect,
and the Clean Room environment. This resource configuration defines how IBM Storage
Defender behaves during a recovery event.

Figure 2-10 illustrates the logical connection between the different components.

Figure 2-10 Clean Room objectives that are configured in the Clean Room profile

To help ensure the successful recovery of the Recovery Group that is assigned to the specific
Clean Room profile, configuration requirements must be met. The configuration of a Clean
Room profile enables the usage of the profile for one of the following three different use
cases:
1. Recovery from IBM Storage FlashSystem safeguarded snapshots
2. Recoveries from IBM Storage Defender Data Protect backup copies
3. Recovery from both IBM Storage FlashSystem safeguarded snapshots and IBM Storage
Defender Data Protect backup copies

Important: If these requirements are not met, the recovery of the VMs that belong to the
specific Recovery Group fails for Clean Room recoveries.

In addition to the conceptual dependencies between the Clean Room profile and other IBM
Storage Defender components, consider that the same Clean Room profile can be reused for
different Recovery Groups. In cases where a Clean Room is associated with multiple
Recovery Groups, the different Recovery Groups might have different requirements for their
recovery. This situation is important when recovering from IBM Storage FlashSystem
because the requirements for network infrastructure, mapping of volumes, or SAN zoning
might be different. Therefore, it might be beneficial to implement multiple Clean Room profiles
with different configurations to provide more flexibility for the recovery scenarios that you want
to implement for different Recovery Groups.

Resources
All available resources that are managed by DRS and inventoried with Connection Manager
are shown in the DRS GUI. DRS supports the following resources:
• VMs
• Connection Managers
• Data sources
• Clean Rooms

Resources are added to Recovery Groups during their creation, and are checked during
inventories by the Connection Manager.

2.2.6 IBM Clean Room


Clean Room plays an important role in the IBM Storage Defender solution by enabling the
recovery of workloads into an isolated environment. By using it, you can safely restore and
investigate resources that might be contaminated with viruses or other malware without the
risk of infecting your production environment.

Protected VMs may be recovered into an associated Clean Room for verification before their
recovery into a production environment. IBM Storage Defender is connected to each VM
instance and provides observation and assistance with this process.

A Clean Room environment setup has several similarities with a standard vCenter setup.
Apart from the Recovery Groups that are restored by using data stores that are mapped from
data protection solutions, a DMZ is implemented to enable access to the isolated portions of a
Clean Room.

Figure 2-11 displays the high-level structure of a Clean Room environment.

Figure 2-11 Clean Room environment schema

Isolation is an important aspect to consider when implementing Clean Room functions. There
are multiple dimensions, such as isolation of infrastructure, network, and access
management. In addition to isolation, you must monitor and log a Clean Room environment.
The following sections describe the different aspects of isolation for a Clean Room
environment.

Infrastructure isolation
Isolating the infrastructure is an important aspect of a Clean Room environment. Isolation for
physical resources refers to physical separation, where you have computer hardware that is
used for a hypervisor and is independent of any production environment. When you use a
cloud service provider, isolation refers to a logical separation that is configured by using
different cloud accounts.

Network segmentation and monitoring

Network segmentation comprises multiple aspects:
• Logical separation and subnetting: In addition to the recovered VMs, the Clean Room
environment contains systems that are used for tools and management. Separate groups
of systems into network segments to prevent the breakout of malware from infected
systems. If multiple Recovery Groups are recovered into the same Clean Room to
establish a temporary production environment, use a dedicated VLAN for each Recovery
Group. Apart from the breakout prevention, the positive impact of the administrative
separation of duty is another important benefit to this planning step.
• Access control and firewalls: Use firewalls and access control lists (ACLs) to control and
monitor traffic between network segments. Also, enhance security by enforcing rules that
are based on source, destination, and port.
• Security zones and critical infrastructure protection: Establish security zones, including a
DMZ to separate public-facing servers and protect critical infrastructure components by
limiting potential attack vectors.
• Monitoring, encryption, and regular auditing: Implement network monitoring tools and
centralized logging to help ensure visibility and timely detection of security incidents. Also,
implement secure communication between Recovery Groups in the same Clean Room. If
applications require interaction, you can use VPNs and encryption. If the Clean Room is
used for temporary production, conduct regular security audits to confirm all security
measures are still valid and providing the expected protection.

Identity management and logging


Implementing administrative separation of a Clean Room environment from a production
environment helps provide an extra layer of security. This implementation can range from
using a different set of administrative identities to a total separation of identity management in
a separate directory service.

The logical separation of administrative roles for the production system and the Clean Room
environment and strict limits on a user’s permissions prevent a user from influencing both
environments.

The implementation of auditable logging for all operations in the Clean Room helps ensure
that any operation on the recovered data is traceable. This implementation includes the
creation and configuration of the Clean Room; Clean Room operations, such as recovery,
data masking, and anonymization; or temporary production usage of the data.

Compliance and legal compliance
The bounded usage scope of a Clean Room environment enables comprehensive
documentation of all operations in the Clean Room. The addition of the auditable logging in
the configuration of the Clean Room environment allows for an event chain to be present and
maintained to help ensure that proper procedures were followed or evaluated during a
post-event review. With logging, the usage scope expands to include actions such as
temporary production use or test recovery on the data in the Clean Room. These operation
logs enable analysis or development, and you can use them to document events or actions
that are taken. A comprehensive review of this documentation can help you audit the
regulatory compliance status of a company and confirm whether the requirements are being
met.

For more information, see IBM Storage Defender: Clean Room environments.

2.3 Adding resources in the Connection Manager and creating profiles in DRS

The following section describes how you can add resources in the IBM Storage Defender
Connection Manager and how you can create profiles in DRS with these resources.

2.3.1 Adding resources in Connection Manager


After you deploy Connection Manager, you can log in to the Connection Manager GUI and
add resources that you manage through DRS.

To log in to Connection Manager, enter the following link into a browser:

https://<ConnectionManager IP or hostname>/login

A login page opens, where you enter your username and password (Figure 2-12). Confirm
the login by entering the confirmation code from your authentication application.

Figure 2-12 Connection Manager login

Figure 2-13 shows the Connection Manager dashboard. You can use this dashboard to add
resources from the Connections menu.

Figure 2-13 Connection Manager: Connections

From the Connections dashboard, you can add data sources, Recovery Locations, and sensor
control nodes to the DRS configuration.

Adding data sources

To add data sources in the Connections dashboard, complete the following steps:
1. Select the Data sources tab and click Add a data source. A wizard opens in the right
pane. It guides you through the process (Figure 2-14). Select the type of data source that
you want to add and click Next.

Figure 2-14 Connection Manager: Add a data source pane

2. Enter the hostname or IP address of the data source and click Next (Figure 2-15 on
page 23).

Figure 2-15 Connection Manager: Add a data source details pane

3. Review the certificate details and click Next (Figure 2-16).

Figure 2-16 Connection Manager: Add a data source details pane

4. Enter the credentials that will be used by Connection Manager to access this data source
(Figure 2-17).

Figure 2-17 Connection Manager: Add a data source credentials pane

5. Click Add. Once the process completes, the new data source is added to Connection
Manager, as shown in Figure 2-18.

Figure 2-18 Connection Manager: New data source

Adding Recovery Locations

To add Recovery Locations in the Connections dashboard, complete the following steps:
1. Select the Recovery locations tab and click Add recovery location. A wizard opens in
the right pane. Enter the hostname or IP address of the VMware vCenter that you want to
add and click Next (Figure 2-19 on page 25).

Figure 2-19 Recovery Location: Adding recovery location pane

2. Review the certificate details and click Next (Figure 2-20).

Figure 2-20 Recovery Location: Certificate details pane

3. Enter the dedicated credentials with the required permissions and the level of access to
the environment for this Recovery Location, and click Add (Figure 2-21).

Figure 2-21 Recovery Location: Add location panel

Figure 2-22 shows that the new Recovery Location was successfully added to the
Connections list.

Figure 2-22 Add Recovery Location

Adding sensor control nodes

Connection Manager comes with a built-in control node. If you want to use your own control
nodes, you can add them through the Connection Manager GUI, and use the provided
Ansible playbooks to manage the sensors.

To add a control node into the Connections dashboard, complete the following steps:
1. Select the Sensor control nodes tab and click Add control node (Figure 2-23). A wizard
opens in the right pane. Enter the Ansible control node hostname, and click Next.

Figure 2-23 Add sensor control node pane

2. Enter the credentials that you created on the Ansible control node during the IBM Storage
Defender sensor setup, and click Add (Figure 2-24).

Figure 2-24 Add sensor control node pane

The new sensor control node was added to Connection Manager (Figure 2-25).

Figure 2-25 Sensor control node connections list

2.3.2 Creating profiles in DRS

Profiles that are used in DRS are assigned to Recovery Groups and consist of Governance
and Clean Room components. Policy Governance profiles can be assigned to Recovery
Groups to monitor alignment with your backup policies and recovery point objectives. Clean
Room profiles are used by a Recovery Group to specify the Clean Room location and setting
that is needed to recover data. To create profiles in DRS, select Profiles from the menu,
which opens the Profiles dashboard.

To create a Governance profile, complete the following steps:
1. Select the Governance tab and click Create profile. The Create governance profile
window opens (Figure 2-26). Under the Details tab, enter the name for a Governance
profile and its description, and then click Next.

Figure 2-26 Creating a Governance profile window

2. When creating a Governance profile, use the Immutable Snapshots tab to select
thresholds for immutable snapshot recovery points that are available from the
IBM FlashSystem server (Figure 2-27). Select the checkbox to enable point in time
verification and retention time verification for the specified time interval. Click Next.

Figure 2-27 Governance profile: Immutable snapshots verification window



3. Under the Backups tab, select thresholds for backup copy recovery points that are
available from IBM Storage Defender Data Protect (Figure 2-28). Select the checkbox to
enable point in time verification and retention time verification for the specified time
interval. Click Next.

Figure 2-28 Governance profile: Backups verification window

4. In the Recovery testing tab, select the thresholds for successful recovery testing. Select
the checkbox to enable test frequency verification and specify time interval (Figure 2-29).

Figure 2-29 Governance profile: Recovery Testing window

5. Click Create. A new Governance profile is created.



Figure 2-30 New Governance profile created in the profiles list

To create a Clean Room profile, complete the following steps:


1. Select the Clean Room tab and click Create profile (Figure 2-31).

Figure 2-31 Creating a Clean Room profile



2. In the Create Clean Room profile window, under the Details tab, specify the name for a
Clean Room profile and provide a description of the Clean Room profile (Figure 2-32).
Click Next.

Figure 2-32 Clean Room profile details window



3. Under the Clean room settings tab, enter the Clean Room location and recovery
preferences (Figure 2-33). The settings under this tab are global in the context of the
profile and influence the recovery from both IBM Storage FlashSystem and
IBM Storage Defender Data Protect. Click Next.

Figure 2-33 Clean Room settings window



4. Under the Immutable snapshot recovery tab, enter your recovery preferences when
recovering from immutable snapshots with IBM Storage FlashSystem (Figure 2-34).

Figure 2-34 Clean Room: Immutable snapshots settings window

5. Under the Backup recovery tab, specify your recovery preferences when recovering
from IBM Storage Defender Data Protect (Figure 2-35 on page 35). If you plan to recover
from a backup, select the vSphere resource pool from the drop-down list that you use for
recovery. The default resource pool on each vCenter is the pool that is called Resources.
You can have other resource pools that you created in your vCenter. All available resource
pools can be selected for recovery. You can select the vCenter data store from the
drop-down list that you want to use for recovery with this policy. Click Create to create a
Clean Room profile with the specified values.



Figure 2-35 Clean Room: Backup recovery settings window

The Clean Room profile is created under the Clean room tab (Figure 2-36).

Figure 2-36 Clean Room profile list

By creating the Governance and Clean Room profiles, you configured the recovery objectives
of Recovery Groups and recovery target environments.



2.4 Auto-forwarding IBM Storage FlashSystem ransomware threat alerts to IBM Storage Defender

DRS integrates with IBM Storage Insights and IBM FlashSystem to enable inline data
anomaly detection on storage at the block level. IBM Storage FlashSystem offers new smart
technology that is enabled by the fourth generation of IBM FlashCore Modules (FCM4),
which are designed to continuously monitor statistics that are gathered from every I/O. IBM
Storage FlashSystem uses machine learning models to detect anomalies like ransomware in
less than a minute, which helps ensure that your business is protected before a cyberattack
runs.

The ransomware alerts that IBM Storage Insights Pro generates for a monitored
IBM FlashSystem can be auto-forwarded to IBM Storage Defender to trigger cyber resiliency
workflows and protect your systems as soon as possible. For customers subscribing to
IBM Storage Insights Pro and IBM Storage Defender, this function enables enhanced
protection from ransomware attacks with simple integration.

2.4.1 IBM FlashCore Module


IBM has been delivering high-performance, highly reliable customized flash modules for many
years. With IBM FCM, the control path and the data path within the module are separated,
which helps ensure that data can be accessed and transferred without any performance
degradation that is caused by the control path. To enhance endurance and reliability, FCM
modules have endurance features and RAID within the modules themselves. Numerous
additional technologies and benefits are implemented.

For more information, see the IBM Redbooks website for publications about the
IBM FlashSystem family, such as IBM Storage FlashSystem 7300 Product Guide: Updated
for IBM Storage Virtualize 8.7, REDP-5741.

How IBM FCMs detect and report ransomware threats


In 2024, IBM introduced FCM4, which brought another industry-leading breakthrough that is
called Ransomware Threat Detection. It is a process that identifies and responds to security
threats before they can damage data or systems. FCM4 collects detailed statistics on every
I/O operation (IOP) for each virtual disk (VDisk). This data is intelligently summarized for
efficient processing. FCM4 transmits this summary to IBM Storage Virtualize, which relays it
to an AI-powered inference engine. This engine can identify unusual activity, like potential
ransomware attacks, in under a minute. On detection, an immediate alert is sent to
IBM Storage Insights Pro, enabling swift action. Also, the information can be shared with
IBM Storage Defender if it is available, which further strengthens your security posture.

With IBM Storage Virtualize 8.7 and FCMs with FCM firmware 4.1, the ransomware threat
detection is further improved by the following process:
1. IBM FCMs collect and analyze detailed ransomware statistics from every I/O with no
performance impact.
2. IBM Storage Virtualize runs an AI engine on every IBM FlashSystem, which is fed
machine learning (ML) models that are developed by IBM Research® and trained on
real-world ransomware.
3. The AI engine learns what is normal for the system and detects threats by using data from
FCM.



4. IBM Storage Insights Pro collects threat information from a connected IBM FlashSystem,
and alerts trigger SIEM/SOAR software to initiate a response.
5. Statistics are fed back to IBM to improve ML models.

2.4.2 Integration between DRS and IBM Storage Insights Pro


IBM Storage Insights Pro is a subscription-based SaaS offering that provides enhanced
monitoring, management, and optimization for storage environments. It is designed to help
enterprises gain deeper insights into their storage infrastructure, improve operational
efficiency, and proactively manage storage resources. IBM Storage Insights Pro has many
AIOPS capabilities that can help customers plan for the future and manage their
infrastructure efficiently.

For IBM FlashSystem running firmware 8.6.3 and later, IBM FCM (FCM4 with firmware 4.1)
can detect ransomware threats in the data path and send threat details to IBM Cloud® Call
Home. IBM Storage Insights Pro monitors ransomware threats that are detected on all
monitored IBM FlashSystem systems and generates alerts. These alerts are sent to the
storage administrator through email and are also displayed in the IBM Storage Insights Pro
user interface. Also, IBM Storage Insights Pro identifies affected volumes, marking them as
having detected ransomware threats.

Enable DRS integration in Storage Insights Pro


Storage administrators who subscribe to both IBM Storage Insights Pro and DRS may direct
ransomware alerts that are generated in IBM Storage Insights Pro to DRS. When an IBM
FlashSystem is onboarded to both IBM Storage Insights Pro and IBM Storage Defender,
IBM Storage Defender sends an integration request to IBM Storage Insights Pro. The IBM
Storage Insights Pro administrator receives this request through the user interface and
decides whether to forward ransomware alerts to IBM Storage Defender. Once the
administrator approves the request, the system is enabled to send ransomware alerts to IBM
Storage Defender. When a ransomware threat is detected on any volume or volume group of
the monitored IBM FlashSystem system, the alert is forwarded to the IBM Storage Defender
webhook, including details such as storage system information, volume specifics, and the
ransomware timestamp. When IBM Storage Defender receives and acknowledges the alert,
IBM Storage Insights Pro notifies the user that IBM Storage Defender has acknowledged the
alert and is actively addressing it. Then, the alert is available to be sent through DRS to any
connected SIEM systems to notify the security operations (SecOps) team. At the time of
writing, QRadar and Splunk are supported.

The basic working principle of the integration between the two services is as follows:
- IBM FlashCore Module 4 technology is built into the IBM Storage FlashSystem system
that is used.
- The IBM Storage FlashSystem system is registered in IBM Storage Insights Pro. When
the system is registered, the IBM FCM starts reporting the detected anomalies and
ransomware threats to your IBM Storage Insights Pro tenant.
- The IBM Storage FlashSystem system must be registered in DRS. This registration is
done in the user interface of Connection Manager.
- IBM Storage Insights Pro communicates with DRS. The health status of your IBM Storage
FlashSystem system is sent to DRS so that if IBM Storage Insights Pro stops monitoring it,
it can be made known to the users.
- IBM Storage Defender correlates the information that is received from the storage system
to Recovery Groups.



- When the IBM FCM detects an anomaly for block-level data operations, a case is opened
for the related Recovery Group.
- Depending on your notification settings, you are notified about the new case. These
notifications might include alerts that are sent to a connected SIEM.

Viewing ransomware threats in DRS


IBM Storage Insights Pro reports the ransomware threats at the volume or volume group
levels for an IBM FlashSystem system. An alert is sent and shown in DRS (Figure 2-37). DRS
uses Recovery Groups to group the related VMs. When a ransomware alert is received, DRS
correlates the volume in the alert to the data store, and opens a case for the Recovery Group
where the VM that uses the data store is. The newly opened cases can be viewed on DRS,
and a recovery plan can be activated to recover to the last copy or last best copy that is
available.

Figure 2-37 DRS showing a malware event notification message
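The correlation step described above (alert names a volume; DRS maps the volume to a data store, finds the VMs on it, and opens a case for each affected Recovery Group) as an added example. This is not IBM Storage Defender code: the page does not document the webhook payload schema, so the alert layout, the volume-to-datastore inventory, the Recovery Group membership and the one-open-case-per-group rule in CaseRegistry are all constructed assumptions for illustration.

```python
"""Correlate a forwarded ransomware alert to Recovery Groups and open cases.

Added example; not IBM Storage Defender code. The payload layout and the
inventory below are constructed to illustrate the flow the page describes.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample alert carrying the three elements the text names:
# storage system information, volume specifics, and the ransomware timestamp.
SAMPLE_ALERT = {
    "storage_system": {"name": "flashsystem-01", "serial": "EXAMPLE-SERIAL"},
    "volume": {"name": "vol_prod_ds02", "volume_group": "vg_prod"},
    "ransomware_timestamp": "2025-03-01T10:15:30Z",
}

# Constructed inventory as DRS would have learned it from vCenter and the
# storage system: volume -> datastore, datastore -> VMs, Recovery Group -> VMs.
VOLUME_TO_DATASTORE = {"vol_prod_ds01": "ds01", "vol_prod_ds02": "ds02"}
DATASTORE_TO_VMS = {"ds01": ["web-01"], "ds02": ["db-01", "app-02", "batch-03"]}
RECOVERY_GROUPS = {"rg-web": ["web-01"], "rg-db": ["db-01"], "rg-app": ["app-02"]}
# batch-03 sits on the affected datastore but belongs to no Recovery Group; it is
# reported as unprotected rather than silently dropped.


@dataclass
class Case:
    recovery_group: str
    volume: str
    datastore: str
    vms: list
    detected_at: datetime
    status: str = "open"


def parse_alert(alert: dict):
    """Extract the volume name and a timezone-aware detection time from the payload."""
    ts = datetime.strptime(alert["ransomware_timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return alert["volume"]["name"], ts.replace(tzinfo=timezone.utc)


def correlate(alert, volume_to_datastore=VOLUME_TO_DATASTORE,
              datastore_to_vms=DATASTORE_TO_VMS, recovery_groups=RECOVERY_GROUPS):
    """Return (cases, unprotected_vms) for one alert.

    One Case per Recovery Group that has a member VM on the datastore backed by
    the alerted volume; VMs on that datastore that are in no group come back separately.
    """
    volume, detected_at = parse_alert(alert)
    datastore = volume_to_datastore.get(volume)
    if datastore is None:
        return [], []  # volume unknown to DRS: nothing to correlate
    affected = set(datastore_to_vms.get(datastore, []))
    cases, covered = [], set()
    for rg_name, members in sorted(recovery_groups.items()):
        hit = sorted(affected.intersection(members))
        if hit:
            cases.append(Case(rg_name, volume, datastore, hit, detected_at))
            covered.update(hit)
    return cases, sorted(affected - covered)


class CaseRegistry:
    """Keep at most one open case per Recovery Group (assumption: a repeated alert
    for the same group updates the existing case instead of opening a second one)."""

    def __init__(self):
        self.open_cases = {}

    def handle_webhook(self, alert):
        cases, unprotected = correlate(alert)
        opened, updated = [], []
        for case in cases:
            existing = self.open_cases.get(case.recovery_group)
            if existing is None:
                self.open_cases[case.recovery_group] = case
                opened.append(case.recovery_group)
            else:
                existing.vms = sorted(set(existing.vms) | set(case.vms))
                updated.append(case.recovery_group)
        # Acknowledgement returned to the sender; per the text, Insights Pro then
        # tells the user that Defender acknowledged the alert.
        return {"acknowledged": True, "opened": opened, "updated": updated,
                "unprotected_vms": unprotected}


if __name__ == "__main__":
    registry = CaseRegistry()
    print(registry.handle_webhook(SAMPLE_ALERT))
```

Reporting the unprotected VMs is the detail worth keeping from this example: a datastore-level hit that touches a VM outside every Recovery Group has no recovery plan behind it, and that gap is easier to close before an incident than during one.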




Chapter 3. IBM Defender sensors

This section describes the IBM Defender sensors that are used for detecting threats against
live data in near real time.

This chapter describes the following topics:


- 3.1, “What do sensors do” on page 40
- 3.2, “Installing sensors” on page 43

© Copyright IBM Corp. 2025. 39


3.1 What do sensors do
IBM Storage Defender sensors are small, lightweight pieces of software that are installed into
virtual machines (VMs) to monitor for file-pattern activities that resemble ransomware threats.
Every 30 seconds, the sensor looks at Linux file-related event information to detect specific
file patterns that ransomware variants tend to use. Sensors also use a pre-built machine
learning model that trains on known ransomware variant patterns, which the sensors use to
help identify similar patterns on the host where they are installed. If malicious activity is
suspected based on these factors, a third check that uses file introspection is performed to
determine whether the suspected victim files are encrypted.

If each of these criteria is met, an event is raised to IBM Storage Defender Data Resiliency
Service (DRS) that indicates a possible malware event, and a case is opened, as shown in
Figure 3-1.

Figure 3-1 IBM Storage Defender timeline sensor event

In the details for the specific event (Figure 3-2 on page 41) both informational and actionable
information is provided, which includes the following items (in our example):
- The type of event, which in this case is a “Possible malware event” of ransomware.
- The date and time that the event was detected, which can help with pinpointing clean
copies for recovery and initial forensic analysis.
- The VM that is impacted (in this case, sts-pok-dsn-2-rhel) and its vCenter.
- The suspected malicious process: python3 ./filesEnc.py.
- The number of files that are affected (235) for this specific window of detection.
- The source (originator) of the event, in our case, an IBM Storage Defender sensor.
IBM FlashSystem related events may also be raised from IBM Storage Insights Pro.



Figure 3-2 Event details window

You can also drill down further and review detailed information for the event by clicking View
sensor logs. A sample sensor log is shown in Figure 3-3.

Figure 3-3 IBM Storage Defender sensor log details

Figure 3-3 shows additional, actionable information, such as the hostname (Fully Qualified
Domain Name (FQDN)) of the VM and the Process ID (pid), which can be used to identify and
kill the suspicious process. It also shows the user ID (uid), which an admin with appropriate
rights can use to lock out that user. Detailed logs can also be useful information for incident
responders because the absolute path names of every impacted file are also shown.



A summary of the impact is provided at the end of the log, including the total number of files
(Figure 3-4 shows the suspected malicious accesses event details). Regardless of the
number of files that are impacted, recovery happens at a volume level, and all files can be
recovered to an earlier, unimpacted state.

Note: At the time of writing, the encryption detection identifies encryption only on files that
are larger than 4 KB, so if specific files are identified as impacted, it is probable that
smaller files in the same locations are affected too.

Figure 3-4 Sensor log details (cont.)
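The third check described in 3.1, file introspection to decide whether suspected victim files are encrypted, as an added example. This is not the IBM sensor's implementation (the page does not say how the sensor inspects files); it uses Shannon entropy of the file content as a stand-in test and applies the 4 KB minimum from the note above, reporting smaller files as skipped rather than judged. The entropy threshold, the list of file types that are high-entropy by design, and all sample file contents are constructed assumptions.

```python
"""Entropy-based file introspection for the "is it encrypted?" check.

Added example, not IBM's sensor code. Shannon entropy stands in for whatever
introspection the real sensor performs; sample files are constructed in memory.
"""
import math
import random
from collections import Counter

MIN_SIZE_BYTES = 4 * 1024       # from the note: only files larger than 4 KB are inspected
ENTROPY_THRESHOLD = 7.5         # assumption: bits per byte; ciphertext sits close to 8.0
# Assumption: formats that are compressed by design look encrypted on an entropy
# test alone, so they are reported separately instead of as suspected.
COMPRESSED_SUFFIXES = (".gz", ".zip", ".jpg", ".png", ".mp4")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, min_size=MIN_SIZE_BYTES, threshold=ENTROPY_THRESHOLD):
    """Return (verdict, entropy); verdict is None when the file is too small to judge."""
    entropy = shannon_entropy(data)
    if len(data) <= min_size:
        return None, entropy
    return entropy >= threshold, entropy


def summarize(files: dict) -> dict:
    """Classify {path: content} into suspected, clean, skipped and expected_high_entropy."""
    report = {"suspected": [], "clean": [], "skipped": [], "expected_high_entropy": []}
    for path, data in sorted(files.items()):
        verdict, _ = looks_encrypted(data)
        if verdict is None:
            report["skipped"].append(path)
        elif verdict and path.lower().endswith(COMPRESSED_SUFFIXES):
            report["expected_high_entropy"].append(path)
        elif verdict:
            report["suspected"].append(path)
        else:
            report["clean"].append(path)
    report["total"] = len(files)
    return report


def _pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Seeded pseudo-random bytes stand in for ciphertext (deterministic for the test)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


# Constructed sample contents.
CIPHERTEXT_8K = _pseudo_random_bytes(8 * 1024, seed=1234)
CIPHERTEXT_1K = _pseudo_random_bytes(1024, seed=99)
PLAINTEXT_9K = b"The quick brown fox jumps over the lazy dog. " * 200

SAMPLE_FILES = {
    "/home/alice/notes.txt": PLAINTEXT_9K,        # readable text: low entropy
    "/home/alice/invoices.docx": CIPHERTEXT_8K,   # should be structured data; now random
    "/home/alice/photo.jpg": CIPHERTEXT_8K,       # high entropy is normal for JPEG
    "/home/alice/tiny.cfg": CIPHERTEXT_1K,        # under 4 KB: not judged
}

if __name__ == "__main__":
    for path, data in SAMPLE_FILES.items():
        print(path, looks_encrypted(data))
    print(summarize(SAMPLE_FILES))
```

The skipped bucket is why the note above matters operationally: an entropy test cannot tell a small random-looking file from a small encrypted one, so a summary that reports only suspected files undercounts the impact, and recovery has to be planned at the volume level regardless of that count.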

The sensors also send regular heartbeats to the DRS to indicate that both the sensors and
the dependent network connections are healthy. If a heartbeat is missed, an event is raised,
as shown in Figure 3-5.

Figure 3-5 Sensor heartbeat warning message



For any of these events, a case is opened so that actions can be reviewed and communicated
between team members and teams. For example, after an event is analyzed by an admin or
responder, information from the event is reviewed, and the cause can be addressed or
confirmed. After the appropriate remediation is taken to resolve the issue, the case can be
closed. When a case is closed, the corresponding event messages are cleared, as shown in
Figure 3-5 on page 42. However, past events can still be viewed from the Detection window,
as shown in Figure 3-6.

Figure 3-6 Recovery Group detection window

After closing the case, the DRS dashboard continues to allow access to historical events. You
may search on previous threat events and drill down to review the details of those events.

3.2 Installing sensors


This section explains how to install an IBM Storage Defender sensor on one or more systems
by using either the GUI or command-line interface (CLI). These sensors monitor the systems
on which they are installed, enabling real-time detection of cyberthreats, such as ransomware
attacks. There are two ways to deploy the sensors:
- Automatically from the Connection Manager by using the built-in facilities
- Through Ansible automation and deploying your own sensor control node

This section shows how to deploy a sensor control node outside of the IBM Storage Defender
Connection Manager.

3.2.1 Installing the sensor control software


Download the IBM Storage Defender sensor control software by completing the following
steps:
1. Log in to the system that you want to use as a sensor control node.
2. From that system, log in to a Connection Manager instance.
3. On the home page of the Connection Manager, click Connections.



4. Click Sensor control nodes.
5. Click Download package.

Install the sensor control software on the sensor control node by completing the following
steps:
1. Log in to the system that you want to use as a sensor control node.
2. Copy the sensor download package to a working directory.
3. Unpack the compressed software package that you downloaded.
4. In the newly created directory, run the setup.sh shell script.

The script requires the following input values. Use unique names for each entity in the
environment:
- Hostname: The FQDN of the Connection Manager.
- Username: Define a username that is used to register the IBM Storage Defender sensors
that are installed on VMs for this sensor control node.
- Password: Define a password that is related to the username.
- Vault password: The username and password that were defined are stored and
encrypted in a local Ansible vault. This password protects access to the vault.

3.2.2 Adding a sensor control node


To add a sensor control node to the Connection Manager, complete the following steps:
1. Log in to the Connection Manager instance.
2. On the home page of the Connection Manager, click Connections.
3. Click Sensor control nodes.
4. Click Add control node. This action opens a dialog box.
5. In the dialog box, enter the FQDN of the sensor control node.
6. Click Next.
7. Enter the username that was provided when you installed the sensor control software on
the sensor control node.

Note: Multiple sensor control nodes can use the same username and password for sensor
installation or registration. In this case, only one control node must be added. If you
attempt to add more than one control node by using the same username, the following
error occurs in the GUI:
Error getting source native ID: Username already in use. Select a different
username.

8. Enter the password of the user.


9. Click Add.
Now, you see the registered sensor control node in the GUI.



3.2.3 Removing a sensor control node
To remove a sensor control node from the Connection Manager, complete the following steps:
1. Log in to the Connection Manager instance.
2. On the home page of the Connection Manager, select Connections → Sensor control
nodes.
3. In the table that lists all the sensor control nodes, scroll to the relevant sensor control
node.
4. In the row of the sensor control node, click the overflow menu (Figure 3-7), and then click
Remove. This action opens a dialog box.

Figure 3-7 Overflow menu location

5. In the dialog box, click Remove to confirm that you want to remove the sensor control
node from the Connection Manager.

3.2.4 Installing an IBM Storage Defender sensor by using the GUI


You can install the sensor on one or multiple systems directly through the IBM Storage
Defender GUI.

Before you begin, consider the following items:


- Review the system requirements.
- The procedure that is described in this topic covers adding a sensor to a server by using
the Connection Manager embedded sensor control node feature.

To install an IBM Storage Defender sensor on one or more systems, complete the following
steps:
1. Log in to IBM Storage Defender.
2. Click the hamburger menu (three horizontal lines) in the upper left of the window.
3. Select Data Resiliency → Recovery Groups.
4. From the list of Recovery Groups, select the row for the Recovery Group that you want to
install the sensor on.



5. In the Overview window, find the Defender sensors tile and click Get started (see
Figure 3-8).

Figure 3-8 Defender sensors tile

Note: If you previously installed sensors, you see the Manage button on the Defender
sensors tile.

6. In the Manage sensors window, select one or more VMs by checking the corresponding
boxes.
7. Click Add sensor + in the title bar.
8. Enter either the username and password or the SSH key for the VM.

Note: All the selected VMs must have the same login credentials.

9. Select Add Sensor to submit the installation request.


10. The selected VMs display the status “Installing” until the installation is complete.

Note: Monitor the Notification menu to check for completed or failed notifications for each
sensor. If the status is TIMEOUT, the installation request was accepted but did not receive a
response for 15 minutes. For the FAILED status, check the detailed error message in the
notification.

After the installation completes, the sensor automatically begins monitoring file access
activity on the system. If it detects any unusual access patterns, such as patterns that are
associated with ransomware attacks, the sensor generates an alert. This alert is sent to the
on-premises Connection Manager, which securely forwards it to the DRS. The sensor also
periodically sends heartbeat messages through the Connection Manager to confirm that it is
operating normally.

3.2.5 Installing an IBM Storage Defender sensor by using the CLI


You can install an IBM Storage Defender sensor on one or multiple systems by using the GUI
or CLI. The sensors observe the systems that they are installed on and can detect
cyberattacks like ransomware attacks in real time.

To install an IBM Storage Defender sensor on one or more systems, complete the following
steps:
1. Log in to the system that is being used as the sensor control node.
2. Go to the working directory where the sensor control software is installed.



Note: This directory is the one that you specified when downloading and installing the
sensor control software.

3. Create an inventory file containing the FQDNs of all the systems that you want to install
the sensor on.
4. Modify the /etc/ansible/hosts file to include the FQDNs of the target systems.

Note: You can use a different file for the sensor inventory list. If so, use the -i
/your-directory/your-file argument in step 5.

5. Add the FQDNs for the sensor hosts to the hosts file. Under the [defender_sensor_hosts]
tag, list the FQDN of each system, one per line.

Tip: If you use a YAML inventory file, extend it with a defender_sensor_hosts group.

Example 3-1 Ansible hosts file configuration


# INI inventory format
[defender_sensor_hosts]
<FQDN1>
<FQDN2>
<FQDN3>

[defender_sensor_hosts:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
ansible_connection=ssh
ansible_ssh_pass=<ssh password>
ansible_ssh_user=<ssh username>

# Equivalent YAML inventory format (indentation is significant)
all:
  vars:
    ansible_connection: ssh
    ansible_ssh_user: <ssh username>
    ansible_ssh_pass: <ssh password>
    ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
  children:
    defender_sensor_hosts:
      hosts:
        <FQDN1>:
        <FQDN2>:
        <FQDN3>:

6. Run the Ansible playbook command in Example 3-2 to begin the installation.

Example 3-2 Ansible playbook install command


ansible-playbook sensor_install.yml --ask-vault-pass [-i <path_to_alternative_inventory_file>]

7. When prompted, enter the vault password that you created during the installation of the
sensor control node software.

Note: To avoid saving passwords in the hosts file, use the arguments --ask-pass
--ask-become-pass to provide the SSH and sudo passwords during the playbook run time.
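The inventory preparation in steps 3 to 5 above, as an added example that is not part of the IBM sensor control package. It renders the [defender_sensor_hosts] group from Example 3-1, refuses the host entries that the GUI also refuses for sensor operations (hosts without an FQDN, localhost, duplicates), and leaves ansible_ssh_pass out of the file so the SSH and sudo passwords can be supplied with --ask-pass and --ask-become-pass as the note above suggests. The candidate host list is constructed; the hostname rules are an assumption based on RFC 1123 label syntax, and treating localhost.localdomain like localhost is likewise an assumption.

```python
"""Build a validated Ansible inventory for sensor_install.yml.

Added example; not part of the IBM sensor control software. Host list and
hostname rules are constructed assumptions for illustration.
"""
import re
import tempfile
from pathlib import Path

GROUP = "defender_sensor_hosts"
# One DNS label: 1-63 characters, alphanumerics or hyphen, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True when name has at least two valid labels (host.domain) and a sane length."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def validate_hosts(candidates):
    """Return (accepted, rejected): accepted is an ordered, de-duplicated list of
    lowercase FQDNs; rejected maps each refused input to the reason."""
    accepted, rejected, seen = [], {}, set()
    for raw in candidates:
        host = raw.strip().lower()
        if not host:
            continue
        if host == "localhost" or host.startswith("localhost."):
            rejected[raw] = "localhost is not a usable sensor host"
        elif not is_fqdn(host):
            rejected[raw] = "not a fully qualified domain name"
        elif host in seen:
            rejected[raw] = "duplicate of an earlier entry"
        else:
            seen.add(host)
            accepted.append(host)
    return accepted, rejected


def render_inventory(hosts, ssh_user: str) -> str:
    """Render the INI inventory. No ansible_ssh_pass is written: supply it at run time."""
    lines = [f"[{GROUP}]", *hosts, "", f"[{GROUP}:vars]",
             "ansible_connection=ssh", f"ansible_ssh_user={ssh_user}"]
    return "\n".join(lines) + "\n"


def write_inventory(path, hosts, ssh_user):
    """Write the inventory with owner-only permissions and return the path."""
    path = Path(path)
    path.write_text(render_inventory(hosts, ssh_user))
    path.chmod(0o600)
    return path


# Constructed candidate list mixing valid hosts with the cases that must be refused.
SAMPLE_CANDIDATES = [
    "vm01.example.com",
    "VM01.example.com",        # same host, different case: duplicate
    "localhost",
    "localhost.localdomain",   # assumption: treated like localhost
    "vm02",                    # short name, no domain part
    "vm02.example.com",
    "bad-.example.com",        # label ends with a hyphen
]

if __name__ == "__main__":
    accepted, rejected = validate_hosts(SAMPLE_CANDIDATES)
    out = write_inventory(Path(tempfile.mkdtemp()) / "hosts", accepted, "svc-defender")
    print(out.read_text())
    for raw, reason in rejected.items():
        print(f"rejected {raw!r}: {reason}")
```

With the generated file, the run from step 6 becomes `ansible-playbook sensor_install.yml --ask-vault-pass --ask-pass --ask-become-pass -i /path/to/hosts`; the rejected list is worth reviewing before the run, because a duplicate or localhost entry that slips through is exactly the case the GUI path would have refused.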



After installation, the sensor automatically monitors file access activities on the system. If any
unusual access patterns resembling ransomware attacks are detected, the sensor sends
alert messages to the on-premises Connection Manager, which forwards these alerts
securely to the DRS. The sensor also sends periodic heartbeat messages to the DRS
through the Connection Manager, indicating normal operation.

3.2.6 Uninstalling an IBM Storage Defender sensor by using the GUI


To uninstall an IBM Storage Defender sensor from one or more systems by using the GUI,
complete the following steps:
1. Log in to IBM Storage Defender and access the IBM Storage Defender dashboard.
2. Go to the Recovery Group:
a. Click the hamburger menu (three horizontal lines) in the upper left of the page.
b. Select Data Resiliency → Recovery Groups.
c. From the list of Recovery Groups, click the row corresponding to the Recovery Group
where you want to uninstall sensors.
3. Manage sensors:
a. In the Recovery Group's Overview dashboard, find the Defender Sensors tile and click
Manage.
b. Select the VMs from which you want to uninstall the sensor by checking the
appropriate boxes.

Note: The Connection Manager uses FQDNs to perform sensor installation and
uninstallation. You cannot select the following VMs for sensor uninstallation:
- VMs without an FQDN
- VMs that use localhost as the FQDN
- VMs with duplicate FQDNs

Any changes to VM network configurations are reflected in the GUI after the next inventory
scan, which occurs automatically every hour or can be manually triggered.

4. Uninstall the sensor:


a. Click Remove Sensor in the title bar.
b. Enter either the username and password, or the SSH key for the VMs.
c. Click Remove Sensor to submit the uninstallation request.

Note: All selected VMs must share login credentials.

5. Monitor the process:


a. The statuses of the selected VMs change to Uninstalling.
b. You can monitor the Notification menu for updates about the success or failure of each
sensor uninstallation.



Tip: If the status shows TIMEOUT, the request was accepted but did not receive a
response for 15 minutes. For a FAILED status, check the detailed error message in the
notification.

Important: If you are trying to uninstall a sensor that is associated with a Connection
Manager that was destroyed or improperly backed up and restored during a Connection
Manager OVA upgrade, the uninstallation fails. For troubleshooting, see Resolving an IBM
Storage Defender sensor uninstallation failure.

After the uninstallation completes, the IBM Storage Defender sensor service is removed from
the selected VMs.

3.2.7 Uninstalling an IBM Storage Defender sensor by using the CLI


You can uninstall an IBM Storage Defender sensor from one or more systems by using either
the GUI or CLI. To proceed with the CLI method, complete the following steps:
1. Log in to the sensor control node: Access the system you are using as the sensor control
node.
2. Create an inventory file listing the FQDNs or IP addresses of all systems from which you
want to uninstall the sensor.
3. Modify the /etc/ansible/hosts file to include the FQDN or IP address of each target
system.

Note: You can use a different file for the sensor inventory list. If so, use the -i
/your-directory/your-file argument in step 4.

4. Add the FQDN or IP address of all systems that you want to equip. Add one per line under
the tag [defender_sensor_hosts].
5. Run the Ansible playbook command that is shown in Example 3-3.

Example 3-3 Ansible playbook uninstall command


ansible-playbook sensor_uninstall.yml --ask-vault-pass [-i <path_to_alternative_inventory_file>]

6. Enter the Ansible vault password.

After the playbook runs, the sensor is removed from the host.



3.2.8 Requirements for IBM Storage Defender sensors
Before proceeding with the installation and registration of the IBM Storage Defender sensor,
ensure that your system meets the following requirements in terms of supported operating
systems and necessary software packages:
- Supported operating systems:
– Red Hat Enterprise Linux Server 9 required packages:
• bash
• Kernel 5.9 or later
• libgomp
• python3
– SUSE Linux Enterprise Server 15 SP5 required packages:
• bash
• Kernel 5.9 or later
• libgomp1
• python311

Note: To install python311, the Python3 module must be enabled. For details on enabling
modules, refer to the SUSE Linux Enterprise Server documentation.

– Ubuntu 24.04 LTS required packages:
• bash
• libgomp1
• linux-image-generic 5.9 or later
• python3
- Supported file systems:
– XFS
– EXT4




Chapter 4. Daily administration, alerting, testing, and validation

This chapter provides an overview about how to bring together the elements for daily
administration and test your recovery points.

This chapter describes the following topics:


- 4.1, “IBM Storage Defender DRS dashboard” on page 52
- 4.2, “User management profiles” on page 57
- 4.3, “Integrations for alerting” on page 57
- 4.4, “Recovery testing and validation” on page 58
- 4.5, “Activating the recovery plan” on page 62



4.1 IBM Storage Defender DRS dashboard
For daily administration and statuses at a glance, the IBM Storage Defender Data Resiliency
Service (DRS) provides a dashboard landing area. This area gives an at-a-glance perspective of
the overall environment, including urgent issues, the Connection Managers, open cases,
Recovery Group status, and other information.

Figure 4-1 shows a view of the DRS dashboard.

Figure 4-1 DRS Dashboard overview page

This dashboard contains several elements that enable users to view more information and
context. These capabilities include the following items:
- Resiliency Monitoring through IBM Storage Defender Connection Managers.
- Actions that can be performed, which include open cases, assigned actions, required
updates, and other issues.
- Recovery Groups statuses.
- Governance Profiles statuses.
- Recovery Posture status.

4.1.1 Resiliency Monitoring in the dashboard


The DRS Dashboard provides an at-a-glance view of Resiliency Monitoring (Figure 4-2 on
page 53), which highlights the status of the Connection Managers and any open cases.



Figure 4-2 Resiliency Monitoring Dashboard window

With this dashboard, you can see the locations and their states or statuses, and drill in on
the managed Connection Managers. You can use the View All link to see the Connection
Managers tab of the Resources window. This window highlights the Connection Managers,
their states, their types, hostnames, versions, and whether updates are required, as shown in
Figure 4-3.

Figure 4-3 DRS Monitoring Resources overview window

Figure 4-4 shows the actions that you can take, such as open cases, assigned actions,
required updates, and others.

Figure 4-4 Actions summary window



Figure 4-5 shows the view that is available when you click the Actions menu. From here, you
can see a deeper view of the actions to review recommendations and resolve issues, see
pending actions, or view the history.

Figure 4-5 Actions window history details

4.1.2 Recovery Group status


The Recovery Group pie chart (Figure 4-6) shows a summarized view of tenant Recovery
Groups, indicating the percentage of Recovery Groups that are ready, in draft, not compliant,
or have an open case or a threat that is recorded on them that must be addressed.

Figure 4-6 Recovery Group pie chart on DRS dashboard

If you select Recovery Groups on the left of the dashboard, you see the Recovery Group list
(Figure 4-7 on page 55), where you can drill down on any Recovery Group or create one.



Figure 4-7 Recovery Group list

4.1.3 Governance profile status

This pie chart (Figure 4-8) highlights the number of Governance profiles and what percentage
of them were assigned to a Recovery Group. These Governance profiles help users follow
internal or regulatory compliance that is mandated around retention, frequency, and testing
frequency of copies of data.

Figure 4-8 Governance profile pie chart on DRS dashboard



You can create and modify your existing Governance and Clean Room profiles within the
Profiles tab (Figure 4-9).

Figure 4-9 Profiles tab on DRS

4.1.4 Recovery posture

The recovery posture graphic (Figure 4-10) helps you quickly understand your recovery
posture. The Y axis shows Secondary and Primary, which refer to auxiliary storage (for
example, backups in IBM Storage Defender Data Protect) and primary storage (for example,
an IBM FlashSystem system). The X axis shows the copy frequency, that is, how often your
system creates copies. Together, the two axes show the copy frequency policies that are in
effect in your environment for both primary and secondary copies.

Figure 4-10 Recovery posture graphic in DRS dashboard

You can gather more information about your available resources, available copies,
connections, and Connection Managers by clicking the Resources tab (Figure 4-11 on
page 57) and then clicking Resources in the left pane of the GUI.



Figure 4-11 Resources tab on DRS

4.2 User management profiles

In the All Resources tab in DRS (Figure 4-12), administrators can view the list of users who
are authorized to use the solution. They can also manage user access: add users, assign
authority permissions, and modify or remove existing users.

Figure 4-12 User management in DRS

4.3 Integrations for alerting

You can integrate DRS with the SIEM solutions IBM QRadar and Splunk to improve your
security posture while also bridging the storage and security silos that sometimes exist in
enterprise storage landscapes.

For more information, see the following resources:

• QRadar
• Splunk



Figure 4-13 shows the Integrations tab in the DRS dashboard.

Figure 4-13 Integrations tab in DRS

4.4 Recovery testing and validation

You can use DRS to test and validate recovery points for a Recovery Group. You can test
recovery points for a Recovery Group only when the status of the group is Ready. Ready
means that the Recovery Group is complete: it has an assigned Governance plan, a defined
Clean Room, and one or more recovery points.

Figure 4-14 shows the Recovery Group status of Ready and the details of Governance for the
policy.

Figure 4-14 Recovery Group details

Testing recovery points for a Recovery Group establishes the recovery plan. This plan is used
in response to a cyberevent. From the recovery points of the selected Recovery Group, you
can choose a recovery point that is required for testing. To select a recovery point, go to
Recovery Group details, and from the Protection menu, you see all recovery points
(Figure 4-15 on page 59).



Figure 4-15 Recovery points details

You can use these recovery points to test or activate a recovery plan. Figure 4-16 shows the
options that you can select for each recovery point.

Figure 4-16 Recovery point details

Click Test recovery point to test a recovery of the virtual machines (VMs) that belong to the
Recovery Group. These VMs are recovered by using the information that is stored in the
Clean Room profile that is associated with the Recovery Group. Depending on the
configuration of the Clean Room profile, the VMs either start and connect to the defined
network or they do not. When the test recovery finishes successfully, the status of the
recovery point is updated from “Recovery in progress” to “Awaiting validation”, as shown in
Figure 4-17.

Figure 4-17 Recovery point status window



After the recovery point is recovered to the Clean Room and ready for validation, a blue box
appears across the top of the page with a link to confirm that the validation passed or failed
testing, as shown in Figure 4-18.

Figure 4-18 Test-only confirmation dialog

Figure 4-19 highlights the ability to validate the recovery point after the Recovery Group is
restored to the Clean Room. You record why the recovery was started, either as a "Test Only"
action or as part of a Recovery Plan that resulted from a cyberincident, and then mark the
recovery point as valid or not valid.

Figure 4-19 Validate recovery dialog

Figure 4-20 on page 61 shows the dialog in which you confirm the results of the recovery to
the Clean Room.



Figure 4-20 Confirm recovery results dialog

After you determine whether the recovery point is valid, you can mark it as Valid or Not Valid.
As part of the validation process, the recovery points are kept in the history of the Recovery
Group until their policies expire them from the inventory of their supporting services.

Depending on the decision that you make, the status of the recovery point is updated from
“Awaiting validation” to “Validated” or “Not valid”.

Figure 4-21 shows the different categorizations of a recovery point.

Figure 4-21 Validation status window with invalid recovery points



After the recovery test data is verified, if the cleanup option is selected in the test results
window, as shown in Figure 4-22, the data is confirmed as validated and the system cleans up
the VM data that was restored as part of the validation test. If the cleanup option is not
selected, the VMs remain in the Clean Room and can be removed manually later.

Figure 4-22 Validation and cleanup notification messages
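The readiness rule and the recovery-point status transitions that section 4.4 describes (a group must be Ready before a test, a tested point moves from “Recovery in progress” to “Awaiting validation”, validation marks it “Validated” or “Not valid”, and the cleanup option decides whether the test VMs stay in the Clean Room) are shown below as a small Python model. This is an added illustration written for this page, not DRS product code or its API: the class names, the "Available" status for an untested point, and the "Draft" status for an incomplete group are assumptions chosen to mirror the GUI terms.

```python
"""Illustrative model of the DRS recovery-point test-and-validate workflow.

Added example, not the DRS product API. Names are assumptions that mirror the
GUI terms in section 4.4 (Ready, Recovery in progress, Awaiting validation,
Validated, Not valid); the "Available" and "Draft" labels are simplifications.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class PointStatus(str, Enum):
    AVAILABLE = "Available"                  # assumed label for an untested point
    IN_PROGRESS = "Recovery in progress"
    AWAITING = "Awaiting validation"
    VALIDATED = "Validated"
    NOT_VALID = "Not valid"


@dataclass
class RecoveryPoint:
    point_id: str
    status: PointStatus = PointStatus.AVAILABLE
    vms_in_clean_room: bool = False          # True while test VMs still exist in the Clean Room


@dataclass
class RecoveryGroup:
    name: str
    governance_profile: Optional[str] = None
    clean_room_profile: Optional[str] = None
    recovery_points: List[RecoveryPoint] = field(default_factory=list)
    history: List[Tuple[str, str, str]] = field(default_factory=list)

    def status(self) -> str:
        """Ready requires a Governance profile, a Clean Room profile and >= 1 recovery point.
        Anything else is reported as Draft (simplified: the real dashboard also has
        not-compliant and open-case states)."""
        if self.governance_profile and self.clean_room_profile and self.recovery_points:
            return "Ready"
        return "Draft"

    def _point(self, point_id: str) -> RecoveryPoint:
        for rp in self.recovery_points:
            if rp.point_id == point_id:
                return rp
        raise KeyError(f"no recovery point {point_id!r} in group {self.name!r}")

    def test_recovery_point(self, point_id: str) -> RecoveryPoint:
        """Recover the group's VMs into the Clean Room; allowed only when the group is Ready."""
        if self.status() != "Ready":
            raise RuntimeError(f"group {self.name!r} is {self.status()}, not Ready")
        rp = self._point(point_id)
        rp.status = PointStatus.IN_PROGRESS
        # The simulated test recovery completes successfully: VMs now exist in the Clean Room
        rp.vms_in_clean_room = True
        rp.status = PointStatus.AWAITING
        return rp

    def validate(self, point_id: str, valid: bool, cleanup: bool,
                 test_only: bool = True) -> RecoveryPoint:
        """Mark an awaiting point Validated / Not valid, record the reason, optionally clean up."""
        rp = self._point(point_id)
        if rp.status != PointStatus.AWAITING:
            raise RuntimeError(f"point {point_id!r} is {rp.status.value}, not awaiting validation")
        rp.status = PointStatus.VALIDATED if valid else PointStatus.NOT_VALID
        if cleanup:
            rp.vms_in_clean_room = False     # system removes the restored test VMs
        reason = "Test Only" if test_only else "Recovery Plan"
        self.history.append((point_id, reason, rp.status.value))
        return rp


def ready_group() -> RecoveryGroup:
    """Constructed sample: a complete group with one untested recovery point."""
    return RecoveryGroup(
        name="payroll-vms",
        governance_profile="quarterly-test-30d-retention",
        clean_room_profile="isolated-clean-room",
        recovery_points=[RecoveryPoint("rp-1")],
    )


if __name__ == "__main__":
    group = ready_group()
    print(group.name, "is", group.status())
    print("after test:", group.test_recovery_point("rp-1").status.value)
    print("after validation:", group.validate("rp-1", valid=True, cleanup=True).status.value)
    print("history:", group.history)
```

The two guard checks are the part worth keeping in any tooling you build around the GUI workflow: refusing a test on a group that is not Ready, and refusing to validate a point that is not awaiting validation, so the history shows only transitions the product itself allows.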

4.5 Activating the recovery plan

The Recovery Group option Activate recovery plan initiates the recovery of the resources that
are associated with a Recovery Group. This option uses an existing and valid recovery point
to recover your application after a cyberattack or disaster.

In contrast to the manual recovery test, the activate recovery plan process provides the
flexibility to specify a new Clean Room profile for the recovery point. With this option, you can
use a dedicated recovery environment to test the recovery point again and prepare a
recovery point for a downstream promotion into your production environment.

Figure 4-23 shows the Activate recovery plan options where you select the required recovery
plan.

Figure 4-23 Activate recovery plan window



Now, specify a Clean Room profile (Figure 4-24). After you review the profile settings
(Figure 4-25), click Done and wait for the recovery to complete.

Figure 4-24 Activate recovery plan: Clean Room profile

Figure 4-25 Activate recovery plan



Once confirmed, the Recovery in Progress window in the Recovery Group’s Overview
window shows the progress, as shown in Figure 4-26 and Figure 4-27.

Figure 4-26 Recovery progress information in the Recovery Group Overview window: Example 1

Figure 4-27 Recovery progress information in the Recovery Group Overview window: Example 2

From here, once the recovery process is completed, you may access the VMs that were
recovered to the Clean Room environment and return them to production as needed.



Abbreviations and acronyms

ACL access control list
DR disaster recovery
DRS Data Resiliency Service
FCM IBM FlashCore Module
FQDN Fully Qualified Domain Name
IBM International Business Machines Corporation
IOP I/O operation
ML machine language
PLG Product-Led Growth
SaaS Software as a Service
SecOps security operations
SME subject matter expert
STSM Senior Technical Staff Member
VDisk virtual disk
VM virtual machine

© Copyright IBM Corp. 2025. 65


Back cover

REDP-5744-00

ISBN 0738462020

Printed in U.S.A.

ibm.com/redbooks
