IBM Spectrum Sentinel: Automated Response and Recovery for Safeguarded Copy Snapshots

IBM’s recent announcement of IBM Spectrum Sentinel extends the company’s cyber resilience storage portfolio to include recovery of IBM Safeguarded Copy snapshots, complementing existing solutions such as Predatar (focused on back-up data) and IBM CyberVault blueprint (threat detection and snapshot recovery centered around Safeguarded Copy with IBM FlashSystem). The solution is an easy-to-deploy appliance that provides application-specific recovery within minutes in the event of a cyberattack. The first release will support EPIC healthcare software. IBM plans future releases that will add support for other applications such as SAP HANA, Oracle, VMware and SQL Server.


IBM’s portfolio of cyber resilience solutions dovetails nicely with the NIST Cybersecurity Framework, offering customers a solution or solutions for each facet of the framework, rather than focusing exclusively on one or two aspects of cyber resilience.

Identify – The IBM Cyber Resilience Assessment enables IT professionals to identify vulnerabilities in an organization’s current data protection strategy, and provides a roadmap of recommendations to bridge any security gaps.

Protect – IBM Safeguarded Copy (now available on IBM FlashSystem) provides back-up copies in the event of corruption or destruction of primary data, and IBM Spectrum Protect provides data protection for physical file servers, applications and virtual environments.

Detect – IBM QRadar and Guardium encrypt, monitor and store compliance and security data, while IBM’s broad range of security software analyzes and detects security threats.

Respond/Recover – IBM offers several solutions that provide rapid response and recovery through “air-gapping.” IBM Safeguarded Copy offers logical air-gapping, which entails a physical connection but logical isolation from the network, while IBM Spectrum Archive and Tape provide physical air-gapping. IBM Spectrum Sentinel and IBM CyberVault provide the highest level of air-gapping, operational air-gapping, where unsecured networks have both a physical and logical separation from the production environment, further reducing the attack surface.

IBM Spectrum Sentinel – A Closer Look

Let’s look at IBM Spectrum Sentinel in more detail.

IBM reports that businesses experience an average of 25 or more days of downtime in the event of a cyberattack – and in roughly 60% of these cases, the business shuts down within 6 months.

IBM Spectrum Sentinel works with IBM Spectrum Virtualize and IBM Spectrum Copy Data Management not only to protect data from malicious attacks but also to enable a quick and accurate recovery in the event of an attack. With isolated and immutable snapshots and automated ransomware detection, data is protected on an ongoing basis, and safe recovery point identification automates retrieval of data for recovery within minutes.

How does IBM Spectrum Sentinel work? First, the solution takes an application-consistent Safeguarded Copy snapshot (in the first release this will be of an EPIC data volume group). The Safeguarded Copy snapshot is then presented to the Spectrum Sentinel anomaly scan server. The Spectrum Sentinel anomaly scan engine scans the Safeguarded Copy snapshot looking for abnormalities. In the event of data corruption, it will scan and analyze Safeguarded Copy snapshots to identify a clean copy and manage the application’s return to a safe version.

Summary Observations

The addition of IBM Spectrum Sentinel enhances IBM’s arsenal of cyber security and cyber resilience solutions with application-specific, automated data protection and recovery, providing customers with a broad and comprehensive range of options across the board. With EPIC healthcare software support in its initial release, IBM addresses cyber resilience in a particularly vulnerable and security-sensitive market.