The question of ‘can I recover?’ in the event of a cyber attack, such as ransomware, is top of mind for many CIOs and IT executives. All too frequently, they see industry peers and organizations of all sizes across public and private sectors in the news as victims of the most recent attack. In order to differentiate, many organizations are taking a data-driven approach, but they must recognize that this also increases the impact of a cyber attack to their regular business operations.
Executives need to review their recovery strategy and determine whether they have the technology, processes and skills to recover from these attacks which often destroy data and bring normal business operations to a halt. The pressure is on to take immediate action to protect their business. The onus of cyber resiliency does not lie only with the CISO/InfoSec organization, rather it is a shared responsibility across the entire organization, and everyone has a part.
Dell Technologies Services is seeing this major concern with our customers.
Utilize Purpose-Built Technology
To enable recovery from destructive cyber attacks, organizations need to utilize technology purpose-built to support this effort. When evaluating technology options, organizations must keep in mind that recovering from these kinds of attacks is inherently different from the challenge of a localized site failure that drove the design of widely adopted disaster recovery solutions.
While these solutions are good for their intended purpose, they do not offer additional hardening and isolation features which better protect data and enable recovery from cyber attacks. In addition, traditional perimeter defenses have proven to not be enough with the proliferation of connected devices which drastically increased the attack surface of an organization.
Technology to support recovering from evolving cyber threats should be highly automated and should create an effective data vault by:
- Air-gapping the vault, which separates data from the primary backup environment, further isolating it from highly connected networks which can be targeted by a cyber attack. Many modern attacks are designed and executed to impact as many connected systems as possible, with highly connected backup systems as a key target to reduce the victim’s chance of recovery. By limiting connectivity to production networks, data in the vault is less likely to be impacted by an attack and is ready for recovery.
- Creating strong retention lock policies utilizing immutable copies and WORM to lock down data, making it unable to be changed and invalid after a predetermined timeframe. If an attack occurs, the rebuild can proceed from the vaulted, immutable copies with the knowledge that files have not been altered.
- Continuously analyzing data for indicators of compromise utilizing purpose-built forensic tools. The inclusion of machine learning (ML) in these tools can increase the likelihood that compromised data is quickly and accurately identified. Many attacks have shown increasing dwell time before the attack is launched, so IT teams may not be aware of its presence. This gives an advantage to those able to scan data in the vault for early indicators of compromise and possibly catch an attack before it is fully launched.
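As an added illustration of the retention-lock and integrity-check behaviour described above (example code written for this page, not any vendor's product code), the toy vault below refuses deletes while a copy's lock is active, verifies each copy against the digest recorded at ingest, and selects the newest intact copy for a rebuild. The file names, contents and dates are constructed sample data.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

@dataclass(frozen=True)  # frozen: a copy cannot be altered in place once written
class VaultCopy:
    name: str
    taken_at: datetime
    content: bytes
    sha256: str             # digest recorded at ingest time
    locked_until: datetime  # retention lock expiry (WORM semantics)

def ingest(name: str, content: bytes, taken_at: datetime, retention_days: int) -> VaultCopy:
    """Write a copy into the vault and apply a retention lock of retention_days."""
    digest = hashlib.sha256(content).hexdigest()
    return VaultCopy(name, taken_at, content, digest, taken_at + timedelta(days=retention_days))

def delete_permitted(copy: VaultCopy, now: datetime) -> bool:
    """Delete/overwrite is refused until the lock expires, whoever asks (even an admin)."""
    return now >= copy.locked_until

def integrity_ok(copy: VaultCopy) -> bool:
    """Recompute the digest; a mismatch means the copy changed after ingest."""
    return hashlib.sha256(copy.content).hexdigest() == copy.sha256

def newest_clean_copy(copies: list[VaultCopy], now: datetime) -> VaultCopy | None:
    """The copy a rebuild restores from: the newest one still locked and verified intact."""
    good = [c for c in copies if now < c.locked_until and integrity_ok(c)]
    return max(good, key=lambda c: c.taken_at, default=None)

def demo() -> dict:
    """Constructed sample: two daily copies; the newer one is then overwritten by an attack."""
    t0 = datetime(2024, 1, 1)
    day1 = ingest("db-2024-01-01", b"customers,orders,invoices", t0, 30)
    day2 = ingest("db-2024-01-02", b"customers,orders,invoices,ledger", t0 + timedelta(days=1), 30)
    tampered = replace(day2, content=b"\x00ENCRYPTED\x00")  # new content, old recorded digest
    now = t0 + timedelta(days=5)
    chosen = newest_clean_copy([day1, tampered], now)
    return {
        "delete_refused": not delete_permitted(day1, now),
        "tampered_verifies": integrity_ok(tampered),
        "restore_from": chosen.name if chosen else None,
        "delete_after_expiry": delete_permitted(day1, t0 + timedelta(days=31)),
    }
```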
Tightly Align the Recovery Strategy with Business Priorities
For recovery planning, it’s strongly recommended to align with a known cybersecurity or industry-specific framework. This helps ensure the strategy has accounted for all necessary controls, is in line with any compliance goals specific to the organization, and balances security investments across a broader set of capabilities, increasing the probability of recovering from a cyber attack. The NIST Cybersecurity Framework is one that’s been chosen by many organizations because of its holistic view and in-depth recommendations across the functional pillars of Identify, Protect, Detect, Respond and Recover. Each of these focuses on a key aspect of a cybersecurity strategy and recommends continuous evaluation and improvement of these programs.
To further enable recovery success, runbooks must be developed, documented and continuously tested. This is critical in ensuring that if the organization is impacted by an attack, they have their own step-by-step guide to successfully recover. These runbooks must be designed to be repeatable and integrated with incident response plans to ensure restoration of the most critical business processes first. Repeatability and scale are key, as they are a factor in conducting regular testing against the runbook in both tabletop and live exercises, simulating several scenarios and ensuring that teams work together against the defined steps. Through the documented, repeatable and tested runbook, organizations will further mature their recovery processes and know that if tasked with a real recovery effort, they can follow a familiar guide.
IT Staff are Prepared with the Latest Skills
Another critical aspect in increasing confidence in recovery efforts is to have an IT team who have hands-on experience and are well versed in the skills necessary to recover. Due to the sensitivity of the data being protected, it’s recommended to tightly restrict access to the cyber recovery infrastructure to a handful of trusted team members. To ensure they are ready to operate the processes and procedures in the runbook, organizations should focus on three areas:
- Having recovery teams regularly test cyber recovery plans to build their skills and confidence that the technology and processes in place enable their success. By conducting regular testing, teams become more familiar with the process, building a foundation of hands-on experience which can be called upon in an actual recovery scenario. Their experience testing recovery processes is also a critical step in maturing the recovery strategy, by adding lessons learned to the documented steps for recovery and further refining processes.
- Continuing education programs for IT staff are paramount in ensuring they are not only familiar with the recovery practices of their organization, but also aware of the latest technology advancements in recovery operations, new procedures and tactics, and up to speed on the latest industry recommendations and certifications.
- Having executive-level support of the recovery programs and staff helps organizations increase their cyber resilience, with teams knowing that these programs are a long-term strategic imperative for the organization and represent a critical capability in protecting the business. The continued success of the team is of the utmost importance to executive teams looking to reduce risk.
An organization’s increasing reliance on data and the proliferation of connected devices on its networks have contributed to a reality in which it’s no longer a matter of “if” an attack will strike, but “when.” Organizations must prepare by employing a recovery strategy as a ‘last line of defense’ utilizing hardened, automated technology combined with a business-focused strategy which is continuously tested and improved. This last line of defense is a key proactive measure that organizations need to take to protect their business and reduce the risk of significant business downtime as a result of a cyber attack.
Dell Technologies Services covers the three keys to increase confidence in cyber recovery, featuring Forrester Research that outlines the four technologies to improve resilience against ransomware attacks. Download this report to learn more.