Three key components of a cyber resiliency framework
OryxAlign, Jan 10, 2019, 4 min read

Extortionists know that the availability of backups often determines whether they can collect on their ransom demands. Those without sufficient backups must choose between paying the ransom or suffering data loss.

For this reason, business continuity, specifically backup systems, is a prime target for attackers wishing to inflict maximum damage and increase the likelihood of a payout.

Preventative controls, once implemented, must be augmented with an effective recovery framework. Such a framework should address a fluid, rapidly changing threat landscape through flexibility, integration, and agility. A cyber-resilient strategy should include three key components: isolation, orchestration, and rapid recovery.

Isolation: Physically separate your backup data

The last decade has seen the decline of tape as a primary backup medium while disk and cloud-based replication systems supplanted the technology. Traditional tape systems suffered from relatively slow restore capability, especially for non-sequential data, but they had one attribute that is sometimes missing from disk and cloud backup replication, namely isolation. Replication without isolation often results in the encryption of both primary and replica data sets when ransomware strikes.

Isolation can be achieved through air gaps or through logical mechanisms that protect backup sets from being overwritten. The air-gap approach physically and logically separates backup data from the rest of the network. A straightforward example of an air gap is backing up to a removable hard disk and then storing the disk in a safe. More complicated arrangements are common in business, and air gaps have long been standard procedure in many government installations.

However, air gaps often rely upon a human element. In the hard drive example, someone must disconnect the drive when the backup completes and move it to a safe location. A backup set mistakenly left attached to systems would lack the protection an air gap is meant to provide. People are all too often unreliable at consistently performing such tasks without robust processes and accountability, so the manual step is a potential point of failure in the system.

The second isolation method relies on software to protect the backup sets. Such systems prevent a backup set from being altered once it is written, except as permitted by a system policy that is itself highly restricted, audited, and controlled to prevent unauthorized changes. This form of isolation prevents even an administrator from removing or changing a previous backup set before its retention period expires.

Orchestration: Automate your quarantine controls to reduce the scope of impact

Ransomware and other destructive malware are designed to propagate and then encrypt valuable data as quickly as possible. The speed of such attacks requires companies to implement monitoring and analytics across systems so that malicious behaviour is identified quickly.

The speed of malware far exceeds that of human response, yet the initial response to such threats is often well understood. This makes automation the ideal method to address threats in real time. Incident response orchestration uses triggers from monitoring systems to automate the execution of predetermined workflows that quarantine the threat and reduce the scope of impact.

For example, Dell EMC Cyber Recovery can be used to analyze data for signs of activity such as ransomware. As ransomware begins to encrypt a network share, monitoring and analytics would detect the encryption and kick off workflows to attempt to stop the ransomware and isolate the affected system for investigation. This prevents the ransomware from impacting other systems, and it does so without waiting for human intervention.
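To make the detect-then-orchestrate loop concrete, here is an added example (not code from the OryxAlign article and not part of Dell EMC Cyber Recovery). It scores constructed file-share events per host, using byte entropy of written content and renames to unknown extensions as indicators, and fires a predetermined quarantine playbook once a host's score crosses a threshold inside a short window. The event format, the indicator weights, the window size, the alert threshold and the playbook steps are all assumptions chosen for illustration; the playbook steps are simulated strings rather than calls to any real EDR or NAC product.

```python
"""Added example, not code from the OryxAlign article or from Dell EMC Cyber
Recovery: a small encryption-activity detector over constructed file-share
events that fires a predetermined quarantine playbook once a host's activity
crosses a threshold inside a short look-back window."""
import math
from collections import Counter, defaultdict

KNOWN_EXTENSIONS = {"xlsx", "docx", "pdf", "txt", "csv"}   # assumed allowlist
WINDOW_SECONDS = 10      # look-back window per host (assumed tuning value)
ALERT_SCORE = 4          # indicators needed before the playbook fires (assumed)

# Every byte value exactly once: entropy is exactly 8.0 bits/byte, which is what
# encrypted or compressed output looks like. Constructed, deterministic sample.
HIGH_ENTROPY = bytes((i * 97 + 13) % 256 for i in range(256))

# Constructed events: (seconds, host, share, operation, file name, content written)
EVENTS = [
    (0, "ws-17", "finance", "write", "q3.xlsx", b"Quarterly figures in plain text. " * 4),
    (2, "ws-04", "hr", "write", "notes.txt", b"meeting notes, nothing unusual " * 4),
    (5, "ws-17", "finance", "rename", "q3.xlsx.locked", b""),
    (5, "ws-17", "finance", "write", "q3.xlsx.locked", HIGH_ENTROPY),
    (6, "ws-17", "finance", "rename", "budget.docx.locked", b""),
    (6, "ws-17", "finance", "write", "budget.docx.locked", HIGH_ENTROPY),
    (7, "ws-17", "finance", "write", "README_DECRYPT.txt", b"your files are locked " * 3),
    (30, "ws-04", "hr", "write", "payroll.csv", b"name,amount\n" * 10),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, English prose around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def indicators(op: str, name: str, content: bytes) -> int:
    """Score one event: a high-entropy write and a rename to an unknown extension
    each count as one indicator."""
    score = 0
    if op == "write" and shannon_entropy(content) > 7.0:
        score += 1
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if op == "rename" and ext not in KNOWN_EXTENSIONS:
        score += 1
    return score


def quarantine_playbook(host: str, share: str) -> list:
    """Predetermined workflow; every step is simulated and returned for the audit
    trail. In a real deployment each entry would be an API call to the relevant
    control (EDR/NAC isolation, storage snapshot, ticketing)."""
    return [
        f"isolate_host:{host}",        # network quarantine of the offending host
        f"snapshot_share:{share}",     # preserve the share's current state for forensics
        f"block_smb_writes:{host}",    # stop further encryption of the share
        f"open_incident:{host}",       # hand off to responders for investigation
    ]


def run_detector(events):
    """Sliding-window scoring per host; returns one incident per host that trips,
    so later events from an already-quarantined host do not re-fire the playbook."""
    recent = defaultdict(list)   # host -> [(timestamp, score)]
    tripped = set()
    incidents = []
    for t, host, share, op, name, content in events:
        recent[host] = [(ts, s) for ts, s in recent[host] if t - ts <= WINDOW_SECONDS]
        recent[host].append((t, indicators(op, name, content)))
        total = sum(s for _, s in recent[host])
        if total >= ALERT_SCORE and host not in tripped:
            tripped.add(host)
            incidents.append({"host": host, "at": t, "score": total,
                              "actions": quarantine_playbook(host, share)})
    return incidents


if __name__ == "__main__":
    for incident in run_detector(EVENTS):
        print(incident)
```

Running the block reports a single incident for host ws-17 at second 6 with the four playbook actions; ws-04, whose writes are ordinary text, never trips. The point of the window is that the decision is made on the burst pattern, not on any single write, which is why one ordinary save of a compressed file does not quarantine a workstation.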

Rapid recovery: Invest in protective measures that will prevent future loss

Rapid recovery is the third key component of cyber resiliency. IT systems are critical to business success, and in some cases, such as healthcare and critical infrastructure, downtime of IT systems could result in loss of life. Every organization will suffer downtime at some point, and systems should be put in place to restore system or data availability according to the business needs when that happens.

A benefit of rapid recovery solutions is that recovery and investigative steps can operate in parallel. In the example above, the system infected with ransomware was isolated from the network, preventing users and applications from accessing that data. Rapid recovery solutions may need to mount snapshots of the affected data and then remap resource pointers to the recovery location.
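The following added example ties the isolation section's policy-enforced backup sets to the recovery step just described. It is illustrative code written for this page, not code from the OryxAlign article or from any backup product. A small retention-locked vault refuses to overwrite a backup set or delete it before its lock expires, whatever the caller's role, and records every attempt in an audit trail; a recovery routine then chooses the newest set taken before the first indicator of compromise whose content still matches its recorded hash (skipping a set that has been corrupted), and remaps the share to the mounted copy so users can work while forensics continue on the quarantined original. The set names, timestamps, retention period, mount root and the simulated corruption are all constructed.

```python
"""Added example, not code from the OryxAlign article or from any backup
product: a retention-locked (write-once) backup vault plus recovery-point
selection and share remapping over constructed backup sets."""
import hashlib
from dataclasses import dataclass, field


class RetentionLocked(Exception):
    """Raised when vault policy forbids changing a backup set."""


@dataclass(frozen=True)
class BackupSet:
    name: str
    taken_at: int      # seconds; constructed values in the demo below
    lock_until: int    # retention lock expiry; no role may delete before this
    sha256: str        # content hash recorded at write time


@dataclass
class Vault:
    """Logical isolation: sets are write-once, deletion is refused until the lock
    expires regardless of actor, and every attempt lands in an audit trail."""
    retention_seconds: int
    sets: dict = field(default_factory=dict)    # name -> BackupSet
    blobs: dict = field(default_factory=dict)   # name -> payload (the storage layer)
    audit: list = field(default_factory=list)

    def write(self, name: str, payload: bytes, now: int) -> BackupSet:
        if name in self.sets:
            self.audit.append(f"DENY overwrite {name}")
            raise RetentionLocked(f"{name} already exists; sets are write-once")
        bs = BackupSet(name, now, now + self.retention_seconds,
                       hashlib.sha256(payload).hexdigest())
        self.sets[name], self.blobs[name] = bs, payload
        self.audit.append(f"WRITE {name} locked_until={bs.lock_until}")
        return bs

    def delete(self, name: str, now: int, actor: str) -> None:
        bs = self.sets[name]
        if now < bs.lock_until:   # the check does not consult the actor's privileges
            self.audit.append(f"DENY delete {name} by {actor}")
            raise RetentionLocked(f"{name} is locked until {bs.lock_until}")
        del self.sets[name], self.blobs[name]
        self.audit.append(f"DELETE {name} by {actor}")

    def intact(self, name: str) -> bool:
        """Does the stored payload still match the hash recorded at write time?"""
        return hashlib.sha256(self.blobs[name]).hexdigest() == self.sets[name].sha256


def choose_recovery_point(vault: Vault, first_ioc_at: int, margin: int = 0):
    """Newest set taken no later than the first indicator of compromise (less an
    optional safety margin) whose content verifies; corrupt sets are skipped."""
    for bs in sorted(vault.sets.values(), key=lambda b: b.taken_at, reverse=True):
        if bs.taken_at <= first_ioc_at - margin and vault.intact(bs.name):
            return bs
    return None


def remap(share: str, bs: BackupSet, mount_root: str = "/recovery") -> dict:
    """Point the share at the mounted snapshot; the original stays quarantined."""
    return {"share": share, "mount": f"{mount_root}/{bs.name}",
            "recovery_point": bs.taken_at}


if __name__ == "__main__":
    day = 86_400
    v = Vault(retention_seconds=7 * day)
    v.write("finance-day1", b"ledger v1", now=1_000_000)
    v.write("finance-day2", b"ledger v2", now=1_000_000 + day)
    v.write("finance-day3", b"ledger v3 (written after the intrusion)", now=1_000_000 + 2 * day)
    try:
        v.delete("finance-day1", now=1_000_000 + 3 * day, actor="admin")
    except RetentionLocked as exc:
        print("refused:", exc)
    v.blobs["finance-day2"] = b"bit rot"            # simulated storage-level corruption
    rp = choose_recovery_point(v, first_ioc_at=1_000_000 + day + 3600)
    print("recovery point:", rp.name)               # finance-day1: day3 is too late, day2 fails integrity
    print(remap("finance", rp))
    print("\n".join(v.audit))
```

Two design points matter here. The delete check never consults the actor, which is exactly the property the isolation section asks for: an administrator account, or an attacker holding one, cannot shorten the retention window. And recovery-point selection verifies content against the hash recorded at write time, so a set that has silently degraded or been tampered with at the storage layer is passed over rather than restored.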

Implementing the framework

Not all data requires this level of protection, so the first step in implementing the framework is to identify the mission-critical data sets. Management and automation software, like Dell EMC Cyber Recovery, can be deployed to cover 10-15% of an organization’s disaster recovery scope. Companies then select the critical data based on its direct and indirect use, including how the data impacts systems and processes across the enterprise.

Our economy and our lives are increasingly digital. As such, the systems and data that underpin our digital economy are essential to company success. Cyber resiliency is what keeps the business running when other controls fail. Make your company cyber-resilient now to prevent future disasters.
