In a previous Spotlight on Security session, Kevin Mandia, CEO and Founder of Mandiant (recently acquired by Google), shared a powerful vision of where data security will be in five years—one of fully automated security, including automated backup and resiliency. So when enterprise data gets attacked or destroyed, it will be recovered rapidly and cleanly—and the business won’t even notice. It’s an elegant and powerful aspiration that we at Cohesity also subscribe to.
But we’re not there yet. We are, however, excited to see some of our leading customers adopt the mindset, strategy, and security tactics in data management that head in that direction. The best example is the evolution from DR to CR or disaster recovery to cyber resilience. If you’re unsure what we’re referring to, below is an example we discussed in our own recent Spotlight on Security session.
Hypothetical scenario
First, imagine all your systems are down. No phones. No email. No directory. No office entry as access systems are locked down. Trying to get into your data center? Not if the security guard can’t confirm with a call to your office or an email. And that’s just the start. Combine these factors with the possibility of re-injecting a vulnerability into your environment as you recover your data.
The above scenario, one we wouldn’t wish on any organization, is very real. However, it may also be a helpful indicator of understanding how far your organization needs to shift to achieve cyber resilience.
Do your current tabletop exercises for disaster recovery cover the above scenario? Are you confident you’ll be able to recover your data from a clean, uninfected copy? Within the requisite time to ensure ongoing business operations?
Natural disasters can be a formidable adversary to any ongoing business operation. A bolt of lightning, hurricane, tornado, flood, or a combination of those can impact power and functions across your business. But ultimately, whether you are doing walkthroughs, workshops, or tabletop exercises, there are a handful of scenarios to consider.
Contrast that to a cyber threat. Your adversary is actively working to take your business down. The attack vector could be fluid, multifaceted, and obviously evasive. And the risk of re-injecting vulnerabilities, compromised accounts, mechanisms of persistence, and other attack artifacts back into your environment looms large. Ensuring recovery in the face of this new class of adversaries requires a similar approach to disaster recovery but a significantly more robust, dynamic, and collaborative process. Cyber resilience isn’t just about bringing your systems back up—it’s about ensuring you can keep your business running, despite this more stealthy and aggressive adversary.
From security to resilience
It’s no secret that CISOs and their organizations readily spend up to 90 to 95% of their security budget on preventative and detective technologies, a virtual castle-and-moat.
This table-stakes approach is logical and supports an organization’s defense-in-depth strategy. But the pervasiveness of ransomware impacts on these same organizations, despite tens of millions of dollars in preventative and detective investments, shows it is not a winning hand. Instead, we need to pivot to a resilience-in-depth approach.
If we continue the castle and moat metaphor, the challenge arises because, while we build higher walls and wider moats, this adaptive adversary continually builds taller ladders to scale our walls and faster boats to cross the moat. Or builds a Trojan Horse by socially engineering our staff and effectively walking in through the front door. And there’s no technical control to stop that. Finally, our adversaries always have the first-mover advantage, striking at will on their attack vector of choice.
Given the increasingly sophisticated and complex nature of cyber threats, this entrenched approach built around preventative and detective technologies may become a blocker on the road to resilience. The underlying premise of this approach sets the expectation that our organizations could withstand and prevent all the attacks if only there were enough people and the right technology.
Unfortunately, an overreliance on these areas also has downsides. Like friction, given the multiple agents installed on boxes. Or a lack of agility, given the overstuffed technology stacks. But the most significant downside is a reliance on people, process and technology that ultimately will not help the business when it needs it most—after its systems have been rendered useless and ransom demands have ominously arrived.
Then where do we turn? Do we pin our hopes on achieving a successful recovery on the half of the risk equation that gets a 20th of the overall investment?
The questions above aren’t rhetorical—they’re a reality for many organizations. The bottom line is that we need cyber resilience when the status quo strategies fail.
It’s not recovery to production—it’s recovery to a clean room
So, let’s return to our example of how traditional DR plans and testing are unsuitable for a cyberattack.
Why? After a cyberattack, recovery is not something IT does in isolation, as it is in disaster recovery. Instead, it’s done in conjunction with the Security Operations team. It is no longer a ticket that arrives in the IT inbox—it becomes an active collaboration between the two groups to get the business back up and running.
A few examples: IT needs to restore systems so that SecOps can perform forensics and understand how the attack manifested itself. SecOps needs to identify and prioritize vulnerability remediation, but IT needs to apply the patches. Finally, security controls on the recovered platforms may need to be bolstered by the SecOps team before IT moves them back into production.
This isn’t a one-way flow; it’s an iterative process throughout the Respond and Recover stages of the NIST Cybersecurity Framework.
The challenge? Most organizations only develop collaborative processes, a clean room strategy, and the requisite technologies for a successful recovery once there’s a ransomware incident. In other words, once it’s too late.
How to initiate a clean room strategy
Below is a high-level approach for initiating a clean room strategy. It’s a tangible example of how people, processes, and technology come together to help drive resilience.
- Understand and plan for the impacts of a cyberattack.
  - Ask tough questions and scenario-plan against them. What if we had no phones? No email? That’s your starting point. So, communications and collaboration platforms must be beyond the reach of the bad actors. All incident response procedures, especially those that rely on cross-swimlane coordination, need open communication lines. Relatedly, records of those communications also serve later as evidence of action taken, for regulators and to counter any litigation.
  - Review your core cyber security systems. Start with your foundational components like immutable backups, air gaps, and strong authentication. Robust recovery technologies are a prerequisite.
  - Recover in a secure environment. Your incident response timeline starts with recovery to a clean room. From there you can remove vulnerabilities and understand where the attack timeline began.
- Know the location and classification of your data.
  - First, understand what your adversaries are targeting. Data is what you need to be in compliance. Data is what runs your business. Data is what they’re after.
  - Understand and assess the vulnerability of your most sensitive information. Data classification and the systems that support it maintain the confidentiality and integrity of that data. In an attack, this is the top concern.
  - Prioritize your response assessment based on regulatory obligations. Understand which data is subject to regulator notification requirements.
- Make your tools work together for you.
  - Use integration, automation and orchestration as your key levers. For example, a series of snapshots can give a clearer picture of the attack timeline across your estate over time. A single forensic image taken after the attacker may have cleaned up after themselves won’t help.
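As an added example (not code from the Cohesity post), the following script shows how the snapshot history just described can be walked to find the last clean snapshot to restore into a clean room and the first snapshot where the attack appears. The manifests, hashes, indicators and protected paths are all constructed assumptions for illustration; a real run would read manifests from the backup platform and indicators agreed with SecOps.

```python
"""Walk backup snapshot manifests, oldest first, to locate the last clean
snapshot (restore candidate) and the first tainted one (attack timeline start).
Manifests here are constructed sample data: snapshot id -> {path: file hash}."""
from typing import Dict, List, Tuple, Optional

Manifest = Dict[str, str]

# Constructed sample snapshots, oldest first. Hash values are placeholders.
SNAPSHOTS: List[Tuple[str, Manifest]] = [
    ("2024-03-01T02:00", {"/etc/crontab": "h1", "/usr/bin/sshd": "h2", "/srv/app/config.yml": "h3"}),
    ("2024-03-02T02:00", {"/etc/crontab": "h1", "/usr/bin/sshd": "h2", "/srv/app/config.yml": "h3"}),
    ("2024-03-03T02:00", {"/etc/crontab": "h9", "/usr/bin/sshd": "h2", "/srv/app/config.yml": "h3", "/tmp/.x": "bad1"}),
    ("2024-03-04T02:00", {"/etc/crontab": "h9", "/usr/bin/sshd": "h8", "/srv/app/config.yml": "h3", "/tmp/.x": "bad1"}),
]

# Indicators assumed to come from SecOps: known-bad hashes and paths that must not change.
KNOWN_BAD_HASHES = {"bad1"}
PROTECTED_PATHS = {"/usr/bin/sshd", "/etc/crontab"}


def diff(prev: Manifest, cur: Manifest) -> Dict[str, List[str]]:
    """Files added, removed or modified between two consecutive snapshots."""
    return {
        "added": sorted(set(cur) - set(prev)),
        "removed": sorted(set(prev) - set(cur)),
        "modified": sorted(p for p in set(prev) & set(cur) if prev[p] != cur[p]),
    }


def taint_reasons(prev: Manifest, cur: Manifest) -> List[str]:
    """Why a snapshot is considered tainted relative to its predecessor."""
    d = diff(prev, cur)
    reasons = [f"known-bad hash in {p}" for p in sorted(cur) if cur[p] in KNOWN_BAD_HASHES]
    reasons += [f"protected file changed: {p}" for p in d["modified"] if p in PROTECTED_PATHS]
    return reasons


def attack_timeline(snaps: List[Tuple[str, Manifest]]):
    """Return (last_clean_id, first_tainted_id, findings_by_snapshot).
    Once a snapshot is tainted, every later one is treated as tainted too, even if
    it looks clean again: the attacker may simply have cleaned up after themselves."""
    findings: Dict[str, List[str]] = {}
    last_clean: Optional[str] = None
    first_tainted: Optional[str] = None
    prev: Manifest = {}
    for sid, manifest in snaps:
        reasons = taint_reasons(prev, manifest)
        if reasons or first_tainted:
            findings[sid] = reasons
            first_tainted = first_tainted or sid
        else:
            last_clean = sid
        prev = manifest
    return last_clean, first_tainted, findings
```

With the sample data, the 2024-03-02 snapshot is the last clean restore point and the 03-03 snapshot marks the start of the timeline (modified crontab plus a known-bad file), which is the kind of cross-snapshot view a single post-incident image cannot give.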
Transition to resilience to prevent and recover from new adversaries
Much work remains to achieve the vision of fully automated security in the enterprise. But one step we can take today is the move toward cyber resilience. Cyber resilience, a critical approach to data security, requires a robust, collaborative process and an understanding of how to respond specifically to cyber threats. By evolving beyond the traditional approach of DR and a castle and moat mindset, we move closer to this vision and continue adapting to the seemingly endless changes in adversary behavior.
To watch the full Spotlight on Security discussion on evolving from disaster recovery to cyber resilience, click here.
To explore more real-world examples, best practices, and trends from Security, Ops, and IT experts, register now for our data security & management summit, Cohesity Catalyst.