We’re excited to announce the evolution of the Cohesity Clean Room solution to support incident response activities. Thousands of the world’s largest organizations depend on Cohesity for their resilience. The Cohesity Clean Room represents a complete approach to cyber incident response, offering organizations a robust solution for managing incident response (IR) and ensuring business continuity. By creating a trusted environment for incident response and recovery, organizations can enhance their resilience against increasingly sophisticated cyber threats.
There are three fundamental truths we’ve observed in our experience:
- Each attack should be treated as its own unique event, requiring flexibility in your response capabilities.
- When you’re in the middle of an attack, it’s difficult to understand how the attack happened and to find patient zero; yet that understanding is exactly what allows you to close the gaps in your security posture and prevent future attacks.
- Organizations must have a thoughtful response and recovery approach that adjusts based on the results of forensic analysis of the attack.
I’d love to tell you that you can simply press a button that can automatically recover clean data back into production in every circumstance. But that’s not the reality. Just ask InfoSec practitioners who have worked through the response and recovery process.
The incident response lifecycle
When we first announced the Clean Room, we simplified the incident response process into three distinct phases (initiate, investigate, and mitigate) to demonstrate a more complete lifecycle in the IR process.
This approach allowed us to define how ITOps and Security teams could work together to recover from a cyberattack and reduce the risk of reinfection. As we worked with industry leaders and customers, it became apparent that we needed to add a fourth phase to our design: Preparation.
Preparation is vital: Meet the digital jump bag™
Organizations often realize they aren’t prepared for a cyberattack when it is too late and they are in the middle of the attack. Too often, I hear the words “I think” when discussing how an incident response process “should” work. Reports of responders picking the locks of the data center because the access system was down or not having access to the systems and documentation needed to begin an investigation are all too common.
This valuable feedback led us to create the digital jump bag, where customers can store the tools, software, configuration files, and documentation needed to respond to an incident in a vaulted immutable store beyond the reach of adversaries.
The concept of a jump bag has been around for a long time. Outside of the IT world, they’re primarily associated with emergency response, which allows quick access to supplies or the ability to leave a dangerous area rapidly. The term “jump bag” comes from parachutists in World War II who would pack a bag with all the necessary equipment they might need once they landed behind enemy lines, ensuring they could respond effectively to immediate challenges. Over time, the concept evolved, and today, jump bags are utilized across various professions, including emergency medical technicians (EMTs) and military personnel, each tailoring their bags to meet specific needs related to their field.
We’ve refined the concept and brought it into the incident response world. These bags are essential for mitigating the effects of cyber incidents by ensuring that responders have immediate access to the necessary tools and resources when an incident is declared. Having your digital jump bag ready allows ITOps teams to initiate the Minimum Viable Response Capability (MVRC), enabling the SecOps teams to investigate and mitigate the threat.
We’ve created detailed best practices for packing and protecting your digital jump bag in our Clean Room deployment guide. If there’s one thing you can do right now to know you’re ready to respond to a cyberattack, it’s create your digital jump bag. That way, you don’t have to think you’re ready; you’ll know.
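The jump bag only helps if, on the day an incident is declared, responders can confirm that nothing in it is missing or has been altered since it was packed. The following Python script is an added example (not Cohesity's code and not taken from the deployment guide) showing one way to do that: build a SHA-256 manifest of the bag's contents when it is packed, check the manifest against a checklist of items the bag must contain, and later verify the bag on disk against that sealed manifest, reporting missing, modified and unexpected files. The file names, the `REQUIRED_ITEMS` checklist and the sample contents are all constructed for illustration; a real bag would hold offline installers, runbooks and configuration exports, and the manifest would be stored alongside the bag in the immutable vault.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed checklist of items a bag must contain before an incident.
# Hypothetical paths for illustration only; tailor to your own runbooks.
REQUIRED_ITEMS = (
    "docs/ir-plan.md",
    "docs/contacts.txt",
    "tools/README.txt",
    "config/restore-plan.json",
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large installers don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path, size and SHA-256 of every file under root (sorted for stable output)."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return {"version": 1, "files": entries}


def missing_required(manifest: dict, required=REQUIRED_ITEMS) -> list:
    """Preparation check: which checklist items were never packed at all."""
    return [r for r in required if r not in manifest["files"]]


def verify_bag(root: Path, manifest: dict) -> dict:
    """Compare the bag on disk against the sealed manifest before responders rely on it."""
    findings = {"missing": [], "modified": [], "unexpected": []}
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest["files"].get(rel)
        if expected is None:
            findings["unexpected"].append(rel)  # something was added after sealing
        elif sha256_file(p) != expected["sha256"]:
            findings["modified"].append(rel)    # content no longer matches
    for rel in manifest["files"]:
        if rel not in seen:
            findings["missing"].append(rel)     # packed item is gone
    return findings


def bag_is_intact(findings: dict) -> bool:
    return not any(findings.values())


def make_sample_bag(root: Path) -> None:
    """Constructed sample contents; a real bag holds actual tools and runbooks."""
    sample = {
        "docs/ir-plan.md": "# IR plan\n1. Declare incident\n2. Isolate\n3. Investigate\n",
        "docs/contacts.txt": "IR lead: placeholder@example.invalid\n",
        "tools/README.txt": "Offline installers live here.\n",
        "config/restore-plan.json": json.dumps({"targets": ["clean-room-vlan"]}),
    }
    for rel, text in sample.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo() -> tuple:
    """Seal a sample bag, verify it, then simulate tampering and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_bag(root)
        manifest = build_manifest(root)          # this is what you store in the vault
        gaps = missing_required(manifest)        # should be empty before you declare "ready"
        clean = verify_bag(root, manifest)       # freshly packed: intact
        (root / "docs/ir-plan.md").write_text("tampered")   # simulate an altered runbook
        (root / "docs/contacts.txt").unlink()               # simulate a lost item
        tampered = verify_bag(root, manifest)
        return clean, tampered, gaps


if __name__ == "__main__":
    clean, tampered, gaps = demo()
    print("missing required items:", gaps)
    print("fresh bag intact:", bag_is_intact(clean))
    print("after tampering:", json.dumps(tampered, indent=2))
```

Run this periodically (and always at the start of an incident) against the vaulted copy of the bag; a non-empty `missing_required` result means the bag was never fully packed, while any finding from `verify_bag` means the copy responders are about to use is not the one that was sealed.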
How do I get the Cohesity Clean Room?
When the Clean Room design was created, three things stood out.
- We created a solution to a real problem based on industry best practices. We didn’t try to convince people that we had the panacea for incident response. We know we need to work with the menagerie of tools for our customers to respond and recover.
- The solution design uses the Cohesity tools you already own and the data you already manage. In many cases, it’s simply a new way to use the tools.
- Its flexibility lets you control the sizing and workflow, allowing it to meet your business’s needs today and grow with you as threats evolve.
To help our customers realize the full value of the Clean Room solution, we’ve created a deployment guide that walks you through the setup process and provides additional information to get the most out of the solution.
Of course, we’re here to help. Our professional services team is available to ensure you’re ready for the inevitable attack. Our professional services organization has years of experience working with hundreds of customers, giving it a unique perspective that can enhance your operations and help you overcome obstacles you might otherwise face by going it alone.
If you need help justifying the Clean Room, consider why bad actors want to keep your business offline.
- Current processes make you more likely to reinfect your environment, causing more downtime if the appropriate investigation and threat mitigation steps are skipped.
- Attempting recovery prematurely keeps your business disabled, making you more likely to pay a ransom.
- Creating a trusted environment for response, testing, and recovery will always be less expensive in the long run.
- Bad actors are very good at disabling and evading endpoint security controls, hampering your response and recovery efforts. An isolated clean room allows investigations to happen outside the view of the attackers.
- Having a clean room set up in advance reduces the chaos during an investigation and allows ITOps and SecOps to build muscle memory for the overall response process.
- Proactively addressing these challenges can enhance your readiness to respond to a cyberattack and improve your overall cybersecurity posture.
What’s next?
We’ve come a long way in a very short period, but we’re not done yet. Just as cyberattacks evolve, so will we. Plans are underway to improve automation to streamline response. While you can’t fully automate an investigation, building playbooks can be an important force multiplier for the response and recovery process, reducing the incident’s overall impact.
We’re looking to see if Cohesity Gaia can be an asset in minimizing human error and providing insights into the direction you should investigate. We’re also looking into more integrations to give your detection and forensics tools access to the backup data, providing a better understanding of the attack and how to resolve it.
Deploying the Cohesity Clean Room solution offers substantial benefits that enhance an organization’s ability to effectively respond to and recover from cyber threats. From accelerating time to response, supporting comprehensive investigations, speeding up recovery times, and seamlessly integrating IT and Security operations, the Clean Room equips organizations with the tools necessary to navigate the complexities of modern cyber incidents. As cyber threats continue to evolve, investing in such a robust solution is not just advantageous. It is essential for maintaining operational continuity and safeguarding sensitive data in an increasingly hostile digital landscape.
Learn more about the Cohesity Clean Room solution.