Most CISOs have an 80/20 budget split between likelihood and impact mitigations as Deloitte points out in a recent global Cybersecurity survey. This report says that only 11 % of the budget go into incident response/disaster recovery and into infrastructure security. Rather than the illusion of total cyber security, the focus must shift to operational cyber resiliency where organizations can effectively respond to and withstand attacks. While preventative measures are important, they’re table stakes, not the winning hand, when an organization is fighting cyber-compromises. There is a very strong case for taking a sideways look at the traditional thinking about the ‘protect / detect / respond / recover’ setup.
An abundance of technology and a lack of process
It is worth pondering for a moment on how organizations approach recovery after a ransomware attack. It’s disheartening how often the public hears about scenarios in which an organization's response to an imaginary ransomware attack is to try to use business continuity and disaster recovery processes and technologies built for the scenarios of weather, loss of power or misconfiguration. These traditional business continuity and disaster recovery scenarios are, simply put, not suitable for cyber scenarios, where technology recovery efforts are actively targeted. Instead, organizations need to recover to first investigate how the attack manifested itself and which vulnerabilities were exploited so they are remediated while bolstering defense. Then finally all malicious artefacts of the attack need to be removed from the recovered environment. It is only then that recovered systems can be brought back into production.
The traditional timeline to the Recovery Time Objectives are very different in cyber recovery, if you recover without first understanding how you were attacked, how defenses were circumvented, closing down that attack surface and removing all traces of the attacker, the chances are you’ll continue to be impacted. I’ve witnessed first-hand efforts to move to recovery too early and the resulting elongated response cycle and continuing impact on operations. Back in the halcyon days of when CISOs only had to deal with three secondary impacts from incidents - reputational damage, litigation and regulatory fines - this kind of response strategy could be tolerated. But with ransomware and wiper attacks incidents now have a primary impact: the inability of an organization to deliver its products and services.
Many organizations have an abundance of protective and detective security technology but a lack of process resulting in a low-level of operationalization and integration. This situation used to be tolerated when impacts were secondary losses. But now when an organization faces primary losses that grow exponentially over time, there is a need to achieve resilience by empowering existing security solutions with better context of data and files while bringing together the traditional silos of the IT and security teams and technologies.
James Blake is Field CISO of EMEA at Cohesity.
A data-centric focus on cyber resilience
To achieve this, the organization should adopt a data-centric focus on cyber resilience, ensuring that data from an organization's diverse compute and storage environments is brought together providing the governance, detective, response and recovery capabilities needed to achieve a high level of resiliency.
This is logically sensible. After all, it is data that drives the business, data that adversaries want to steal, encrypt or wipe, and data that has compliance obligations. Set alongside this, the technology infrastructure is becoming a commodity with orchestration, cloud and virtualization now readily accessible to help organizations manage and protect that data. Any approach to bring this data together and provide those governance, detective, response and recovery capabilities should do so in a manner that supports the wider security and IT ecosystem though integration and orchestration.
Being resilient means being able to withstand any and all possible threats: fire, flood, hurricane, misconfiguration, ransomware, wiper attack and many, many other potential eventualities. The ability to resume normal service with minimal impact and cost is critical.
Added benefits – practical and financial
Once an organization decides it wants to take a data centric approach to cyber resilience, there are plenty of other benefits to be reaped beyond those just related to recovery from cyber-attack or downtime caused by other reasons.
Siloes are removed – creating a level playing field for those who need to access and use data, and supporting remote collaboration and storage optimization. Data can be made ready for more robust and fruitful search and use by AI and other tools:
Compliance is made easier because discovery can be streamlined.
Incident response and forensics and protection is made easier: diverse workloads can be addressed with the same teams and tooling whether it’s cloud, virtual, on-premise or hybrid; triage and investigation can be prioritized by the sensitive or regulated data discovered on systems by scanning inside the snapshots; incident timelines can be rebuilt using snapshots over time from compromised systems; and historical filesystems can be hunted for indicators of compromise.
Once these data-centric platforms are integrated into security operations, the improved effectiveness and efficiency of response and recovery delivers improved cyber resiliency.
Protection is made less complex too, as it is possible to clone production servers for restore, for breach and attack simulation work, penetration testing and for deception and vulnerability scanning. The ability to clone data allows for robust application security testing and development, using data sets which are as close to live as it gets without actually being live.
What all this boils down to is an approach which delivers resilience to traditional disaster recovery scenarios as well as cyber incidents and streamlined data management. It will by its very nature bring Cybersecurity and IT teams closer together, and may derive further, data-related benefits to the organization. While it won’t get rid of all threats of cyber-attack, a resiliency-based approach should help organizations get back on their feet much faster if the worst happens.
