It’s safe to say sophisticated cyberattacks are not going away. They’re becoming more pervasive, and the statistics about the cost and implications of being attacked are alarming. It’s not a question of if but when – and of how you will know.

So, what’s an enterprise to do to prepare for the inevitable?

We describe cyber resiliency as the art and science of recovering from a debilitating ransomware attack in a time-bound manner, losing the minimum amount of data.

The goal is to bend but not break under an attack – by focusing on detection and remediation. There’s no silver-bullet solution or product – it’s impossible to keep up with, never mind stay ahead of, the cyber criminals. The only workable approach is a combination of products, environments, and processes in which malware can be isolated, detected and remediated. This includes an environment with multiple “air gaps” for isolation, immutable storage, a process to examine and test multiple point-in-time images, and a complete process for recovery.

It’s common knowledge cyberattacks frequently target some of the simplest ways in – weak passwords, phishing attacks, and access controls to name a few.

We take a four-step approach to cyber resiliency – protect, detect, remediate, recover.

Protect – This is a combination of implementing the best possible cyber security solutions available along with preparing for an attack with a complete cyber resilience strategy and plans ready to implement immediately.

Detect – Implement tools and processes to get early notification of anomalies in server and data point-in-time images to identify both corruption as well as theft.

Remediate – Have a solution that cleans existing images of malware to prevent having to go back days, weeks or even months to enable a safe recovery.

Recover – The recovery process starts with obtaining or creating a clean image with the most recent possible data, then pulling together the multi-disciplined team to bring a production environment up securely.

The checklist
  • A full cyber resilience plan for strategy and execution. This includes a strategic plan based on the business needs of the organization, a team description of the groups that need to be involved in both protection and recovery, and a set of processes to follow for detection, testing and recovery to production.
  • An air gap solution using a cloud as the target, isolated from the production environment. This ensures that malware execution can’t transition between isolated network segments and that those without credentials are kept out.
  • Multiple point-in-time images, with the ability to mount any image almost immediately. This allows for the mounting of an image of a server from a previous time or date before malware was either installed or executed.
  • Separate credentials with access based on function and/or role. With separate credentials in the cloud environment, stolen passwords are ineffective. By having access based on function and/or role, it also takes multiple people to make significant changes to the environment.
  • Make ongoing scans of images for malware and other anomalies. With early detection of infected systems, the recovery environment can be protected, and often the attack can be impeded before it happens.
  • Ongoing testing for recoverability and performance anomalies. At all times the recovery environment needs to be ready to start the recovery process.
  • Remediation as necessary to store known good images. Before a server can be recovered, it has to be in a clean state, otherwise the attack can be re-started. It’s not enough simply to start a server in the cloud. The version of the server has to be free of the malware while also having the latest possible data.
  • Recovery requires known clean images. Networks and access controls need to be set up for access. Initially only those that immediately require access will have credentials, and in most cases those will be new, given the uncertainty as to which accounts have been compromised.
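As an added example, not part of the original post: a small Python script that applies the checklist’s “ongoing scans of images for anomalies” to a series of point-in-time images, flagging mass modification, encrypted-looking content and newly dropped executables, and picking the most recent image taken before the first anomaly as the recovery candidate. The snapshot data, thresholds and file paths are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: each point-in-time image is (timestamp, manifest) and a
# manifest maps file path -> content. A real manifest would carry hashes and
# sizes read from a mounted image rather than the bytes themselves.
ENCRYPTED = bytes(range(256))   # stands in for ransomware output (entropy 8.0)
IMAGES = [
    ("2024-05-01T01:00", {"docs/a.txt": b"quarterly report " * 20,
                          "docs/b.txt": b"meeting notes " * 20,
                          "bin/app.exe": b"MZ\x90\x00 fake binary"}),
    ("2024-05-02T01:00", {"docs/a.txt": b"quarterly report v2 " * 20,  # normal edit
                          "docs/b.txt": b"meeting notes " * 20,
                          "bin/app.exe": b"MZ\x90\x00 fake binary"}),
    ("2024-05-03T01:00", {"docs/a.txt": ENCRYPTED, "docs/b.txt": ENCRYPTED,
                          "bin/app.exe": b"MZ\x90\x00 fake binary",
                          "bin/locker.exe": b"MZ\x90\x00 unknown"}),  # dropped binary
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted/compressed data sits near 8.0, plain text near 4."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def image_anomalies(prev: dict, curr: dict, change_ratio=0.5, entropy_min=7.5) -> list:
    """Compare an image with its predecessor and describe anything suspicious."""
    findings = []
    changed = [p for p in curr if p in prev and curr[p] != prev[p]]
    if prev and len(changed) / len(prev) >= change_ratio:
        findings.append(f"mass modification: {len(changed)}/{len(prev)} files changed")
    for path, data in curr.items():
        if shannon_entropy(data) >= entropy_min and not path.endswith((".zip", ".gz")):
            findings.append(f"high-entropy content (possible encryption): {path}")
        elif prev and path not in prev and path.endswith((".exe", ".dll")):
            findings.append(f"new executable absent from previous image: {path}")
    return findings

def last_clean_image(images: list):
    """images oldest-first; return the timestamp of the newest image taken before
    the first anomaly, or None if even the oldest image is suspect."""
    clean = None
    for i, (ts, manifest) in enumerate(images):
        prev = images[i - 1][1] if i else {}
        if image_anomalies(prev, manifest):
            break   # every later image may carry the malware too
        clean = ts
    return clean
```

Run against the sample, the 2024-05-02 image is the last one that passes, which is the image a recovery team would mount first.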

Next we look at how cyber resiliency differs from disaster recovery.