In this blog

That is the most prominent question organizations are challenged with today regarding cyber recovery. It involves recovering not just data but also critical business services. Then, the question of speed follows.

The best recovery an organization can do is the one it doesn't have to do; the second best is recovering to a minimum viable business position in a timely fashion to avoid business disruption and failure of regulatory and compliance standards. 

Organizations should focus on:

  • Strategy development aimed at accelerating the journey from backups to a cyber resilience vault
  • Process improvement (i.e., avoid replicating/backing up potentially infected databases after an incident has occurred)
  • Business Impact Analysis (BIA) for prioritization of critical business services
  • Fast containment and isolation as closest to the application layer as possible (see enterprise segmentation and zero trust architectural principles)
  • Inter-team and cross-team communication (incident response playbooks)
  • Cyber recovery testing scenarios (test-validate-restore)

The importance of immutability

Immutability is a key component of a data protection and cyber resilience strategy. It allows organizations to protect data against threats such as ransomware attacks. When a backup is immutable, even if ransomware infiltrates the network and locates the backups, it cannot proceed to encrypt or destroy them, thereby ensuring the safety of the backups. In addition to protection from ransomware, immutable backups are helpful to guarantee data is retained for data compliance and governance. 

Most organizations use a plethora of backup/data protection solutions across their environment as they look to protect data and ensure its recoverability across Amazon Web Services (AWS), Microsoft Azure (M365), Google Cloud Platform (GCP), Oracle Cloud, on-premise, etc. Today, most large organizations are migrating to a two-vendor backup strategy where one vendor is responsible for the vast majority of backups, such as virtualized workloads (VMware, Nutanix, etc.), and the second vendor is used for backups of unusual or legacy workloads (IBM iSeries, OpenVMS, etc.). Regardless of the vendors chosen, the ability to implement immutable backups is of utmost importance to ensure a resilient/robust backup and recovery solution.

Different levels of recoverability

This diversity of infrastructure and components brings different levels of recoverability with other risks and benefits. The range of recoverability goes from immutable snapshots on disk storage arrays to implementing a cyber vault wholly isolated from the production network. 

Immutable snapshots on disk arrays provide the ability to keep a point-in-time copy of production data that can easily be rolled back into production in the event of a cyber attack. The significant drawback to snapshots is the economic feasibility of retaining more than a few days. Ransomware is usually injected into an environment weeks before it is executed. This is known as "dwell time," meaning the ransomware code is now stored on the snapshot, making it unusable for recovery.

The most resilient recovery solutions implement what is known as an Isolated Recovery Environment (IRE) or cyber vault. An IRE provides copies of backups or inaccessible production data (also known as air-gapped) from the production environment. This isolation prevents cyber attackers from accessing the data, providing an "always available" copy. The solution allows data to be scanned for malware, potentially detecting it during the dwell time before execution. The primary drawbacks to an IRE are cost and the technical expertise required to implement.

A multi-cloud strategy coupled with significant investments in backup and recovery solutions over the years may lead to a diverse infrastructure with a heavy technology footprint, often without a clear underlying immutable backup strategy. Organizations should work towards creating a framework that makes technology part of it, not a model that makes technology the epicenter of their plan and direction. An approach to recovery based solely on technology becomes an island and makes organizations vulnerable to adverse cyber events instead of becoming genuinely cyber resilient.

The need for strategy development

Veeam's 2023 Ransomware Trends Report cites that 93% of cyber attackers target backups during their attacks and successfully debilitate their victims' ability to recover in 75% of those events. To this end, organizations now look to a trusted and experienced partner who can support them in the development and execution of a strategy that enables them to move from data backup and immutability to a cyber resilient vault as part of an end-to-end cyber resilience program. An executable, timebound, milestone-driven roadmap helps get there on time and within budget.

How to begin

Organizations can embark on their journey toward cyber resilience by adopting a structured approach that focuses on strategy, architecture, processes, and procedures. The first step involves conducting a comprehensive assessment to understand the current state of their backup, recovery, and archiving practices. This assessment should provide an independent view of the vendor landscape and share industry best practices for developing an immutable backup strategy.

Following the assessment, organizations should evaluate various options, considering their existing investments, assessing alternative solutions, and conducting vendor comparisons. This evaluation process will help determine a fit-for-purpose solution that aligns with the organization's requirements for immutability.

Based on the evaluation's findings, organizations can develop a detailed blueprint and a milestone-driven roadmap for operationalizing and maturing their cyber resilience capabilities over time. This roadmap should address critical components such as immutable backup and isolation, separate security measures (e.g., identity management, vulnerability scanning, logging, monitoring), forensics, regular technology recovery testing, and end-to-end business process recovery testing.

The ultimate goal is to transition from a reactive approach, where organizations can only access the latest clean copy of their data, to a proactive approach that enables the recovery of applications, infrastructure, and critical business systems and services. By collaborating with experts and following a consultative, risk-based approach, organizations can improve their Recovery Time Objective (RTO) and develop a holistic cyber resilience program that addresses strategy, architecture, processes, and procedures from the initial inception phase to the final operationalization stage.