Our recent post addressed the changed cyber threat landscape for enterprise IT environments and how organizations’ storage environments – where core data assets reside – are increasingly the target of cyberattacks, particularly ransomware.
In this post we’ll discuss the critical steps that should be taken in order to ensure that following a cyberattack, recovery of critical data can be achieved. These recommendations were also discussed in our recent webinar.
Recovering data from cyberattacks differs from standard disaster recovery. Standard DR solutions typically address recovery from events such as electric outages, hurricanes, floods, human error, etc. IT organizations spend significant time and budget to ensure that recovery from such unplanned failures will be possible: remote data replication, mirroring and backup technologies are configured to enable data restoration when needed. But will these DR solutions deliver in the event of a cyberattack?
A cyberattack, by its nature, involves malicious intent. Standard disaster recovery solutions are “naïve” and may fail to work properly in the event of an attack. Additional care must be taken to ensure that recovery systems are configured so that recovery data cannot be jeopardized.
Often, the objective of cyberattacks or ransomware involves attempted encryption or deletion, not only of production data, but of backup data as well. The fallout from such an attack is severe: recovery can take months and cost hundreds of millions of dollars (Maersk, Merck and the city of Baltimore are well-known examples). Without usable copies to recover from after a ransomware attack, an enterprise might never be able to recover its data. Today’s cyberattacks target key data at the core of operations for SMBs and enterprises alike. Without access to this critical data, the organization will, most likely, not be able to continue operations. To ensure that recovery from attack is possible, these environments must be configured for recovery from these worst-case scenarios.
At the same time, in addition to ensuring that data can be recovered intact, time to recovery is another crucial parameter that must be addressed. The new global standards for resilience and recovery (NIST, ISO, CIS, etc.) specify timelines for recovery and resumption of operations. For financial institutions, for instance, European Central Bank guidelines stipulate that critical operations must resume within two hours of a cyber disruption. Non-compliance leads to stiff fines.
All systems must be configured with recoverability as the goal. To this end, security, resilience and recovery objectives must first be clarified. Issues such as ransomware attacks, recovery isolation, recovery copy immutability, replication and backup guidelines, access control to recovery systems, RPO and retention, etc. should be reviewed. Following review, the recovery objectives that were decided upon must be reflected in security baseline documents which define the minimum (baseline) configurations required for successful recovery. Note that resilience and recovery requirements differ for different organizations and each one must review, specify and implement the ones relevant to its needs.
Two examples of configuration settings that should be specified in baseline documents, so that storage systems are built accordingly: on EMC Data Domain, configure the retention lock period so that backup data cannot be altered or deleted; this is critical to recoverability from a cyberattack, where there will probably be attempts to wipe out backup data sources. Similarly, NetApp systems offer an option to configure file policies; here, it is vital that a policy be specified that blocks traffic suspected of being ransomware.
Heads up! In the many different systems that make up an enterprise’s infrastructure, these options are not automatically enabled. For each system, the appropriate and preferred security configurations must be put into place in order to meet the recovery objectives specified in the security baseline documents.
Enabling configuration options for recoverability, such as the two described above, is just the first step. Because vendors and industry bodies keep releasing new configuration best practices, IT must continuously validate that security configurations are still in place and correct. To ensure adherence to the baseline requirements and keep the environment resilient and recoverable, organizations need to stay current with the newest best practices from multiple sources and continuously update and integrate them.
These are big, complex tasks that cannot realistically be carried out manually. Ongoing configuration validation for recovery must be automated.
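The baseline-validation loop described above (a baseline document stating minimum settings, collected configuration snapshots, and an automated comparison that flags drift) can be sketched in a few dozen lines. The following is an added example, not Continuity Software's code and not the output format of any real collector: the system names, setting keys (such as `retention_lock_enabled` and `fpolicy_blocked_extensions`) and values are constructed stand-ins for what a collector would pull from a Data Domain or NetApp system. The two baseline rules mirror the two settings the post names: Data Domain retention lock and a NetApp file policy.

```python
"""Baseline-drift checker for storage recovery settings (added example).

Not vendor code. Setting keys and snapshot values are constructed
placeholders standing in for what a real configuration collector returns.
"""
from dataclasses import dataclass
from typing import Any, Callable

# Comparison operators a baseline rule may use. Every operator treats a
# missing value (None) as a failure: a setting the collector could not see
# must not silently pass as compliant.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual is not None and actual == expected,
    "gte": lambda actual, expected: actual is not None and actual >= expected,
    "contains": lambda actual, expected: actual is not None and expected in actual,
}


@dataclass(frozen=True)
class Rule:
    system_type: str   # which kind of system the rule applies to
    setting: str       # key in the collected configuration snapshot
    operator: str      # one of OPERATORS
    expected: Any
    rationale: str     # why the baseline document requires it


@dataclass(frozen=True)
class Finding:
    system: str
    setting: str
    actual: Any
    expected: Any
    rationale: str


# Constructed baseline reflecting the two settings the post describes.
BASELINE = [
    Rule("data_domain", "retention_lock_enabled", "eq", True,
         "backup data must not be alterable or deletable before retention expires"),
    Rule("data_domain", "retention_lock_min_days", "gte", 30,
         "retention period must cover the planned recovery window"),
    Rule("netapp", "fpolicy_enabled", "eq", True,
         "file policy must be active to block suspected ransomware traffic"),
    Rule("netapp", "fpolicy_blocked_extensions", "contains", ".locked",
         "policy must include the organization's approved block list"),
]

# Constructed configuration snapshots, keyed by system name, as a collector
# might return them. dd-backup-02 and nas-prod-02 deliberately drift.
SNAPSHOTS = {
    "dd-backup-01": {"type": "data_domain", "retention_lock_enabled": True,
                     "retention_lock_min_days": 45},
    "dd-backup-02": {"type": "data_domain", "retention_lock_enabled": False},
    "nas-prod-01": {"type": "netapp", "fpolicy_enabled": True,
                    "fpolicy_blocked_extensions": [".locked", ".crypt"]},
    "nas-prod-02": {"type": "netapp", "fpolicy_enabled": True,
                    "fpolicy_blocked_extensions": []},
}


def validate(baseline: list[Rule], snapshots: dict[str, dict]) -> list[Finding]:
    """Compare every snapshot against every applicable rule; return violations."""
    findings: list[Finding] = []
    for name, config in snapshots.items():
        for rule in baseline:
            if rule.system_type != config.get("type"):
                continue
            actual = config.get(rule.setting)  # None if the collector saw nothing
            if not OPERATORS[rule.operator](actual, rule.expected):
                findings.append(Finding(name, rule.setting, actual,
                                        rule.expected, rule.rationale))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Render findings as one line each, suitable for a ticket or log."""
    return [f"{f.system}: {f.setting}={f.actual!r} (required {f.expected!r}): "
            f"{f.rationale}" for f in findings]


if __name__ == "__main__":
    for line in report(validate(BASELINE, SNAPSHOTS)):
        print(line)
```

Run as a script it lists the three drifted settings: the disabled retention lock and the unreported retention period on dd-backup-02, and the empty block list on nas-prod-02. The design choice worth noting is that an absent setting is reported as a violation rather than skipped; a collector that fails to read a value should surface as drift, because "we could not verify it" is exactly the state an attacker tampering with the recovery system would want to leave behind.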
Continuity Software’s solutions focus exclusively on enabling recovery from cyberattacks and preventing loss of critical data. They check for vulnerabilities, violations of industry best practices and of organizational security baseline requirements, deviations from ransomware guidelines, and non-compliance with regulations, all of which affect your resilience and recoverability.