Is my organization’s disaster recovery strategy ready for today’s uncertain cyber landscape? Your company has determined the recovery point objectives (RPOs) and recovery time objectives (RTOs) for all systems and has implemented solutions to achieve them. Your organization routinely performs successful disaster recovery (DR) tests that meet your established expectations and objectives. If a situation arises that requires your organization to activate its disaster recovery plan (DRP), shouldn’t you feel confident it will deliver a successful recovery as expected? The answer may seem to be an obvious “Yes”, but in reality it often is not.
Traditional DR strategies do a very good job of preparing organizations to recover from a natural disaster such as an earthquake, fire, flood, hurricane or tornado. They also work for infrastructure and utility failures, including cooling, networking and internet services, servers, storage or power. However, these plans typically fall short when it comes to recovering from cybersecurity events such as ransomware. In a recent 11:11 Cyber Resilience webinar, our senior executives discussed that to be truly cyber resilient an organization needs to enhance its ability to withstand, prevent, respond to, and recover from all sorts of cyber incidents as well as other events like natural disasters. A successful DRP should recover systems to a state that is both known good and known clean.
Cyber Resilience – a comprehensive end-to-end approach that organizations adopt to enhance their ability to withstand and prevent, respond to, and recover from cyber risks and incidents.
Recovery to a known good state means that a system has been restored to a properly operating and functioning state by using the recovery solution (replication or backup) to restore a successful copy of the production environment. Recovery to a known clean state, on the other hand, means that the recovered system is free of malicious artifacts (unauthorized changes, scripts and executables). Following a traditional DRP, an organization uses the most recent known good recovery media to restore systems to that state.
With cybersecurity events it is probable that malicious actors had been lurking in an organization’s systems for some time before the actual event occurred. This means malicious artifacts can exist on systems for an unknown period before the event. If we follow a traditional DRP, recovered systems may still contain those artifacts; they have been recovered to a known good state, but not to a known clean state. This leaves the malicious actor positioned to cause the same impactful event to recur with little effort.
When recovering from a cybersecurity event, the most recent known good recovery media may therefore not be suitable because it is not clean. This creates a challenge: meeting the defined RPOs and RTOs may not be realistic. The organization needs to be able to evaluate its recovery media to determine which version is not only the most recent known good version but also a clean one. In practice that means establishing when the intrusion began, since any copy taken after that point may carry artifacts that a scan did not catch, and treating only older, verified copies as candidates.
This requires organizations to update and enhance their disaster recovery strategies. A cyber-recovery cleanroom (clean room) should be incorporated into the DR strategy. A cleanroom is an independent, isolated environment designed to securely recover and validate systems after a cybersecurity event. Its purpose is to ensure that systems are recovered to a known good and clean state, free of the malicious artifacts that led to the initial event.
Updating disaster recovery strategies and implementing a cleanroom, while very important, does not solve the problem entirely. There is still the issue of lost data and work. If the malicious actor has been lurking in the organization’s systems for a few weeks, the organization may have no choice but to recover from recovery media that is weeks old. Afterwards, the work performed between the date of that recovery media and the date of the cybersecurity event will need to be reproduced. According to Mandiant’s M-Trends 2024 report, the global median dwell time was 10 days in 2023. While this is down from the 24 days reported for 2020, four years earlier, it can still be a huge gap in terms of lost work, and because it is a median, half of the intrusions observed lasted longer than that.
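As an added example (not part of the original post and not 11:11 Systems’ tooling), the following Python script shows the selection logic the preceding paragraphs describe for known good versus known clean state, evaluating recovery media, and dwell time: given a set of backup snapshots, pick the newest one that is both known good (a test restore succeeded) and known clean (taken before the estimated start of the intrusion and free of indicators of compromise), then report how much work must be reproduced and whether the defined RPO is still met. The snapshot records, the event time, the forensic compromise time, the field names and the 10-day fallback dwell assumption are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class RecoveryPoint:
    """One backup or replica snapshot. Field names are assumptions for this example."""
    taken_at: datetime        # when the snapshot was captured
    restore_verified: bool    # a test restore booted and passed application checks ("known good")
    ioc_hits: int             # indicators of compromise found when scanning the restored copy


@dataclass(frozen=True)
class Assessment:
    selected: Optional[RecoveryPoint]   # newest point that is both known good and known clean
    trust_cutoff: datetime              # snapshots taken at or after this time are untrusted
    loss_window: Optional[timedelta]    # work to reproduce: event time minus snapshot time
    rpo_met: bool                       # whether loss_window is within the defined RPO


def is_known_good(rp: RecoveryPoint) -> bool:
    return rp.restore_verified


def is_known_clean(rp: RecoveryPoint, trust_cutoff: datetime) -> bool:
    # A clean scan alone is not enough: scanners miss artifacts, so the snapshot must also
    # predate the earliest time the attacker is believed to have been in the environment.
    return rp.taken_at < trust_cutoff and rp.ioc_hits == 0


def assess_recovery(points: List[RecoveryPoint], event_at: datetime, rpo: timedelta,
                    earliest_compromise: Optional[datetime] = None,
                    assumed_dwell: timedelta = timedelta(days=10)) -> Assessment:
    """Pick the newest recovery point that is known good AND known clean.

    earliest_compromise comes from forensic analysis. When it is not yet known, fall back to
    event_at minus an assumed dwell time (10 days here, an assumption to be replaced as soon
    as the investigation provides a real figure).
    """
    cutoff = earliest_compromise if earliest_compromise is not None else event_at - assumed_dwell
    candidates = [p for p in points if is_known_good(p) and is_known_clean(p, cutoff)]
    if not candidates:
        return Assessment(None, cutoff, None, False)
    best = max(candidates, key=lambda p: p.taken_at)
    window = event_at - best.taken_at
    return Assessment(best, cutoff, window, window <= rpo)


# Constructed sample data: nightly snapshots around a ransomware detonation on 15 March.
EVENT_AT = datetime(2024, 3, 15, 2, 0)
RPO = timedelta(hours=24)
SNAPSHOTS = [
    RecoveryPoint(datetime(2024, 3, 14, 23, 0), True, 3),   # newest, restores fine, but carries IOCs
    RecoveryPoint(datetime(2024, 3, 10, 23, 0), True, 0),   # scans clean, but taken during the dwell period
    RecoveryPoint(datetime(2024, 3, 4, 23, 0), True, 0),    # hours after the forensic compromise time
    RecoveryPoint(datetime(2024, 3, 3, 23, 0), False, 0),   # predates compromise, but the test restore failed
    RecoveryPoint(datetime(2024, 3, 2, 23, 0), True, 0),    # known good and known clean
    RecoveryPoint(datetime(2024, 2, 25, 23, 0), True, 0),   # older, also usable
]


def forensic_assessment() -> Assessment:
    # Forensics established that the intrusion began on 4 March at 09:30 (constructed value).
    return assess_recovery(SNAPSHOTS, EVENT_AT, RPO, earliest_compromise=datetime(2024, 3, 4, 9, 30))


def provisional_assessment() -> Assessment:
    # Before forensics reports back, only the assumed dwell time bounds the search.
    return assess_recovery(SNAPSHOTS, EVENT_AT, RPO)


if __name__ == "__main__":
    for label, a in (("forensic", forensic_assessment()), ("provisional", provisional_assessment())):
        when = a.selected.taken_at if a.selected else None
        print(f"{label}: restore from {when}, lost work {a.loss_window}, RPO met: {a.rpo_met}")
```

With the constructed data the forensic cutoff selects the 2 March snapshot (12 days and 3 hours of work to reproduce, well outside the 24-hour RPO), while the provisional 10-day assumption would have picked the 4 March snapshot, which was actually taken hours after the intrusion began. That difference is why the compromise date from the investigation, not a published average, should drive the choice of recovery media.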
Organizations must take steps to shorten that dwell time, which in turn reduces the age of the clean recovery media they will have to fall back on. Enhancing the ability to detect and respond to cybersecurity events is essential to making that happen, and endpoint detection and response (EDR) and security information and event management (SIEM) solutions can help. SIEMs aggregate event and log data from across the environment and correlate activity, providing the holistic visibility needed to detect and identify malicious or anomalous behavior. EDR solutions use behavioral analysis and machine learning to detect and respond to malicious behavior, ransomware and malware on endpoints.
It is crucial that an organization is able to analyze and respond to cybersecurity events 24/7/365. Malicious actors are opportunistic and prone to carry out attacks when defenses are reduced and they are less likely to be detected quickly, which is typically outside normal business hours such as nights, weekends and holidays. For many organizations, standing up a security operations center (SOC) with the skilled cybersecurity talent needed to meet these requirements is challenging and cost prohibitive.
A managed detection and response (MDR) solution gives organizations a way to meet those expectations in support of a robust disaster recovery strategy. MDR solutions provide the features and capabilities of both SIEM and EDR as a managed and monitored service. This lets organizations benefit from a 24/7/365 SOC staffed with skilled cybersecurity talent, enabling timely detection of and response to actionable cybersecurity events in a much more cost-effective manner.
11:11 Systems has a wealth of information and tools to help along your cybersecurity journey. If you would like to learn more about disaster recovery strategies and tools please reach out to an 11:11 Representative or check out these additional resources.