Cyber incident recovery: Be prepared, be fast and be agile

By: Mike Errity

We’re used to planning for natural catastrophes. While their paths are random, we usually know what the effect of the potential damage will be. We can adequately prepare to mitigate the effects through necessary resiliency programs. With natural events, we see where and what the damage is, we know when it occurred and we know who’s impacted by it. Classic methods have evolved with software-defined resiliency capability to enable assured recovery.

Recovering from cyber incidents such as a cyber attack, data breach or ransomware attack, on the other hand, is a different story. We have little visibility into these factors. We may not even know that a breach or cyber attack has happened, let alone who’s been affected, what damage occurred or how widespread it is. The threat actor may be someone on the other side of the world or it may be someone inside your enterprise. Their intent is malicious, and their path is not random — precise aim is being applied to your operation.

When these cyber incidents occur, the disaster recovery (DR) process can be frenetic. Recovering from a pervasive event becomes an all-hands-on-deck affair. Your most skilled, knowledgeable and dedicated staff scramble to find, fix and recover from the attack.

Given the widespread risk possibilities, building a comprehensive cyber resiliency program requires a cross-competency of network, security and resiliency skills. A cyber resiliency assessment can provide a roadmap for readiness to recover and lead to auditable testing scenarios.

Point and time: Classic objectives applied to cyber incident recovery

The key metrics for measuring the effectiveness of any business and technical recovery are the common objectives of recovery point (RPO) and recovery time (RTO) for all your critical and operational systems.

We are learning that a fast recovery from a cyber incident to a safe point in time demands purpose-built solutions. As with natural disasters, these solutions need to be repeatable up to a point — but more importantly, given the silent and often-changing nature of cyberattacks, they must be agile enough to adapt to the unknown.

That’s why, at IBM, we are evolving our disaster recovery (DR) orchestration solutions to assist our clients’ efforts to swiftly recover from cyber incidents. Our goal is to enable recovery as robustly and confidently as we do today with our clients who test and execute infrastructure recovery solutions.

Platform recovery: A new definition of a disaster

As cyber incidents become increasingly pervasive, the perimeter of a data center becomes a potential risk for a point of entry. Any private domain has private and public access points, with only authorized personnel allowed entry at the private doors. In a private, hybrid or cloud technology environment, perimeter platforms are in a constant state of flux. Despite constant change, it is essential that any unauthorized open door be closed as soon as possible.

Leveraging the capabilities of the IBM Resiliency Services Orchestrator, we are building new workflows to enable constant vigilance, assess an unauthorized change to configuration profiles, and, when a suspicious change is determined, initiate an automated recovery of a system to its correct state. In the past, we focused on recovering inoperable systems in a remote disaster recovery (DR) center, but now we need to orchestrate a solution to enable a platform’s return to its proper, safe configuration profile — all while it is in production. This is the IBM solution for cyber incident platform recovery configurations.
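The platform recovery workflow described above, as an added example that is not IBM’s own code: a signed configuration baseline, a drift check that ignores changes covered by an approved change record, and the automated revert to the baseline values. The signing key, setting names and the change-approval set are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set, Tuple

Profile = Dict[str, str]

def sign_profile(profile: Profile, key: bytes) -> str:
    """HMAC over a canonical JSON form so the stored baseline cannot be altered silently."""
    canonical = json.dumps(profile, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def baseline_is_trusted(profile: Profile, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_profile(profile, key), signature)

def detect_drift(baseline: Profile, live: Profile,
                 approved: Set[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (setting, live value, baseline value) for every setting that differs
    from the baseline and is not covered by an approved change."""
    drift = []
    for setting in sorted(set(baseline) | set(live)):
        if baseline.get(setting) != live.get(setting) and setting not in approved:
            drift.append((setting, live.get(setting), baseline.get(setting)))
    return drift

def remediate(live: Profile, drift) -> Profile:
    """Automated recovery step: revert each drifted setting to its baseline value."""
    fixed = dict(live)
    for setting, _, wanted in drift:
        if wanted is None:
            fixed.pop(setting, None)   # setting did not exist in the baseline
        else:
            fixed[setting] = wanted
    return fixed

def constructed_case():
    """Constructed sample: a signed baseline, a live profile with two unauthorized
    changes and one approved change."""
    key = b"constructed-baseline-signing-key"
    baseline = {"ssh.PermitRootLogin": "no", "fw.inbound.3389": "deny", "auth.mfa": "required"}
    live = {"ssh.PermitRootLogin": "yes", "fw.inbound.3389": "allow",
            "auth.mfa": "required", "fw.inbound.8443": "allow"}
    approved = {"fw.inbound.8443"}  # change record on file for this setting
    return key, baseline, sign_profile(baseline, key), live, approved
```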

Go back in time: Ensure recovery to a clean copy

Imagine you know a cyber incident occurred. Your immediate thought is to return to the point in time when you knew all of your data was safe from harm.

Returning to that point of clean client data requires extended capabilities of data management — a range of copies (snapped) kept remotely safe (air gapped) on immutable storage (WORM technology) and verifiably tested for accuracy (in a clean room) through an expeditious approach.

With our products and partners, we’re building a framework that spans data and compute layers to orchestrate this data recovery process. This is the IBM solution for cyber incident data recovery.
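The clean-copy selection described in this section, as an added example that is not IBM’s or a partner’s code: walk the immutable, air-gapped snapshots newest-first, run a clean-room verification on each candidate, and stop as soon as a verified copy is found or the remaining copies would miss the RPO. The compromise indicator, snapshot schedule and payloads are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed indicator standing in for whatever the clean-room scan checks.
RANSOM_MARKER = b"[[CONSTRUCTED-RANSOM-NOTE]]"

def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()

@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    taken_at: datetime
    immutable: bool   # held on WORM storage
    air_gapped: bool  # copy kept off the production network
    sha256: str       # digest recorded when the snapshot was taken

def verify_in_clean_room(snap: Snapshot, restored: bytes) -> bool:
    """Clean-room test: restored bytes must match the recorded digest and must
    not carry the compromise indicator (a copy snapped after infection fails here)."""
    return digest(restored) == snap.sha256 and RANSOM_MARKER not in restored

def select_clean_copy(snaps: List[Snapshot], restored: Dict[str, bytes],
                      incident_at: datetime, rpo_hours: float) -> Optional[Snapshot]:
    """Walk newest-first so the first copy that passes verification is the one
    with the least data loss; stop once even the newest remaining copy breaks RPO."""
    for snap in sorted(snaps, key=lambda s: s.taken_at, reverse=True):
        if snap.taken_at >= incident_at or not (snap.immutable and snap.air_gapped):
            continue
        if incident_at - snap.taken_at > timedelta(hours=rpo_hours):
            return None  # this copy and every older one exceed the objective
        if verify_in_clean_room(snap, restored.get(snap.snapshot_id, b"")):
            return snap
    return None

def constructed_fleet():
    """Constructed sample: four six-hourly snapshots, incident detected at hour 20."""
    t0 = datetime(2018, 3, 1)
    good = b"customer-ledger-v1"
    infected = good + RANSOM_MARKER  # already compromised when it was snapped
    snaps = [
        Snapshot("s1", t0, True, True, digest(good)),
        Snapshot("s2", t0 + timedelta(hours=6), True, True, digest(good)),
        Snapshot("s3", t0 + timedelta(hours=12), True, False, digest(good)),  # never air-gapped
        Snapshot("s4", t0 + timedelta(hours=18), True, True, digest(infected)),
    ]
    restored = {"s1": good, "s2": good, "s3": good, "s4": infected}
    return snaps, restored, t0 + timedelta(hours=20)
```

With a 24-hour RPO the walk rejects s4 (infected when snapped) and skips s3 (never air-gapped), landing on s2 with 14 hours of data loss; with a 12-hour RPO no copy qualifies and the result is None.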

Cyber incidents will always be targeted, malicious and volatile. With new assessment methodologies, orchestration tools and frameworks, we are creating purpose-built resiliency solutions to enable an agile approach to recover from a cyber disaster scenario.

Questions? Come see us at IBM THINK 2018 on March 19 – 22 or at the DRJ Spring World conference on March 25 – 28, 2018. To learn more about the new cyber incident recovery solutions from IBM, set up a one-on-one conversation with one of our experts today.


About The Author

Mike Errity

Vice President of Resiliency Services, IBM

Mike Errity is Vice President of IBM Resiliency Services in North America for IBM Global Technology Services. He manages the consulting, sales and delivery team implementing industry-leading service processes to create client value and earn loyalty. Mike and his team work with clients to design and deploy solutions for business resiliency and to mitigate operational...