There’s a saying in cybersecurity: “It’s not if, it’s when.” With the chances of becoming the target of a ransomware attack climbing, simply hoping it won’t happen isn’t a great strategy.
If you’re in a leadership role, you might be losing sleep over cyberattacks. And you’re not alone. One of the largest ransomware attacks to date recently spread through a widely used remote-management product to the downstream customers of the service providers that run it, a textbook supply-chain attack.
It’s time to sit down with your CISO and other security team members to discuss your organization’s cybersecurity defenses. The questions below can help you discover what safeguards are in place and where you might be falling short in deterring cyber threats.
1. Do we have a vulnerability and patch management program? How do we measure its effectiveness?
Installing software patches and updating systems to eliminate known vulnerabilities is the low-hanging fruit of security work. Yet busy security teams struggle to settle into a regular cadence of patching and upgrading, and it’s painfully easy to let these tasks slide. The Kaseya ransomware attack affected as many as 1,500 businesses downstream of the managed service providers that run the company’s VSA remote-management software, and inconsistent patching practices at the vendor may have contributed. (Employees appear to have complained to senior leaders about sloppy patching practices to no avail.)
If your security team confirms that your company has a patch management program, then the next questions to ask are: How do we measure success, and what are the SLAs?
Patching does little good if the patches are applied months or even years after they’re released. The security team should track how current every system is and be able to demonstrate it, not just assert it. A reasonable target is to apply patches within days, or at most a couple of weeks, of release, with critical fixes at the short end of that range. For major releases, stay at n-1 behind the current version, or at worst n-2.
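The two measurements the section asks for, time-to-patch against a per-severity SLA and major-version lag against an n-1 target, are straightforward to compute from a patch inventory. The following is an added example written for this article, not code from the original page or from any vendor; the SLA windows, the n-1 limit, the host names and the patch records are all constructed to illustrate the calculation.

```python
"""Patch-SLA metrics over a constructed host inventory (added example).

Given per-host patch records (vendor release date, install date or still
missing) and installed-vs-latest major versions, report compliance rate,
mean time-to-patch (MTTP), open SLA breaches and hosts worse than n-1.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Hypothetical SLA: maximum days from vendor release to install, per severity.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
MAX_MAJOR_LAG = 1  # stay on n-1 or newer for major releases (assumed target)


@dataclass
class PatchRecord:
    host: str
    patch: str
    severity: str
    released: date
    installed: Optional[date]  # None means the patch is still missing


@dataclass
class VersionRecord:
    host: str
    product: str
    installed_major: int
    latest_major: int


def days_open(rec: PatchRecord, today: date) -> int:
    """Days from release to install, or to today if still unpatched."""
    end = rec.installed or today
    return (end - rec.released).days


def patch_metrics(records: List[PatchRecord], today: date) -> Dict[str, dict]:
    """Per severity: compliance rate, MTTP and hosts currently breaching the SLA."""
    out = {}
    for sev, limit in SLA_DAYS.items():
        recs = [r for r in records if r.severity == sev]
        if not recs:
            continue
        within = [r for r in recs
                  if r.installed is not None and days_open(r, today) <= limit]
        applied = [days_open(r, today) for r in recs if r.installed is not None]
        out[sev] = {
            "total": len(recs),
            "within_sla": len(within),
            "compliance_pct": round(100.0 * len(within) / len(recs), 1),
            "mttp_days": round(mean(applied), 1) if applied else None,
            # Still-missing patches already older than the SLA window.
            "open_breaches": [f"{r.host}:{r.patch}" for r in recs
                              if r.installed is None and days_open(r, today) > limit],
        }
    return out


def version_lag_violations(records: List[VersionRecord],
                           max_lag: int = MAX_MAJOR_LAG) -> List[Tuple[str, str, int]]:
    """Hosts more than max_lag major releases behind (i.e. worse than n-1)."""
    return [(r.host, r.product, r.latest_major - r.installed_major)
            for r in records if r.latest_major - r.installed_major > max_lag]


# Constructed sample inventory; patch IDs and hosts are made up.
TODAY = date(2021, 7, 20)
PATCHES = [
    PatchRecord("web-01", "KB-1001", "critical", date(2021, 7, 1), date(2021, 7, 5)),
    PatchRecord("web-02", "KB-1001", "critical", date(2021, 7, 1), date(2021, 7, 12)),
    PatchRecord("db-01",  "KB-1001", "critical", date(2021, 7, 1), None),
    PatchRecord("web-01", "KB-2002", "high",     date(2021, 6, 20), date(2021, 6, 30)),
    PatchRecord("db-01",  "KB-2002", "high",     date(2021, 6, 20), date(2021, 7, 19)),
]
VERSIONS = [
    VersionRecord("web-01", "AppServer", 12, 12),
    VersionRecord("web-02", "AppServer", 11, 12),  # n-1: acceptable
    VersionRecord("db-01",  "DBEngine",   9, 12),  # n-3: violation
]

if __name__ == "__main__":
    for sev, m in patch_metrics(PATCHES, TODAY).items():
        print(sev, m)
    print("version lag violations:", version_lag_violations(VERSIONS))
```

On the sample data, the critical patch is at 33.3% compliance with one host still open past the SLA, and one database host is three major releases behind. Those are the kinds of numbers to ask for when the answer to “how do we measure success” is vague.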
If the security team tells you there is no patch management program or the program is too slow or ineffective, there’s no time like the present to get one started—or get your existing one amped up.
2. Do we have a recovery plan mapped out in case we do suffer a ransomware attack? How will we restore data?
Security teams should consider putting incident response and forensics retainers in place with outside firms, with the SLAs, scope of response, and cost clearly defined. This arrangement needs to exist before an attack happens, not be negotiated while one is underway. The last thing anyone wants is to scramble for help as an attack is occurring.
Getting back online while the forensic investigation is still in progress is key, and the right storage provider can be the difference between days and weeks. Pure Storage Evergreen//One™ storage as-a-service now offers a unique ransomware recovery SLA that addresses many of these recovery steps. In particular, the SLA provides next-business-day shipping of clean recovery array(s)*, an 8 TiB/hour data transfer rate, a technical services engineering team to finalize the recovery plan, and an onsite professional services engineer from the time the array arrives through replacement of the infected array(s).
As for data, it’s important to note the “ask” here: You need to know how data will be restored, as opposed to simply backed up. If data is backed up, that’s good. But if it takes several hours (or days) to restore, that’s not good at all. Consider asking about the benefits of tiered security architectures and “data bunkers,” isolated copies that retain large amounts of data and can be made available immediately.
In addition, work with fellow executives to ensure that tiers of recovery are agreed on with other stakeholders. Application restoration priorities or tiers should be well-defined so that business units know the timeline for restoring applications and there are no surprises. The planning should also include critical infrastructure such as Active Directory and DNS. Without these services, other business applications can’t come back online or function correctly.
3. How often do we test how our systems would perform in the event of an attack?
The corollary to this question is, “How long until our data is available again after an attack? One hour? Or 10 hours?” Only by rehearsing realistic attack scenarios, through to a completed restore, can the CISO and security team confidently benchmark the time back to normal operations. As we heard security experts say during our recent Pure//Accelerate® Digital sessions, too many companies never test their restore workflows, so they neither know how long recovery will take nor how to shorten it.
You also need documentation of the tests to prove effectiveness over time and to maintain an accurate, up-to-date heatmap: which applications are tested, how often, and with what results, including the measured restore time against the agreed target. The documentation should give particular attention to the critical infrastructure that must be restored first in an outage, since other applications depend on it.
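The recovery tiers, the dependency on Active Directory and DNS, and the measured restore times from the previous two sections can be combined into one check: order the restores so that every dependency comes back before the applications that need it, project when each application will be usable, and flag any application whose projected recovery misses its tier’s RTO or whose plan depends on something in a lower-priority tier. This is an added example written for this article, not a tool or method from the original page or from Pure Storage; the tier RTOs, the application catalog, the dependencies and the restore durations are all constructed, and the projection assumes a restore starts as soon as its dependencies are back (a dependency critical path), which is optimistic for a team with limited hands.

```python
"""Dependency-ordered restore plan checked against tier RTOs (added example).

Core services (here Active Directory and DNS) are tier 0 and must come back
first; each application's projected recovery is the longest chain of
restores it waits on. Raises graphlib.CycleError if the plan is circular.
"""
from graphlib import TopologicalSorter  # Python 3.9+
from typing import Dict, List, Tuple

# Hypothetical tier targets: maximum hours until an application is back.
TIER_RTO_HOURS = {0: 2, 1: 8, 2: 24}

# Constructed application catalog: tier, dependencies, and the restore time
# measured in the most recent test (hours). Names and numbers are made up.
APPS = {
    "active-directory": {"tier": 0, "deps": [], "restore_hours": 1.0},
    "dns":              {"tier": 0, "deps": [], "restore_hours": 0.5},
    "database":         {"tier": 1, "deps": ["active-directory", "dns"], "restore_hours": 3.0},
    "file-share":       {"tier": 2, "deps": ["active-directory"], "restore_hours": 1.5},
    "erp":              {"tier": 1, "deps": ["database", "active-directory", "file-share"],
                         "restore_hours": 5.0},
    "intranet":         {"tier": 2, "deps": ["active-directory", "dns"], "restore_hours": 1.0},
    "reporting":        {"tier": 2, "deps": ["database"], "restore_hours": 4.0},
}


def restore_order(apps: Dict[str, dict]) -> List[str]:
    """Apps ordered so every dependency precedes its dependents; ties by tier, then name."""
    ts = TopologicalSorter({name: set(a["deps"]) for name, a in apps.items()})
    ts.prepare()  # raises CycleError if two apps depend on each other
    order = []
    while ts.is_active():
        ready = sorted(ts.get_ready(), key=lambda n: (apps[n]["tier"], n))
        order.extend(ready)
        ts.done(*ready)
    return order


def projected_recovery(apps: Dict[str, dict]) -> Dict[str, float]:
    """Hours until each app is usable, assuming a restore starts when its deps are back."""
    finish: Dict[str, float] = {}
    for name in restore_order(apps):
        start = max((finish[d] for d in apps[name]["deps"]), default=0.0)
        finish[name] = start + apps[name]["restore_hours"]
    return finish


def rto_breaches(apps: Dict[str, dict]) -> Dict[str, Tuple[float, int]]:
    """Apps whose projected recovery exceeds their tier RTO: name -> (projected, target)."""
    fin = projected_recovery(apps)
    return {n: (fin[n], TIER_RTO_HOURS[apps[n]["tier"]])
            for n in apps if fin[n] > TIER_RTO_HOURS[apps[n]["tier"]]}


def tier_inversions(apps: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Apps that depend on a service in a lower-priority (higher-numbered) tier.

    Such a dependency makes the higher tier's promised timeline unrealistic
    unless the dependency is promoted; this is a planning error to surface."""
    return [(n, d) for n, a in apps.items()
            for d in a["deps"] if apps[d]["tier"] > a["tier"]]


if __name__ == "__main__":
    print("restore order:", restore_order(APPS))
    for name, hours in projected_recovery(APPS).items():
        print(f"{name:18s} back after {hours:4.1f} h (tier {APPS[name]['tier']})")
    print("RTO breaches:", rto_breaches(APPS))
    print("tier inversions:", tier_inversions(APPS))
```

In the sample plan the ERP system misses its tier-1 target (projected 9 hours against an 8-hour RTO) and depends on a tier-2 file share, which is exactly the kind of surprise the tiering exercise is meant to remove before an incident rather than during one.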
4. If we are under attack, how will we communicate?
Security teams need well-defined communications plans when it’s time to inform leaders about the onset of a cyberattack. If systems and email are down, what’s the chosen method of reaching out to business units? It’s important to create and update lists of cell phone numbers and alternate email addresses for contacts within IT and security teams, senior leaders, and outside security consultants such as the retained forensics team.
Also critical: preparing an external communications plan for working with the media, regulators, and legal teams. Contacts at local offices of law enforcement authorities, such as the FBI in the United States, may also prove useful. Include cyber insurance providers as well, since they can explain coverage and its limitations and often have notification requirements of their own.
5. Are we getting enough ROI from our SIEM solutions? Do we have the visibility and speed we need?
While many SIEM solutions come with plenty of capabilities right out of the box, they still rely on the underlying storage to analyze massive amounts of data at high speed. Collecting data alone isn’t enough to get real ROI from a SIEM. Ask your CISO to dig into SIEM capabilities and performance, and consider a storage solution with built-in anomaly detection like you get with Evergreen//One.
Anomaly detection is key. Ransomware encrypts data, and encrypted data neither compresses nor deduplicates, so a sudden drop in an array’s data reduction ratio is a strong signal that an attack may be underway. Pure1 Meta’s AIOps leverages machine learning to identify anomalous drops in data reduction ratios that could indicate an attack has occurred.
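To make the data-reduction signal concrete, the following added example flags anomalous drops in a series of daily reduction-ratio samples against a trailing baseline. It is written for this article to illustrate the idea and is not Pure1 Meta’s algorithm or any vendor’s code; the window size, the percentage and z-score thresholds, the baseline-variance floor and the sample series are all constructed. A drop in reduction ratio also has benign causes (ingesting already-compressed media, or application-level encryption being switched on), so the output is a trigger for investigation, not proof of compromise.

```python
"""Flag anomalous drops in a storage array's data reduction ratio (added example).

Each day's ratio is compared with a trailing baseline of samples previously
judged normal. An alert needs both a large percentage drop and a large
z-score, so a single noisy day on a healthy array stays quiet, while a
baseline that is never updated from anomalous samples keeps alerting for
the whole duration of an encryption event.
"""
from statistics import mean, pstdev
from typing import List, Tuple


def reduction_ratio_alerts(ratios: List[float], window: int = 7,
                           min_drop_pct: float = 20.0,
                           z_threshold: float = 3.0) -> List[Tuple[int, float]]:
    """Return (sample index, percent drop versus baseline) for each alert.

    The first `window` samples are assumed healthy and seed the baseline.
    Thresholds are assumed values for illustration, not tuned defaults."""
    if len(ratios) <= window:
        return []
    baseline = list(ratios[:window])
    alerts = []
    for i in range(window, len(ratios)):
        mu = mean(baseline)
        # Floor the spread so a perfectly flat baseline does not turn a
        # harmless wobble into a many-sigma event.
        sigma = max(pstdev(baseline), 0.05 * mu)
        drop_pct = 100.0 * (mu - ratios[i]) / mu
        z = (mu - ratios[i]) / sigma
        if drop_pct >= min_drop_pct and z >= z_threshold:
            alerts.append((i, round(drop_pct, 1)))
        else:
            # Learn only from samples judged normal, so an ongoing incident
            # does not get absorbed into the baseline.
            baseline = baseline[1:] + [ratios[i]]
    return alerts


# Constructed daily reduction ratios (e.g. 4.2 means 4.2:1). A healthy
# run of ~4:1 is followed by three days of encrypted, incompressible writes.
ENCRYPTION_EVENT = [4.2, 4.1, 4.3, 4.2, 4.0, 4.2, 4.1, 4.2, 4.3, 2.1, 1.4, 1.2]

# Constructed gradual decline, e.g. a growing share of compressed media;
# this should not alert.
GRADUAL_DRIFT = [4.2, 4.2, 4.1, 4.1, 4.0, 4.0, 3.9, 3.9, 3.8, 3.8, 3.7]

if __name__ == "__main__":
    print("encryption event:", reduction_ratio_alerts(ENCRYPTION_EVENT))
    print("gradual drift:   ", reduction_ratio_alerts(GRADUAL_DRIFT))
```

On the constructed series the first alert fires on the first day of encrypted writes (a 49.8% drop against the baseline) and keeps firing on the following days, while the slow drift produces no alerts. In practice the thresholds would be tuned per array from its own history, and the alert would be correlated with other telemetry (write bursts, file rename storms, SIEM events) before anyone declares an incident.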
6. How can we work together to assess cybersecurity risks?
If the CISO and the security team work in their own silo, cut off from senior leaders, there isn’t much hope of getting timely answers to any of the questions above. It’s better to connect with the CISO and agree on a schedule of regular briefings to the board and the C-suite, so that issues and emergencies get executive attention when it matters.
To strengthen relationships among teams, spend time with the CISO and security staff to perform tabletop training exercises with real-world scenarios to see how attacks might evolve and where gaps exist.
Download “10 Questions to Ask Your CISO” for These and More Action Items
Security should be everyone’s priority. Not just the IT team, not just the network admin, and not just the InfoSec team—everyone, including you.
The impacts of security threats can be far-reaching and devastating, affecting everything from revenue and productivity to your organization’s reputation and even your customers’ businesses. It’s in your best interest to understand your security strategy and partner with your security team to ensure they have the visibility, budget, and buy-in they need.
Download this sheet and use it to help kick off more productive conversations with your CISO and security team. And learn how Pure Storage® can provide your organization with the ultimate in rapid recovery solutions.