“Everybody has a plan until they get punched in the face,” said boxer Mike Tyson.
That could be the mantra for CISOs and their security teams who can do all possible prep in advance of potential security incidents, only to throw the playbook out the window when reality hits the fan. No matter how much prep has been done, a security incident has a way of pushing an organization’s procedures, technologies, and people to the limit.
We’re not arguing that a playbook isn’t important to recovery (it very much is), but having a resilient foundation is the real key. That includes having a well-educated, well-prepared team armed with the right tools to spring into action in the heat of the moment. When you have clear marching orders, a fully prioritized recovery plan, and a line of sight for recovery equipment, and resilient data, you’re less likely to be scrambling.
Read the Report: Achieving Cyber Resilience Requires Teamwork
You Need a Dynamic Team
Cybersecurity is a team sport requiring knowledge, coordination, and cross-functional readiness. The biggest wild card for any organization responding to an incident is people. Do they know their roles? Are they ready to step in and perform?
“In the heat of battle, different personalities pop up, and things you’ve rehearsed tend to get tested,” said one of the CISOs in Pure Storage’s recent panel discussion. That’s why it’s essential to have a well-prepared emergency response team ready to act when time is of the essence. That could include:
- Digital forensic experts. This group will gather and analyze evidence from affected machines, as well as security logs and other tools, following detailed procedures to maintain the integrity of their findings and ensure their suitability as evidence. This includes reconstructing the events that led to an event using security log data, retrieving lost data from physical and virtual devices, collecting and analyzing incident evidence, ensuring a provable chain of custody of digital evidence, liaising and collaborating with law enforcement, and providing testimony at legal proceedings.
- Legal counsel. The legal eagles help you understand the obligations, potential conflicts, and liabilities associated with an event. They can advise on how to communicate with law enforcement, investigative agencies, and stakeholders. They can also provide valuable input when drafting policies and procedures.
- Information security (InfoSec). InfoSec is a subset of cybersecurity specifically related to data security. The InfoSec team coordinates the investigation, assessment, tracking, resolution, and reporting of critical security incidents. They’ll also be the people to enact the security breach protocol and determine whether a security incident needs to be reported.
- Information technology. Not surprisingly, the IT team will be actively involved in all phases of emergency response. This includes mapping of all IT and network assets and endpoints, identification and assessment of incidents, containment measures to minimize damage, eradication or removal of the threat, restoration of systems to their previous state, and post-event analysis to improve future security and incident response efforts.
- Media relations and corporate communications. An organization must be able to communicate a consistent, accurate account during and after the security event. A predetermined point of contact can control and coordinate communication—including internal comms—and manage communication with media outlets, affiliate business entities, and external stakeholders.
- Investor relations. Designating a single person or team to communicate with valued partners and investors in the event of a security incident helps ensure that they’ll receive orderly communications and can assess the financial impacts of the incident.
- Incident manager. The incident manager occupies a position at the top of the ERT hierarchy. Their job is to coordinate all the actions of the ERT, ensure each team member carries out their action items, summarize findings, escalate issues to higher management, and, when necessary, assign ad hoc roles.
- Other important team members. As needed, the team can include cyber insurance providers and local or national law enforcement organizations.
The Technology You Need
After a security breach or attack, computing resources could be shut down and any compromised resources could be confiscated, quarantined, or needed for use by investigators. A staged recovery environment, set up and tested in advance, provides a secure, clean IT environment to help get critical systems back online as soon as possible.
- Immutable snapshots. Nicknamed “airbags for data storage,” immutable snapshots protect data from unauthorized modification and deletion based on existing data retention policies. After the initial intrusion and reconnaissance, ransomware will attempt to execute, encrypt, and/or exfiltrate data. Without the snapshots, and if a ransomware attack encrypts backup data or backup metadata, your chances of data recovery are slim, leaving you vulnerable to ransom demands.
- A cyber recovery SLA that ships clean arrays for recovery.
- Tiered resilience architecture with data “bunkers.” Tiered backup architectures are all about resiliency. They ensure data is in the best location for recovery at all times, bringing you closer to achieving zero recovery time objectives (RTOs). Tiering snapshots isolates them, further ensuring their availability in the event of a disaster.
Stay Resilient from Events with the Pure Storage Platform
What if your data storage platform could make “major events” more like “tolerable events”? While a Pure Storage array canʼt prevent an attack, it can give you the ability to survive one and quickly recover. Hereʼs how.
Pure Storage® SafeMode™ Snapshots are the only snapshots in the industry with this advantage. SafeMode Snapshots are what I call “super immutable+.ˮ Like traditional, immutable snapshots, once theyʼre stored, data contained within cannot be changed, edited, or overwritten. However, thereʼs a major advantage to Pure Storageʼs SafeMode Snapshots: They also cannot be deleted—even by a user or process with administrative privileges on the Pure Storage array.
For Evergreen//One™ subscribers, our enterprise-grade storage-as-a-service subscription, the Cyber Recovery and Resilience SLA offers a unique add-on service to mitigate risk, guaranteeing:
- Next business day shipping of clean recovery array(s)*
- 48 hours to finalize a recovery plan
- 8 TiB/hour data transfer rate
- Bundled services, including a technical services engineering team to finalize the recovery plan and an onsite professional services engineer from time of array arrival through replacement of affected service infrastructure
- Quarterly cyber resilience reports, prepared by Pure Storage and reviewed with you directly
- Remediation services provided by Pure Storage Security Architects if you wish to address vulnerabilities identified in the report
Cyber resilience starts with strong data security and inter-team collaboration. Download the new report from Pure Storage and 451 Research on improving the relationships between IT operations and security cohorts.
*Shipment schedule: Next business day shipping of arrays to North America and EMEA. Three business days to Asia and Australia/New Zealand. Expedited shipping may be available depending on region.
Written By:
A Speedy Recovery
Get back up and running quickly after a cybersecurity event with SafeMode snapshots.