You have a Disaster Recovery strategy - do you have a Cyber Recovery strategy too?
Cyber recovery is generally harder than full-blown disaster recovery. In traditional disaster recovery, an "all or nothing" approach is typically used, from architecting a solution, to testing, to actual recoveries: if the production data centre was obviously going to be down for longer than an acceptable timeframe (or worse, gone!), you declared a disaster and recovered everything. Not so with today's hybrid cloud and highly distributed IT environments: instead you might have multiple DR plans for the disaster scenarios of the various "sites".
And for cyber recovery, things differ further: recovery is usually a multi-stage approach, including a "clean room" recovery and a promotion to production once the recovered environment is validated to be clean.
Here are some key differences for cyber recovery:
recovery plans need to exist for multiple data centre environments and scenarios, and be flexible to adapt to a wide variety of outage / loss scenarios;
copies of backup data need to exist in multiple locations, isolated and contained away from the systems / data they protect, and be immutable;
techniques like data replication will likely not help in cyber events, as replication will also contaminate / infect from source to target;
the need to have Isolated Recovery Environments (IRE) or "clean rooms" to test recovery, potentially from numerous points in time to identify a "clean" backup, then promote to production;
post-recovery, ensure the restored environment is free of any malware and protect against reinfection.
Creating, testing and exercising flexible Cyber Recovery Plans is key to teams' readiness and to the likelihood of recovering from cyber events effectively and quickly. The nature of an incident and the "blast radius" of what is affected can vary greatly from incident to incident. Frequent and varied testing and exercising helps ensure teams are proficient with the tools available to them, regardless of scenario. Key factors in today's computing environments contribute to the complex and often fluid recovery scenarios we need to be prepared to deal with, including:
the widely distributed nature of systems & data (on-premises, co-location data centres, cloud: IaaS, PaaS, SaaS);
the vast number of entities (systems, VMs, services, data) that are all integrated in an organization's IT ecosystem;
the pace of technological change and adoption.
Select tools that meet your business AND technical needs. For this, an enterprise architecture viewpoint and approach should be employed, to ensure holistic solutions that address not only functional technical requirements, but also operations and governance. This implies that mature processes are in place to ensure long term sustainable capabilities for your organization.
Real-time (or near real-time) visibility into the state of your computing environments needs to be maintained at all times, and it must remain available even during an event / incident. Conventional documentation is too difficult and cumbersome to maintain. The good news is that, by leveraging tools and techniques like tagging, Infrastructure as Code, replication and others, an "off platform" view of your environment can be maintained and secured for use in the event of an outage.
Isolated Recovery Environments (IRE) are relatively easy to create in cloud, and can be quickly brought online. One or many can be used to allow for multiple simultaneous recoveries from numerous points in time to speed up identifying viable backups. Further, IREs or clean rooms enable frequent testing and exercising to keep teams sharp and plans up to date. It is critical that teams are proficient with the tools available to them to address just about any scenario they may face.
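As an added example (not code from the original article), the backup-copy requirements listed earlier and the multi-point IRE approach above expressed as checks: a system's copies must include point-in-time copies in more than one location and at least one isolated immutable copy (replicas are excluded, since they carry a compromise from source to target), and a selector picks spaced-out restore points for parallel clean-room validation. The `BackupCopy` fields and the sample catalog are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BackupCopy:
    system: str
    location: str       # where the copy lives, e.g. "cloud-vault"
    taken_at: datetime  # point in time the copy represents
    immutable: bool     # retention lock: cannot be altered or deleted early
    isolated: bool      # no network path or credentials shared with production
    replica: bool       # continuous replication target, not a point-in-time copy

def assess_copies(copies):
    """Check one system's copies against the cyber recovery requirements above."""
    findings = []
    pit = [c for c in copies if not c.replica]  # replicas follow the source
    if len({c.location for c in pit}) < 2:
        findings.append("point-in-time copies in fewer than two locations")
    if not any(c.immutable and c.isolated for c in pit):
        findings.append("no isolated immutable copy")
    if copies and not pit:
        findings.append("only replicas: a compromise at source reaches the target")
    return findings

def select_restore_points(copies, detected_at, slots, spacing):
    """Up to `slots` isolated immutable copies before detection, newest first, `spacing` apart."""
    eligible = sorted((c for c in copies if c.immutable and c.isolated
                       and not c.replica and c.taken_at <= detected_at),
                      key=lambda c: c.taken_at, reverse=True)
    chosen = []
    for c in eligible:
        if len(chosen) == slots:
            break
        if not chosen or chosen[-1].taken_at - c.taken_at >= spacing:
            chosen.append(c)
    return chosen

# Constructed sample catalog for one system; not taken from any real environment.
T0 = datetime(2024, 3, 1)
CATALOG = (
    [BackupCopy("erp-db", "dr-replica", T0 + timedelta(days=9), False, False, True)]
    + [BackupCopy("erp-db", "onprem-nas", T0 + timedelta(days=d), False, False, False) for d in range(10)]
    + [BackupCopy("erp-db", "cloud-vault", T0 + timedelta(days=d), True, True, False) for d in range(10)]
)
WEAK_CATALOG = [c for c in CATALOG if c.location != "cloud-vault"]

def demo_restore_days():
    # Three parallel clean-room slots, candidates three days apart; returns [10, 7, 4].
    points = select_restore_points(CATALOG, T0 + timedelta(days=9, hours=12), 3, timedelta(days=3))
    return [c.taken_at.day for c in points]
```

Each selected point would be restored into its own IRE and validated independently; the newest copy that passes is the one promoted to production.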
In conclusion, cyber recovery requires unique architectures, tools, techniques, and skillsets to ensure your organization is prepared to recover from a variety of potential events. Regardless of how much time, effort, and money is put into protection, detection, controls and technology, the ability to recover from backups must be part of your cyber security framework - viable backups and your ability to restore them are your Last Line of Defense!