BTEX 2023: How to Strengthen Your Organization’s Cyber Resilience

How can organizations build cyber resiliency and ensure complete recovery from a ransomware attack?

They need to consider the business side by enhancing their capabilities to protect against, defend and recover from ransomware, Samaroo said. It’s important to understand where business assets are, how important they are and the nature and type of data that supports those assets. Not all data are equal, he says, and it’s essential to examine data interdependencies.

“If you have your active directory, for example, that is a key part of accessing your data from an identity and access management perspective,” Samaroo explained. “If you have multifactor (authentication) as a sub-component of that, you want to make sure you understand the interconnectivities between each of the data points in order to deliver applications or services to your external customers, your business customers and so on.”

You also want to understand the acceptable amount of downtime your organization can tolerate for specific applications and that some may be more critical than others.

Consider how you measure the restore time and the response time to ensure those applications are back up online quickly and that you're getting the connectivity to the services that are essential to your business, he said.

And when it comes to backing up data, it’s important to understand when data becomes “stale” or no longer productively useful within specific applications and services. You don’t want or need to back up and maintain such data that is end of life, since there’s a cost to store and maintain it. Backing up such data will also impact your restore time, Samaroo said.

Backup and recovery are two sides of the same coin. Regularly backing up data is essential, but there also needs to be a recovery plan around restoring data within certain timelines so the business can continue operating without major disruption. And make sure that the controls for the repository where data is backed up are regularly tested.

“Our suggestion here is to ensure you're doing penetration testing exercises – such as social engineering and networking-based penetration testing – against your backup repository of information,” Samaroo said.

You also need to understand your cyberinsurance policy obligations and follow the requirements and commitments of that policy to ensure that you don’t violate your agreement. To that end, the technology used to protect a backup repository should include multifactor privilege identity management so that you always verify the users of your data are who they say they are, Samaroo says.

Consider multiperson authorization to access or restore data and impose strict control to ensure that access when needed is granted and with the right approvals. Be sure that encrypted data and encryption keys are always stored separately so that, in the event that data is exfiltrated, keys for decrypting are not contained within data that may have been compromised.  

Samaroo said it’s essential to have three copies of data saved on two separate media types plus one that should be air gapped (a security measure where a computer or network is kept isolated and prevented from establishing external connections to other devices) or configured as an immutable backup that prevents data from being altered or tampered with.

“We want to make sure that ransomware doesn’t touch that immutable backup or air-gapped backup because it is a last resort in restoring your information,” he said.

Another aspect to consider is ensuring that the quality of backups is maintained. Use test procedures to prevent corrupt data from being backed up and to ensure backed up data itself does not become corrupted.

Samaroo suggested using available advanced machine learning and artificial intelligence (AI) tools to ensure backed up data integrity and integrate backups with scanning and protection tools that query and provide alerts if malicious data is detected during the backup process.

In a situation where your organization’s data is compromised and you’ve decided to refresh from a backup, how would you know data contained in the backup you are restoring is clean?

“In some cases, you might need to do a breach assessment to understand where your (clean data points) are,” Samaroo explained. “But in the meantime, while that breach assessment is happening, you may not have data needed to serve your customers.

“So, in that scenario, you want to consider something like a ‘clean room’ restoration point – whether it be cloud, a separate data centre or a separate infrastructure that you have on standby – that you can completely restore from while leaving your production environment intact to do that breach assessment to investigate and understand what transpired through an initial breach.”

CDW has a wide range of products and services, including managed services, to help you navigate the complex world of data backup, create a restoration plan, create governance controls and manage cyberinsurance policies.

CDW’s consulting services can perform tabletop exercises with your teams and provide risk advisory services to help you understand where technical or governance gaps may lie in the backup and restoration process. CDW can also help with full disaster recovery and management of on-premises or cloud storage environments.

On the security side, CDW provides a managed extended detection and response (XDR) endpoint monitoring service for early detection of ransomware attacks before they can migrate laterally throughout an organization.