Steps for Planning for Cyber Resiliency

Prevention

1) Verify all security settings for systems – access and administration at all levels, software including operating systems and applications, networks, and other management/monitoring tools. A plan for auditing and regularly updating security settings should be developed and followed. This should be exercised according to governance practices, but at least monthly.

2) Tools used to detect attempts to penetrate the environment should be implemented and tested periodically. These tools continue to evolve and will require continual updating and transitioning to improved tools.

Detection

Detection of an attack in progress is done through a limited number of means:

  • Log analysis software collects logs from software and hardware systems and analyzes them to determine whether suspect activity is occurring. This software will alert, notify systems/software that can be used to freeze activity, and report on detailed activity that can be used to identify the point in time of an attack.
  • Software that interacts with data, such as backup software that monitors access to the protected data, can determine whether anomalous activity is occurring. The actions to be taken upon detection can vary and are usually configurable.
  • Some storage systems that are used for data protection (backup targets) can monitor for anomalous activity, similar to backup software. These systems report on the activity and may also take action based on control settings.
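As an added illustration of the log-analysis and backup-access monitoring just described (example code written for this page, not from any product named here), the detector below parses a constructed backup-repository access log, counts destructive operations per principal in a sliding window, and raises an alert that records the window start, i.e. the point in time a recovery team would need. The log format, the `backupsvc` and `jdoe` principals, and the threshold are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log from a backup repository (hypothetical format,
# not any real product's). A service account does routine reads/writes; one
# interactive user then deletes four protected copies within seconds.
SAMPLE_LOG = """\
2024-05-01T02:00:05Z user=backupsvc action=read object=vm01.bak
2024-05-01T02:00:09Z user=backupsvc action=write object=vm01.bak
2024-05-01T02:01:10Z user=jdoe action=read object=fileserver.bak
garbage line that should be ignored
2024-05-01T03:14:02Z user=jdoe action=delete object=vm01.bak
2024-05-01T03:14:03Z user=jdoe action=delete object=vm02.bak
2024-05-01T03:14:05Z user=jdoe action=delete object=fileserver.bak
2024-05-01T03:14:09Z user=jdoe action=delete object=db01.bak
2024-05-01T06:00:00Z user=backupsvc action=delete object=vm01.bak.old
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) object=(\S+)$")
DESTRUCTIVE = {"delete", "overwrite"}   # operations that remove a recovery copy

def parse(log_text):
    """Parse log lines into (timestamp, user, action, object); malformed lines
    are skipped so a single bad record cannot stall the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events, key=lambda e: e[0])

def find_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Alert when one principal performs more than `threshold` destructive
    operations on protected copies within a sliding `window`. The alert records
    the window start, which is the point in time the recovery team needs."""
    recent_by_user = {}
    alerts = []
    for ts, user, action, obj in events:
        if action not in DESTRUCTIVE:
            continue
        recent = [t for t in recent_by_user.get(user, []) if ts - t <= window]
        recent.append(ts)
        recent_by_user[user] = recent
        if len(recent) == threshold + 1:     # fire once, when the limit is crossed
            alerts.append({"user": user, "window_start": recent[0].isoformat(), "count": len(recent)})
    return alerts
```

In a real deployment the alert would feed the notification and freeze actions the text mentions; here it is returned so the logic can be checked offline.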

Recovery

Recovery processes vary greatly depending on the environment – its systems and software. There are some general considerations to be undertaken, but a detailed understanding of recovery requires working with technical staff who understand the environment and the organization's requirements.

1) The first step is to understand what potentially needs to be done in a recovery from a cyber-attack. The starting point for this, from an expediency standpoint, is an existing Disaster Recovery (DR) plan. Using it as an outline, the reasons for recovery, along with an understanding of the potential for altered/infected data and its implications, can be introduced.

2) The recovery sequence from a cyber attack is developed first, using the DR recovery sequence as an outline (without a DR recovery plan that includes a detailed sequence of actions, the effort becomes much greater).

    1) The first consideration is to add steps to validate the information before proceeding. ‘Was the data protected before the problem/infection occurred?’ is the first question, assuming the time of the first indication of an attack is known. This is where identifying the different recovery copies and understanding the recovery points becomes critical, and the expertise of the staff and their data protection strategy is important. Some primary storage systems can make copies of data as ‘logical air gaps’ that can be used to reduce the recovery point and recovery time. These storage systems need to be factored into the recovery strategy if they are available.
    2) Dependencies such as recovering identity and access management credentials and authentication systems must be addressed first, as these have been seen as major targets for compromise in attacks.
    3) The sequence of recovery will depend heavily on the expertise of staff, knowing the relationship between data and applications, and the status of the protected copies.

3) Existing DR plans are an expedient outline once it is understood what data could be infected/altered and which systems could be compromised. Examining the DR plan with a focus on where recovery would need to change for a cyber attack leads first to additional investigation that may need to be done, and then to the insertion of additional steps for this type of recovery. Adding steps to identify a ‘known good copy’ of data and to validate that data is the first consideration. Another is the ‘sandbox.’ Propagation of an infection/alteration during recovery is a major concern. To address this, recovering data to a trial area, termed a ‘sandbox,’ where tests can be done to prove the validity of the recovered data is an additional, time-consuming step that needs to be taken.

4) Exercising the recovery from a cyber attack must be added to the regular process for IT operations.
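The recovery sequence above (choose copies taken before the first indication of attack, prefer the logical air gap, validate in a sandbox before anything touches production) as an added worked example; this is illustrative code written for this page, not any vendor's tooling. The catalog, the `STORE` contents, the `customer-db` dataset and the hash-plus-consistency validation are constructed assumptions standing in for a real backup catalog and restore-to-sandbox step.

```python
import hashlib
from datetime import datetime

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed catalog of protected copies (hypothetical format, not any product's).
# The hash was recorded when each copy was taken: it is what the copy SHOULD hold.
GOOD = b"customer-db snapshot v1: consistent"
CATALOG = [
    {"dataset": "customer-db", "point": "2024-04-30T23:00:00Z", "tier": "logical-air-gap", "sha256": sha256(GOOD)},
    {"dataset": "customer-db", "point": "2024-05-01T02:00:00Z", "tier": "backup-target", "sha256": sha256(GOOD)},
    {"dataset": "customer-db", "point": "2024-05-01T05:00:00Z", "tier": "backup-target", "sha256": sha256(b"customer-db snapshot v2")},
]
# Constructed bytes as they exist NOW on each tier: the 02:00 copy was altered after
# it was taken, so its current content no longer matches the recorded hash.
STORE = {
    ("customer-db", "2024-04-30T23:00:00Z"): GOOD,
    ("customer-db", "2024-05-01T02:00:00Z"): b"customer-db snapshot v1: ENCRYPTED",
    ("customer-db", "2024-05-01T05:00:00Z"): b"customer-db snapshot v2",
}

def candidate_copies(catalog, dataset, first_indication):
    """Keep only copies of `dataset` taken before the first indication of attack,
    newest first, so the chosen recovery point loses as little data as possible."""
    cutoff = parse_ts(first_indication)
    cands = [c for c in catalog if c["dataset"] == dataset and parse_ts(c["point"]) < cutoff]
    return sorted(cands, key=lambda c: c["point"], reverse=True)

def validate_in_sandbox(copy, fetch, consistency_check):
    """Restore into an isolated sandbox and prove the data before it touches
    production: recorded hash must match, then an application-level check runs."""
    data = fetch(copy)
    if sha256(data) != copy["sha256"]:
        return False                 # altered/infected copy: reject it
    return consistency_check(data)

def select_known_good(catalog, dataset, first_indication, fetch, consistency_check):
    """Walk candidates newest-first and return the first one that validates."""
    for copy in candidate_copies(catalog, dataset, first_indication):
        if validate_in_sandbox(copy, fetch, consistency_check):
            return copy
    return None                      # nothing trustworthy: escalate, do not restore

def fetch_from_store(copy):          # stands in for a real restore-to-sandbox step
    return STORE[(copy["dataset"], copy["point"])]
def looks_consistent(data):          # stands in for an application-level test
    return data.startswith(b"customer-db snapshot")
```

With the first indication at 03:14, the 05:00 copy is never considered, the 02:00 copy fails its hash check, and the air-gap copy from the previous night is the one selected.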

Author Information

Randy Kerns

Randy draws from over 35 years of experience in helping storage companies design and develop products. As a partner at Evaluator Group and now The Futurum Group, he spends much of his time advising IT end-user clients on architectures and acquisitions.

Previously, Randy was Vice President of Storage and Planning at Sun Microsystems. He also developed disk and tape systems for the mainframe attachment at IBM, StorageTek, and two startup companies. Randy also designed disk systems at Fujitsu and Tandem Computers.

Prior to joining The Futurum Group, Randy served as the CTO for ProStor, where he brought products to market addressing a long-term archive for Information Technology and the Healthcare and Media/Entertainment markets.

He has also written numerous industry articles and papers as an educator and presenter, and he is the author of two books: Planning a Storage Strategy and Information Archiving – Economics and Compliance. The latter is the first book of its kind to explore information archiving in depth. Randy regularly teaches classes on Information Management technologies in the U.S. and Europe.
