With a sharp rise in cyber-attacks in recent years, CISOs have become more involved in areas of data management, including backup and disaster recovery.
In interviews we conducted this year with a dozen CISOs and people performing CISO functions, we found that all of them were heavily involved in evaluating and purchasing data backup products.
I spoke with the CISOs as part of a research project to determine the tools and processes they use to thwart ransomware and other cyber-attacks. We also conducted a survey of 163 people with CISO responsibilities in large (1,000 employees or more) companies. I wrote about their strategies involving people in their organizations here. In this note, I will address the tools and services they are using now and what is missing.
Cyber-Recovery Wish List
Respondents were more concerned about faster detection than faster recovery. Nearly three-quarters (71%) said faster/earlier detection of a cyber-attack was among their highest priorities for cyber-resiliency analytics. That was by far the highest response. 43% listed faster identification of last-known good recovery point and 41% listed increased confidence that malware was eradicated from the environment. Only 12% said “avoid paying a ransom” and 10% said the ability to preserve good data were highest priorities.
Most of the respondents said they already have data analytics/machine learning (73%) to detect suspicious activity, data loss prevention software (61%), and continuous monitoring for suspicious software (56%).
When asked what capabilities they want but cannot get from their current vendors, responses were evenly spread. The most-cited capabilities were auditing data for sensitive content (35%), post-ransomware forensics (29%), continuous monitoring for malicious software (29%), storage assessment to find where data resides (27%), rapid cyber incident response (25%), and storage risk/vulnerability assessment (20%). Of nine capabilities plus “other” to choose from, only 11% said “none of these,” which indicates few are getting everything they need from current tools.
“You’re not doing this by pushing the easy button,” said a cybersecurity adviser and former CISO for a Fortune 500 company. “The challenge in this day and age is knowing where all your structured and unstructured data is, because if I don’t know where it is, I can’t recover. So, you’d just have to write it off and say, ‘We can’t recover that data.’”
“Data forensics is an area of weakness for our organization,” said a CISO of a California-based financial services institution. “That’s the primary area that we’re focused on right now is the forensics.”
He said his firm’s cyber insurance includes forensic services and other tools handle some forensics. Still, he lacks confidence that those tools can identify the entry point of a ransomware attack, which files have been affected, and if the ransomware is still present.
Searching for That Good Restore Point
A few CISOs said they struggled with simplifying the process of finding the last known good copy of data after an attack.
“For us, it’s an estimated guess [at a good recovery point] based on log data and other data points that we have,” said the head of cybersecurity at a US-based poultry farm. “If we have an incident, it’s an exercise where everybody’s coming together and saying, ‘I don’t see this, or I see this here.’ We wouldn’t recover anything unless we were comfortable that we had a known good backup or a known good state.”
In interviews, most CISOs said they could recover critical data within a day, but it would take longer – sometimes weeks – to get everything back after a severe attack.
A CIO who manages security teams at an oil company said tabletop exercises show his IT team can respond within 24 hours, but his field operations would require 3-5 days to fully recover.
“We can live with a delay of 3 to 5 days,” he said. “Anything beyond that may impact the business. And we have to be concerned about the impact on the outside world. You can lose the trust of your customers.”
The type of attack also has a major impact on recovery time. A major ransomware attack that encrypts data would prove far more difficult to recover from than a distributed denial of service (DDoS) attack that knocks systems offline but does not alter data. Restore times would also be considerably longer if core services such as Active Directory and Domain Name System (DNS) records are corrupted, because dependent systems cannot be brought back until those services are trustworthy again.
“For our organization, I would expect it to take anywhere from a few hours for a simple DDoS attack to perhaps as much as a week for a significant ransomware attack,” said the CISO of a California-based financial institution. “That would be an absolute worst case scenario.”
Encryption Is Popular for Backups, Air Gaps Still Not So Much
For backup and recovery, 64% of the survey respondents said they are encrypting data and 52% are classifying data for ransomware protection. Another 40% said they had instant recovery capability. Only 15% said they were air gapping, which was lowest on the list of nine possibilities.
Among the 24 respondents who are air gapping, 63% are using a disconnected system offsite and 38% a public cloud service.
A VP of infrastructure and security said air gapping is not always easy to set up because it may require a network reconfiguration.
“We don’t have a completely separate network where the backups exist, and you can kind of turn it on and off,” the VP said. “We might need additional hardware for that.”
A credit union CISO said he relies on backups to understand the last-known good copy, but concedes there would likely be data loss if there is a serious attack. He said his company accepts that data saved within the last day may not be recoverable.
“We do full and incremental backups, so we always have an incremental backup to restore to from at least 24 hours prior, along with a full backup to restore to a secondary data center,” he said. “We have a philosophy from a recovery point objective that we may have to lose some data. And that’s OK. Otherwise, you have to go off-site with real-time backups, and that’s very, very expensive. I don’t think many organizations will commit to that.”
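The two recovery problems the CISOs describe above, picking the last known good copy after an attack and accepting a bounded data-loss window from a full-plus-incremental chain, can be made concrete. The following is an added illustration in Python; it is not code from the article or from any of the interviewed organizations. It assumes a constructed backup catalog, made-up ransom-note filenames and renamed extensions, and an entropy threshold of 7.5 bits per byte; real catalogs and indicators will differ.

```python
"""Pick the last known good restore point from a full+incremental backup chain.

Constructed example: the catalog, file samples, indicator names and the
entropy threshold below are assumptions made for illustration only.
"""
import math
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore_files.html"}  # assumed names
SUSPICIOUS_EXTS = {".locked", ".encrypted", ".crypt"}                     # assumed extensions
TEXT_LIKE_EXTS = {".txt", ".csv", ".log"}  # formats that are NOT compressed by nature
ENTROPY_LIMIT = 7.5  # bits/byte; plaintext sits far below, ciphertext approaches 8.0


@dataclass
class Snapshot:
    taken: datetime
    kind: str                       # "full" or "incremental"
    files: Dict[str, bytes]         # path -> sampled content
    indicators: List[str] = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; uniformly random bytes score exactly 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_snapshot(snap: Snapshot) -> List[str]:
    """Record ransomware indicators found in one snapshot's file sample."""
    found = []
    for path, blob in snap.files.items():
        name = os.path.basename(path).lower()
        ext = os.path.splitext(name)[1]
        if name in RANSOM_NOTE_NAMES:
            found.append(f"ransom note: {path}")
        elif ext in SUSPICIOUS_EXTS:
            found.append(f"renamed extension: {path}")
        # Entropy is only meaningful for formats that should be low-entropy;
        # docx/zip/jpeg are compressed and would trigger false positives.
        elif ext in TEXT_LIKE_EXTS and shannon_entropy(blob) > ENTROPY_LIMIT:
            found.append(f"high entropy in {path}")
    snap.indicators = found
    return found


def last_known_good(chain: List[Snapshot]) -> Optional[Snapshot]:
    """Newest snapshot whose whole restore set (its full + later incrementals) is clean.

    An incremental is only restorable together with the full it depends on and
    every incremental in between, so a dirty full poisons everything after it.
    """
    for snap in chain:
        scan_snapshot(snap)
    for i in range(len(chain) - 1, -1, -1):
        j = i
        while j > 0 and chain[j].kind != "full":
            j -= 1
        if chain[j].kind != "full":
            continue  # no full backup anchors this point; it cannot be restored
        if all(not s.indicators for s in chain[j:i + 1]):
            return chain[i]
    return None


def data_loss_window(good: Snapshot, incident: datetime) -> timedelta:
    """Data written after the chosen restore point is lost; compare with the RPO."""
    return incident - good.taken


def build_sample_chain() -> List[Snapshot]:
    """Constructed catalog: one full, three incrementals, encryption lands in the last."""
    t0 = datetime(2024, 3, 10, 1, 0)
    ciphertext = bytes(range(256)) * 8  # stand-in for encrypted content: every byte equally common
    return [
        Snapshot(t0, "full", {"finance/q1.csv": b"date,amount\n2024-01-02,1200.00\n" * 40}),
        Snapshot(t0 + timedelta(days=1), "incremental", {"hr/notes.txt": b"1:1 with team\n" * 50}),
        Snapshot(t0 + timedelta(days=2), "incremental", {"hr/notes.txt": b"updated notes\n" * 50}),
        Snapshot(t0 + timedelta(days=3), "incremental", {
            "finance/q1.csv.locked": ciphertext,
            "finance/readme_decrypt.txt": b"your files are encrypted",
            "finance/q2.csv": ciphertext,
        }),
    ]


if __name__ == "__main__":
    chain = build_sample_chain()
    for s in chain:
        scan_snapshot(s)
        print(s.taken, s.kind, s.indicators or "clean")
    good = last_known_good(chain)
    print("last known good:", good.taken, good.kind)
    print("data lost:", data_loss_window(good, datetime(2024, 3, 13, 9, 0)))
```

Two caveats a practitioner would attach to this. First, the restore-set rule is the reason the credit union CISO can only promise a 24-hour-old incremental: the incremental is worthless without its full, so the full must be verified clean too, which is exactly what an offline or air-gapped copy protects. Second, indicator scanning of backups is a triage aid for choosing a restore point, not proof that malware is gone; the 41% of respondents who want confidence the environment was eradicated still need endpoint forensics, because a snapshot taken before files were encrypted can already contain the dormant payload.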
Author Information
Dave’s focus within The Futurum Group is concentrated in the rapidly evolving integrated infrastructure and cloud storage markets. Before joining the Evaluator Group, Dave spent 25 years as a technology journalist and covered enterprise storage for more than 15 years. He most recently worked for 13 years at TechTarget as Editorial Director and Executive News Editor for storage, data protection and converged infrastructure. In 2020, Dave won an American Society of Business Professional Editors (ASBPE) national award for column writing.
His previous jobs covering technology include news editor at Byte and Switch, managing editor of EdTech Magazine, and features and new products editor at Windows Magazine. Before turning to technology, he was an editor and sports reporter for United Press International in New York for 12 years. A New Jersey native, Dave currently lives in northern Virginia.
Dave holds a Bachelor of Arts in Communication and Journalism from William Paterson University.