Hope is not a strategy.
It takes some fortitude to begin a blog with such a well-worn cliché, but in this case it is more than fitting. With the emergence of ransomware and hacktivism as a rapidly growing new category of threats, all too often the response is hope.
Hope the hackers don’t attack us. Hope we can detect and shut down an attack before it does too much damage. Hope that by upgrading our perimeter defense and educating our employees we will be a harder target.
Good luck with that.
The 2015 Data Breach Investigation report revealed that over 60% of companies could be compromised in six minutes or less. EMC has conducted two global data protection surveys in the past two years, and the resulting data is equally worrisome. Approximately 1/3rd of all customers have experienced data loss due to a security breach, and the average cost of a single incident is $914,000, which in Dr. Evil terms is really, really close to “One Million Dollars!”
The statistics are out there for you to find if you want a greater dose of shock and horror. (Sometimes I wonder given all the travel I do why I watch the television show “Why Airplanes Crash”, but we are all drawn to the macabre and disturbing, right?)
But the reason I’m writing this isn’t just to put forth the disturbing data again. Instead, it’s to point out that many groups are looking in the wrong place for solutions.
While the threats are evolving, the Information Security community, vendors and IT professionals are all doubling down on more of the same. All of the emphasis is on incident prevention, and very little attention is given to data protection and recovery. The facts, however, lean very heavily toward the probability that any given business will be the subject of a successful cyber-attack in the foreseeable future. In fact, most security experts agree that there are two kinds of companies: those who have experienced a successful cyber-attack, and those who have experienced a successful cyber-attack and simply don’t know it yet.
As these threats have emerged, guidance in the form of Cyber Security Frameworks (CSFs) has been established. Most of these CSFs reference or borrow heavily from the NIST CSF, which has some very important fundamental information. “Protect” and “Recover” are both pillars of the NIST CSF, as well as every other highly regarded framework. In this context, “Protect” explicitly means to make secure, isolated protection copies of data. “Recover” means that after detecting a threat a business needs a plan to suspend production, eliminate the threat, and recover data and systems necessary to resume operations.
For customers who want to protect themselves from these modern and sophisticated threats, EMC has a solution called the “Isolated Recovery Solution”. Logically, this provides an “air gap” between the production environment and the data that is critical for the survival of any business. Here is a diagram demonstrating the key elements of the EMC Isolated Recovery Solution:
Isolated Recovery is NOT Disaster Recovery. IR represents only the most critical data that a business needs to survive. Most customers do not stand up an IR solution at the same size and scale as their primary backup or DR infrastructure. Furthermore, IR usually lives in the same location as the production data. This is essential for rapid recovery from an incident. The mechanisms IR puts in place are both physical and logical. For many enterprises this means creating a small locked cage within the data center and restricting access to the very few people who are responsible for the system.
There is a lot more to talk about when it comes to the IR solution, so I encourage you to reach out to one or more trusted advisors, prioritize what matters to you, and then dive into all the details.
But what about my earlier statements about not hanging all our hopes on prevention? Prevention is useful, but a successful defense requires a layered approach. All of the parts of the solution need to fulfill a purpose within the CSF. But how are you organized as a company? When was the last time the Information Security team and the Backup team got together and built a joint solution? My guess is probably never. Traditional organizational structures simply aren’t aligned very well in order to solve this problem. In order to defend against a threat that evolves rapidly, everyone needs to adapt. Whether it is the backup guru talking to the firewall guru, or the CIO talking to the Board of Directors, someone needs to start having this conversation. You are that someone. You can’t just hope that somebody else will do it. Hope is not a strategy.