Build Ransomware Resilience With Secure Isolated Recovery

Cyber-resilient organizations prepare for ransomware attacks with the mindset of when, not if, they will become part of another cyberattack statistic. Ransomware resilience requires the ability to quickly restore mission-critical systems with the confidence that you aren’t reintroducing compromised data into your business after an attack. Such confidence in disaster recovery comes from using a secure isolated recovery environment (SIRE).

What Is A Secure Isolated Recovery Environment?

SIRE protects backup and recovery systems against advanced ransomware attacks. Completely independent from your production environment, a highly controlled SIRE enables you to inspect and test backup data so you can more quickly cleanse and restore mission-critical systems without risking the spread of malware from infected data.

Gartner has explored using isolated recovery environments with immutable data vaults to create a SIRE framework with three main components:

• Secure and air-gapped, isolated data vault
• Immutable (unalterable) Storage, delivered by an immutable backup server or appliance
• Recovery capability to restore your data, applications, and systems.

As a mix of technology solutions and business processes, a SIRE framework goes beyond traditional data protection solutions to ensure you can quickly recover clean, verified data.

Kevin Finch, Senior Business Continuity Architect at Sayers, says:

“Secure isolated recovery environments are a lot like old school disaster recovery (DR). That’s what banking and financial services have done for decades – recover everything into an alternate environment and test it before going into production. The big difference with SIRE is you’re making sure your data is immutable.” 

Why Is SIRE Important?

Companies that react to a cyber event, rather than anticipating and preparing for it, pay a high cost. According to IBM Security’s Cost of a Data Breach Report 2023, the average cost of a data breach reached nearly $4.5 million in 2023 – an all-time high for the report and a 15% increase over the last three years. 

According to the 2023 Global Report on Ransomware Trends by Veeam Software, the average time to recover from a cyberattack is 24 days.

Each day your operations are down, the cost to your business increases and impacts your company’s financial standing and reputation. That’s why making secure and timely recovery is just as important as protecting your data. 

Veeam’s Ransomware Trends Report also shows:

• 85% of organizations suffered at least one cyberattack in the preceding 12 months, an increase from 76% in the prior year.

• In 93% of ransomware attacks, the threat actor attempted to modify/delete backup repositories. Threat actors were successful in impacting some or most of the backup repositories in 75% of attacks. 

• 56% of the affected organizations restored directly back to their production environment, running the risk of reinfection due to compromised data.

Stephen Johnson, Solutions Architect at Sayers, says:

“In more and more cyberattacks, the attackers are in the environment for months before being discovered. You want to have a solution that is backing up, doing parity checks on backed-up data, and has malware detection on it as well.”

The risk of a cyberattack now outweighs the cost of implementing a SIRE recovery solution. SIRE provides the ability to recover from a ransomware event as rapidly as possible, so your business can get up and running again without the risk of infected data. SIRE offers:

• A single control plane for orchestration
• Automation and AI to help increase efficiency and reduce the total cost of ownership for the solution 
• Protection for virtual machines as well as legacy physical servers.

Integrate SIRE As Part Of Cyber Resiliency

Cyber-resilient companies realize they need to adopt a holistic approach to recoverability. This holistic approach integrates SIRE with other key areas including: 

• Asset Protection to ensure mission-critical data and services can be recovered after an attack. 

• Incident Response so key stakeholders know how SIRE will be used with a clear plan of who does what, when, and where in a crisis. Johnson says:

“These are not procedures an organization wants to be developing in the middle of an attack. The whole point of cyber resiliency is to know you’re going to be attacked and be prepared for it, with your plan documented and in place.” 

• Process Alignment to ensure applications and process owners’ approach to cyber resiliency complements the organization’s overarching recovery strategy. 

• Risk Management to develop an end-to-end cyberattack defense using a cybersecurity framework, such as the National Institute of Standards and Technology (NIST) Framework For Improving Critical Infrastructure Cybersecurity. The NIST framework focuses on five key functions – identify, protect, detect, respond, and recover – to enable risk management decisions and address threats.

4 Steps To Implement a SIRE Framework

The foundation for a secure isolated recovery environment is having a broader cyber resilience strategy in place. Your larger strategy should envision how the business will recover mission-critical systems, with your recovery environment as an integral element.

At the 2023 Gartner Security and Risk Management Summit, Gartner recommended four key steps to implement a SIRE framework once you have your cyber resilience strategy in place: 

1. Define the recovery strategy. Combine backup infrastructure and data workflows to provide cyber resiliency that meets business objectives. Determine the recovery environment platform and location, specific use cases, and what technology and tools you will use for the data transfer.

• Design the environment. Ensure all required elements are included that will restore operations. These include networking and data isolation, survivable storage to host backup data, and how you will manage and control the whole infrastructure. 

• Develop the recovery process. Establish best practices to restore data and applications in the fastest time possible, starting with mission-critical applications and services. Align your restore techniques so all stakeholders understand the tools and techniques used to recover, and integrate your SecOps function into the recovery process. 

• Evolve. Continually improve your cyber resilience by embracing automation and having multiple recovery environments. These could include an offsite location or a multi-cloud strategy to recover expanding hybrid workloads. 

How To Design Your SIRE Recovery Environment 

Depending on the progress you’ve already made with your disaster recovery and business continuity planning, you’ll want to consider these three main factors for your recovery environment design:

• Where is your recovery environment?
• What backup data transfer will you use?
• Which use cases are your priority?

Recovery Environment Location. Among your options for a clean recovery environment, the cloud tends to provide the most cost-efficiency. You can replicate your data and leave the resources offline until you need them, saving on operational costs. Also, cyber recovery-as-a-service is an emerging area that can be more cost-effective than an on-premise or colocation facility.

Backup Data Transfer. How will you get your data from your production environment to the DR site? Several data storage providers have data replication built in. Third-party replication tools can push data up into the cloud and into a holding pattern in Azure Blob, for example.

Use Cases. These include having the ability to verify and analyze your data, the need to restore versus rebuild, and production integration to ensure your recovery environment is secure and ready to send data into your live production environment.

Questions? Contact us at Sayers today for a readiness assessment of your DR environment as well as recommendations to advance your recovery strategy and technologies.