{"id":521323,"date":"2024-07-11T09:00:00","date_gmt":"2024-07-11T13:00:00","guid":{"rendered":"https:\/\/www.commvault.com\/?p=521323"},"modified":"2024-07-11T07:06:11","modified_gmt":"2024-07-11T11:06:11","slug":"modern-security-can-seem-like-the-cha-cha-slide","status":"publish","type":"post","link":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide","title":{"rendered":"Shift Left? Shift Right? Modern security can seem like the Cha Cha Slide"},"content":{"rendered":"\n

Organizations worldwide have aligned their security strategies with the NIST Cyber Security Framework (CSF) because it offers a good way of breaking down the tactical needs of modern cybersecurity teams. The latest version, CSF 2.0, introduced an overarching category that had been sorely overlooked \u2013 Governance.<\/p>\n\n\n\n

The key point to note is that the CSF is not necessarily meant to be a \u201cstart here, finish there\u201d type of application. The goal is for organizations to invest in people, processes, and technology across the entire framework in a balanced way that reflects business risk.<\/p>\n\n\n\n

The areas of focus for the CSF<\/strong><\/p>\n\n\n\n

Fig. 1: A diagram of the NIST Cyber Security Framework<\/em><\/figcaption><\/figure>\n\n\n\n

\u201cIdentify\u201d is a critical element because you can\u2019t protect anything or prioritize your efforts if you don\u2019t know what you have. What\u2019s critical? What\u2019s regulated? What\u2019s necessary for our business to function and generate revenue?<\/p>\n\n\n\n

Most teams struggle with this element, especially with the prevalence of decentralized and shadow IT. Aside from the CSF, most other cyber frameworks and regulatory guidance require identifying and inventorying systems and data as a foundational step.<\/p>\n\n\n\n

\u201cProtect\u201d is all about technologies deployed to prevent attackers from gaining access to data in the first place. This spans the gamut of tech from vulnerability scanners to identity and access management to antivirus and anti-malware.<\/p>\n\n\n\n

These tools need to be configured properly and, most importantly, deployed on every device and system across the organization. This isn\u2019t always the case. Sometimes, things are purchased on corporate P cards, not through IT. Sometimes, systems simply don\u2019t update properly and thus are running out-of-date, vulnerable software.<\/p>\n\n\n\n

\u201cDetect\u201d is about setting traps and ensuring alarms function when actions indicate something out of the ordinary. Unfortunately, many organizations have dozens of tools that generate millions of alerts to detect threat actors infiltrating their systems.<\/p>\n\n\n\n

This massive influx of alerts, which may or may not indicate something truly awry, can cause alert fatigue \u2013 teams spend immense amounts of time chasing down possible anomalies only to learn they were false positives. This also diverts attention away from other alerts, which may be real threats.<\/p>\n\n\n\n

Then we have the two Rs of the framework, \u201cRespond\u201d and \u201cRecover.\u201d These two cybersecurity areas are where your mettle is tested. Organizations will be breached. It\u2019s not a matter of \u201cif\u201d but \u201cwhen and how bad?\u201d<\/p>\n\n\n\n

To be good at \u201cRespond,\u201d teams need alignment on many fronts. Good leadership, solid strategy and tactics, great documentation and planning, and the most critical thing of all \u2013 practice.<\/p>\n\n\n\n

For incident response, you will not rise to the occasion but rather fall to the level of your preparation. Without practice and testing the processes you\u2019ve built, you\u2019re being set up for potential failure, or at least more stress than needed when an actual incident occurs.<\/p>\n\n\n\n

\u201cRecover\u201d is where the rubber hits the road. Following the inevitable breach, it\u2019s the job of everyone on the security and IT teams to get the systems and environments back to good. But to do so requires you to step back and think about how to do this safely, effectively, and without recovering the bad guys and everything they\u2019ve poisoned.<\/p>\n\n\n\n

Each element must be given the same level of rigor and attention to be effective. Unfortunately, that\u2019s not always the case. Historically, organizations have focused most efforts and investments on preventing cyber incidents rather than establishing technology, processes, and strict workflows to abide by when a cyber incident occurs.<\/p>\n\n\n\n

With data spread across hybrid environments, prevention is no longer adequate. Enterprises of all sizes seek peace of mind in a chaotic hybrid world. Security leaders and CISOs must adapt their strategies to address frictionless recovery and cyber resilience, and implement practices, processes, and technology around data cleanliness and recoverability.<\/p>\n\n\n\n

Ransomware has changed the face of recovery. Due to increased cyber threats, security leaders are evaluating isolated recovery environments (IRE) to serve as clean and uninfected locations to recover to. However, with the nuanced type of attacks that occur, that IRE needs to be more than just a secure space. It is a part of the recovery process, but not all of it.<\/p>\n\n\n\n

Commvault\u00ae Cloud Cleanroom\u2122 Recovery is a comprehensive testing and failover offering, providing a safe, new IRE that promotes (1) testing cyber recovery plans, (2) conducting forensic analysis, and (3) business continuity in the event of a breach.<\/p>\n\n\n\n

Pivot from preventive measures and invest in response and recovery<\/strong><\/p>\n\n\n\n

Whether or not you look at the CSF as a list, organizations have, for better or worse, started at the top or the right. The problem lies in the sequential nature of the work. Most organizations don\u2019t get to Respond<\/em> or Recover<\/em> because they\u2019ve spent all their time and money on Protect<\/em> and Detect<\/em>.<\/p>\n\n\n\n

The fact that organizations have not spread their budget and resources over all sections of the CSF has meant that attackers still have the upper hand. When they get through your defenses and evade your detection, the typical cyber security team\u2019s incident response can do an excellent job of investigating the breach but not much in the way of recovering from it.<\/p>\n\n\n\n

You can\u2019t always rely on the IT team\u2019s backups<\/strong><\/p>\n\n\n\n

With the average dwell time of attackers in organizations standing at 204 days<\/a>, chances are that the attackers have found, infiltrated, and possibly poisoned your backups. This is something we\u2019ll cover in a future blog, but it\u2019s absolutely worth noting here. When dealing with breaches, not only will your production data likely be tampered with, but more threat actors are also actively seeking to take down and compromise some of the efforts you\u2019ve made to ensure that you can restore good copies of data.<\/a>\u00a0<\/p>\n\n\n\n

You can\u2019t count on just blocking an IP address<\/strong><\/p>\n\n\n\n

Many tools respond to breaches by blocking IP addresses to kick attackers out of the network. This doesn\u2019t work with the cloud anymore. Attackers have found or bought legitimate credentials and\/or infiltrated your identity and access management systems. So now they\u2019ve become legitimate users.<\/p>\n\n\n\n

In a word, you can\u2019t trust anything<\/strong><\/p>\n\n\n\n

In a world where the phrase zero trust<\/em> is thrown around quite a bit following a breach, there truly isn\u2019t and shouldn\u2019t be any trust. Data needs to be scrutinized and checked for infection. Infrastructure needs to be rebuilt to ensure that only authorized folks are inside.<\/p>\n\n\n\n

If you\u2019re looking for ways to improve your organization\u2019s cyber resilience, reach out to our sales team at Commvault for a consultation<\/a>. We\u2019ll discuss all the elements that make up a good cyber recovery strategy, tailored to your business.<\/p>\n","protected":false},"excerpt":{"rendered":"

Exploring modern security strategies and the importance of balancing prevention and recovery within the NIST Cyber Security Framework.<\/p>\n","protected":false},"author":164,"featured_media":521325,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_custom_css":"","_custom_js_footer":"","_page_background_color":"","_remove_from_search":false,"_dark_mode":false,"_light_footer_mode":false,"_sidebar_form":{"id":"","name":"","cta":"","redirect":""},"_alert_notification_bar":{"show":true,"bg_color":"","content":"","call_to_action_label":"","call_to_action_link":""},"_footer_cta":{"show":false,"title":"","subtitle":"","cta_text":"","cta_link":"","background":{"id":0,"url":""}},"_cmv_customer_logo":{"id":0,"url":""},"_jetpack_memberships_contains_paid_content":false,"i18n_hreflangs":"","footnotes":""},"categories":[212],"tags":[],"cmv_author":[1551],"class_list":{"0":"post-521323","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-and-compliance-2","8":"cmv_author-sam-curcuruto","9":"entry"},"yoast_head":"\nShift Left? Shift Right? Modern security can seem like the Cha Cha Slide | Blog<\/title>\n<meta name=\"description\" content=\"Exploring modern security strategies and the importance of balancing prevention and recovery within the NIST Cyber Security Framework.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Shift Left? Shift Right? 
Modern security can seem like the Cha Cha Slide\" \/>\n<meta property=\"og:description\" content=\"Exploring modern security strategies and the importance of balancing prevention and recovery within the NIST Cyber Security Framework.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide\" \/>\n<meta property=\"og:site_name\" content=\"Commvault - English - United States\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Commvault\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-11T13:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-11T11:06:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.commvault.com\/wp-content\/uploads\/2024\/07\/Security-Blog-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"rijnashpk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@commvault\" \/>\n<meta name=\"twitter:site\" content=\"@commvault\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"rijnashpk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Shift Left? Shift Right? 
Modern security can seem like the Cha Cha Slide | Blog","description":"Exploring modern security strategies and the importance of balancing prevention and recovery within the NIST Cyber Security Framework.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide","og_locale":"en_US","og_type":"article","og_title":"Shift Left? Shift Right? Modern security can seem like the Cha Cha Slide","og_description":"Exploring modern security strategies and the importance of balancing prevention and recovery within the NIST Cyber Security Framework.","og_url":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide","og_site_name":"Commvault - English - United States","article_publisher":"https:\/\/www.facebook.com\/Commvault\/","article_published_time":"2024-07-11T13:00:00+00:00","article_modified_time":"2024-07-11T11:06:11+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/www.commvault.com\/wp-content\/uploads\/2024\/07\/Security-Blog-1.png","type":"image\/png"}],"author":"rijnashpk","twitter_card":"summary_large_image","twitter_creator":"@commvault","twitter_site":"@commvault","twitter_misc":{"Written by":"rijnashpk","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide#article","isPartOf":{"@id":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide"},"author":{"name":"rijnashpk","@id":"https:\/\/commvault-new.go-vip.net\/#\/schema\/person\/e8397b26dc620551baacfb35c66ec01d"},"headline":"Shift Left? Shift Right? 
Modern security can seem like the Cha Cha Slide","datePublished":"2024-07-11T13:00:00+00:00","dateModified":"2024-07-11T11:06:11+00:00","mainEntityOfPage":{"@id":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide"},"wordCount":1117,"publisher":{"@id":"https:\/\/commvault-new.go-vip.net\/#organization"},"image":{"@id":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide#primaryimage"},"thumbnailUrl":"https:\/\/www.commvault.com\/wp-content\/uploads\/2024\/07\/Security-Blog-1.png","articleSection":["Security and Compliance"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide","url":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide","name":"Shift Left? Shift Right? Modern security can seem like the Cha Cha Slide | Blog","isPartOf":{"@id":"https:\/\/commvault-new.go-vip.net\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide#primaryimage"},"image":{"@id":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide#primaryimage"},"thumbnailUrl":"https:\/\/www.commvault.com\/wp-content\/uploads\/2024\/07\/Security-Blog-1.png","datePublished":"2024-07-11T13:00:00+00:00","dateModified":"2024-07-11T11:06:11+00:00","description":"Exploring modern security strategies and the importance of balancing prevention and recovery within the NIST Cyber Security 
Framework.","breadcrumb":{"@id":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide#primaryimage","url":"https:\/\/www.commvault.com\/wp-content\/uploads\/2024\/07\/Security-Blog-1.png","contentUrl":"https:\/\/www.commvault.com\/wp-content\/uploads\/2024\/07\/Security-Blog-1.png","width":1200,"height":628},{"@type":"BreadcrumbList","@id":"https:\/\/www.commvault.com\/blogs\/modern-security-can-seem-like-the-cha-cha-slide#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.commvault.com\/"},{"@type":"ListItem","position":2,"name":"Shift Left? Shift Right? Modern security can seem like the Cha Cha Slide"}]},{"@type":"WebSite","@id":"https:\/\/commvault-new.go-vip.net\/#website","url":"https:\/\/commvault-new.go-vip.net\/","name":"Commvault - English - United States","description":"","publisher":{"@id":"https:\/\/commvault-new.go-vip.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/commvault-new.go-vip.net\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/commvault-new.go-vip.net\/#organization","name":"Commvault","url":"https:\/\/commvault-new.go-vip.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/commvault-new.go-vip.net\/#\/schema\/logo\/image\/","url":"https:\/\/www.commvault.com\/wp-content\/uploads\/2024\/03\/logo-commvault-horizontal.jpg?quality=80","contentUrl":"https:\/\/www.commvault.com\/wp-content\/uploads\/2024\/03\/logo-commvault-horizontal.jpg?quality=80","width":1200,"height":628,"caption":"Commvault"},"image":{"@id":"https:\/\/commvault-new.go-vip.net\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Commvault\/","https:\/\/x.com\/commvault","https:\/\/www.instagram.com\/commvault\/","https:\/\/www.linkedin.com\/company\/commvault","https:\/\/www.youtube.com\/user\/commvault","https:\/\/en.wikipedia.org\/wiki\/Commvault"]},{"@type":"Person","@id":"https:\/\/commvault-new.go-vip.net\/#\/schema\/person\/e8397b26dc620551baacfb35c66ec01d","name":"rijnashpk","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/commvault-new.go-vip.net\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/37c838d5879db9a6fc3632ac17fcc4a8?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/37c838d5879db9a6fc3632ac17fcc4a8?s=96&d=mm&r=g","caption":"rijnashpk"}}]}},"jetpack_featured_media_url":"https:\/\/www.commvault.com\/wp-content\/uploads\/2024\/07\/Security-Blog-1.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.commvault.com\/wp-json\/wp\/v2\/posts\/521323","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.commvault.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.commvault.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.commvault.com\/wp-json\/wp\/v2\/users\/164"}],"replies":[{"embeddable":true,"href":"https:\/\/www.commvault.com\/wp-
json\/wp\/v2\/comments?post=521323"}],"version-history":[{"count":1,"href":"https:\/\/www.commvault.com\/wp-json\/wp\/v2\/posts\/521323\/revisions"}],"predecessor-version":[{"id":521326,"href":"https:\/\/www.commvault.com\/wp-json\/wp\/v2\/posts\/521323\/revisions\/521326"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.commvault.com\/wp-json\/wp\/v2\/media\/521325"}],"wp:attachment":[{"href":"https:\/\/www.commvault.com\/wp-json\/wp\/v2\/media?parent=521323"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.commvault.com\/wp-json\/wp\/v2\/categories?post=521323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.commvault.com\/wp-json\/wp\/v2\/tags?post=521323"},{"taxonomy":"cmv_author","embeddable":true,"href":"https:\/\/www.commvault.com\/wp-json\/wp\/v2\/cmv_author?post=521323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}