Software Sales Specialist
The Convergence of Security and Data Management for Enhanced Cybersecurity
Security breaches are usually about monetary gain for bad actors, which they accomplish by stealing data. Historically, security and data management have been separate groups within an organization, having their own resources and objectives. The security team watches the perimeter while data management protects the data within the perimeter. When a data breach occurs, the perimeter is exploited and data is exfiltrated.
Bad actors typically take advantage of zero-day exploits; they hack in, steal data, and get out before a fix becomes available. However, several years ago, there was a cyber incident caused by a known bug in Apache Struts that was a two-month exploit. 150 million credit reports were stolen and both security and data management teams failed to prevent this data exposure. This has caused the lines between the two groups to get blurred.
This article addresses strategies to reduce your cyber risk and strengthen your cybersecurity and cyber resilience with collaborative efforts between security and data management.
Different Types of Cyber-Attacks
Data theft often involves personal identifiable information (PII) which can be sold on the dark net. Theft accounts for most cybersecurity breaches, but there is another type of cyber-attack that is causing significant disruption to organizations. This cyber-attack locks up data, disrupting business continuity. Then a ransom is demanded to unlock the data. Alternatively, the crypto-locked files are replaced with clean files from a restore and recovery operation. Unfortunately, many organizations pay the ransom because they do not have confidence in their ability to restore their data safely and successfully.
Defense and Recovery Mechanisms for a Cybersecurity Breach
Conventional wisdom suggests that bad actors will eventually get through the perimeter to launch their nefarious exploits, which means the data needs to be protected. In the case of data theft, the best defense for data exfiltration is encryption. Modern storage systems have encryption built in, but it must be a layered approach, requiring both hardware and software encryption to fully protect the data from unauthorized exposure.
In the case of ransomware, the best defense is early detection and decontamination. If the first line of defense is defeated, then a restore and recovery operation must take place—however if the ransomware is not halted in the production environment, it will be backed up to the data protection system. This happens because ransomware can lay dormant in the production system for a duration of time before being activated, causing it to be captured by the backup process before any alarms are set off. For instance, the dedupe ratio of backup data will not change until files are crypto locked, so analytics will not pick up any anomalies. The good news about the backup environment is that it is inert, so ransomware cannot be launched within the backup system, but infected data can be restored and cause problems again. A forensics process is required to understand how pervasive the malware contamination is within the backup copies so the appropriate quarantining can be applied to them.
Cybersecurity Defense Strategy
Bad actors know that one way to thwart an organization’s ability to restore data and thereby eliminate ransomware is to disable the backup system. This was observed with “SamSam” malware. It maximized damage by encrypting the backup system in addition to the production data, so restoring data was not an option. The backup system’s defense against malware depends heavily on reducing the cyber-attack vectors. This can be accomplished by eliminating user access, for instance.
To protect against cyber threats, organizations need a strategy that includes both cyber insurance to provide monetary protection from successful data breaches and a cyber resilience plan to mitigate impact. This risk management plan should include:
- Identifying cyber risks and vulnerabilities
- Protecting apps and data
- Detecting data corruption and configuration anomalies
- Responding to changes in configurations and data
- Restoring and recovering access to critical application data
- Building a cyber vault
A cyber vault is isolated from both production and backup environments. It allows for decontamination of data before restoration and is one of the key components in a well-defined, multi-layered cyber resilience strategy.
IBM Solutions for Cyber Resiliency
IBM has well-developed technologies, frameworks, and services to improve cyber resilience and protect your data from cyber-attacks.
- IBM storage encryption can protect data at rest.
- IBM Spectrum products like Discovery and Protect can provide detection and recovery benefits, respectively.
- IBM tape products can provide an air gap.
- IBM Cloud Object Storage can create an immutable storage environment that cannot be crypto locked.
These solutions work together to secure the perimeter as well as the data within, however they require cooperation between an organization’s two watchdogs—the security and data management teams. This collaboration and convergence of responsibilities will go a long way in bolstering cybersecurity.
To learn more about solutions to improve cyber resilience, please contact your Mainline Account Executive directly, or click here to contact us with any questions.
You may be interested in: