The US Cyber Incident Reporting for Critical Infrastructure Act, signed into law as part of the Consolidated Appropriations Act of 2022, gives IT teams yet another reason to examine their network infrastructure and data protection measures for vulnerabilities.
The law mandates reporting of cyber-attacks within 72 hours of an incident for organizations within 16 designated critical national infrastructure (CNI) categories. Required steps were published in two playbooks governing incident and vulnerability response to Federal Civilian Executive Branch (FCEB) information systems.
Under the Act, organizations must show that data is preserved from the moment an incident or vulnerability is detected until the incident is closed out. In today’s environment of international cyber wars and increasingly sophisticated bad actors, the law is raising the bar on security preparedness across all industries, not just those designated as CNI.
Figure: Incident Response Process
Backup, Data Protection, Immutability Take Center Stage
While protection from ransomware is multi-faceted, backup and restore methods play an outsized role in limiting the damage an attack can do and in speeding up recovery, while allowing investigation of the attack to proceed in parallel.
For instance, technical analysis often involves pinpointing anomalies and rolling back to versions of the data from shortly before an incident. Digital evidence preservation now extends far beyond capturing forensic images and backing up laptops to showing full audit logs and proof of a chain of custody.
Backup implementations should follow a “3-2-1-0” rule: 3 different copies of data, 2 different media from 2 different technologies or providers, 1 copy offsite, and 0 errors after automated recovery and verification. Yet achieving backup effectiveness at efficient cost levels requires a deeper look at both processes and technology.
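As an added illustration of the "3-2-1-0" rule described above (this is example code, not from the article or from DataCore), the following Python evaluates a backup inventory against each of the four digits. The `BackupCopy` fields, the two constructed inventories, and the interpretation of each rule (the inventory lists every copy including production; "0 errors" means every copy has passed an automated restore test) are assumptions of this example.

```python
"""Evaluate a backup inventory against the 3-2-1-0 rule.

Added example, not from the article or from DataCore. The record fields, the
constructed inventories and the interpretation of each rule are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                    # e.g. "disk", "object", "tape"
    provider: str                 # technology or vendor holding the copy
    offsite: bool                 # held outside the primary site / failure domain
    verify_errors: Optional[int]  # errors from the last automated restore test; None = never tested


def check_3_2_1_0(copies: List[BackupCopy]) -> Dict[str, bool]:
    """Return one boolean per rule plus an overall 'compliant' flag.

    Assumption of this example: the list includes every copy of the data set,
    including the production copy.
    """
    results = {
        # 3: at least three copies of the data
        "three_copies": len(copies) >= 3,
        # 2: at least two media types AND two technologies/providers, so a single
        #    vendor bug or firmware fault cannot take out every copy at once
        "two_media": len({c.media for c in copies}) >= 2
                     and len({c.provider for c in copies}) >= 2,
        # 1: at least one copy held offsite
        "one_offsite": any(c.offsite for c in copies),
        # 0: every copy has been restore-tested automatically with zero errors;
        #    an untested copy (None) counts as a failure because its restorability is unknown
        "zero_errors": bool(copies) and all(c.verify_errors == 0 for c in copies),
    }
    results["compliant"] = all(results.values())
    return results


def findings(copies: List[BackupCopy]) -> List[str]:
    """Human-readable list of the rules that fail, for a review checklist."""
    r = check_3_2_1_0(copies)
    messages = {
        "three_copies": f"only {len(copies)} copies; need at least 3",
        "two_media": "copies do not span 2 media types and 2 technologies/providers",
        "one_offsite": "no copy is held offsite",
        "zero_errors": "at least one copy is untested or failed its last restore test",
    }
    return [msg for rule, msg in messages.items() if not r[rule]]


# Constructed inventories for illustration (not real systems).
GOOD_INVENTORY = [
    BackupCopy("production", "disk", "san-vendor-a", False, 0),
    BackupCopy("local-backup", "object", "onprem-object-store", False, 0),
    BackupCopy("cloud-replica", "object", "cloud-provider-b", True, 0),
]
WEAK_INVENTORY = [
    BackupCopy("production", "disk", "san-vendor-a", False, 0),
    BackupCopy("snapshot", "disk", "san-vendor-a", False, None),  # same array, never restore-tested
]

if __name__ == "__main__":
    for label, inventory in (("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY)):
        print(label, check_3_2_1_0(inventory), findings(inventory))
```

The "weak" inventory is the common failure mode: a snapshot on the same array as production looks like a second copy but shares its media, its vendor, its site, and has never been proven restorable, so it fails every digit of the rule.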
Four Considerations for Effectiveness, Efficiency
Teams should review ransomware protection across their networks from four dimensions:
1) How does backup/archive affect the recovery experience and workload placement?
Organizations increasingly rely on cloud backups to help ensure that incident data and the process of isolating system segments don’t impact ongoing operations. Yet public cloud hosting costs can climb unpredictably, especially when analytics will be performed against that incident data. In addition, not all public clouds have federally certified entities, and even when they do, those regions or locations can be limited.
Maintaining the flexibility of cloud-native storage service orchestration to isolate systems or network segments on-premises can help teams maintain exceptional end-user performance, whether replicating to a trusted public cloud entity or to their own on-premises infrastructure.
2) How does the infrastructure provide protection when the last line of defense is unavailable due to an outage?
Cloud outages are as likely as network attacks to compromise a network. Approaches that enable recovery from local or remote copies can ensure always-on availability and smooth business operations. Four key features are becoming table stakes:
- Copy-based data protection for replication that enhances data durability.
- Parity-based data protection to enable self-healing if nodes in a cluster fail.
- Data immutability and versioning capabilities for protection against tampering or deletion, either malicious or accidental.
- WORM (write-once, read-many) backup technology accompanied by object locking for peace of mind.
The latter two prevent in-place updates to data and deletion of locked assets. Data can be neither modified nor deleted until its retention date expires; only then can it be deleted when no longer needed.
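The immutability, versioning and object-locking behaviour described above, as an added Python model (not code from the article or from DataCore; the `WormStore` class and its method names are this example's own). Every write appends a new locked version rather than overwriting, deletion is refused until the retention date passes, and retention can only ever be extended. The `ransomware_scenario` function walks a constructed timeline in which a backup is overwritten and a deletion is attempted while the clean version is still under retention.

```python
"""Toy model of a versioned, immutable (WORM) object store with retention-based
object locking. Added illustration, not code from the article or from DataCore;
the class and method names are this example's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


class ObjectLocked(Exception):
    """Raised when a caller tries to delete a version whose retention has not expired."""


@dataclass(frozen=True)
class Version:
    version_id: int
    data: bytes
    retain_until: datetime


class WormStore:
    """Every write appends a new version; nothing is ever modified in place."""

    def __init__(self, default_retention: timedelta):
        self.default_retention = default_retention
        self._objects: Dict[str, List[Version]] = {}
        self._next_id = 1

    def put(self, key: str, data: bytes, now: datetime) -> int:
        """Store a new version locked until now + default_retention.
        A put to an existing key never overwrites earlier versions."""
        version = Version(self._next_id, bytes(data), now + self.default_retention)
        self._next_id += 1
        self._objects.setdefault(key, []).append(version)
        return version.version_id

    def get(self, key: str, version_id: Optional[int] = None) -> bytes:
        """Return the latest version, or a specific earlier one for rollback."""
        versions = self._objects[key]
        if version_id is None:
            return versions[-1].data
        return self._find(versions, version_id).data

    def delete_version(self, key: str, version_id: int, now: datetime) -> None:
        """Deletion is refused while the version is under retention."""
        versions = self._objects[key]
        version = self._find(versions, version_id)
        if now < version.retain_until:
            raise ObjectLocked(f"{key} v{version_id} locked until {version.retain_until.isoformat()}")
        versions.remove(version)

    def extend_retention(self, key: str, version_id: int, retain_until: datetime) -> None:
        """Retention may be extended but never shortened (no path to unlock early)."""
        versions = self._objects[key]
        version = self._find(versions, version_id)
        if retain_until <= version.retain_until:
            raise ValueError("retention can only be extended")
        versions[versions.index(version)] = Version(version.version_id, version.data, retain_until)

    @staticmethod
    def _find(versions: List[Version], version_id: int) -> Version:
        for v in versions:
            if v.version_id == version_id:
                return v
        raise KeyError(version_id)


def ransomware_scenario() -> dict:
    """Constructed timeline: clean backup, then a malicious overwrite and a delete attempt."""
    key = "backups/db-full.tar"
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = WormStore(default_retention=timedelta(days=30))
    clean = store.put(key, b"clean full backup", t0)
    # Day 1: an actor holding write credentials "overwrites" the backup object.
    store.put(key, b"ENCRYPTED", t0 + timedelta(days=1))
    results = {
        "latest_is_tampered": store.get(key) == b"ENCRYPTED",
        "clean_version_intact": store.get(key, clean) == b"clean full backup",
    }
    # Day 1: a deletion of the clean version is attempted while it is still locked.
    try:
        store.delete_version(key, clean, t0 + timedelta(days=1))
        results["delete_blocked"] = False
    except ObjectLocked:
        results["delete_blocked"] = True
    # Day 31: retention has expired, so lifecycle cleanup may now remove it.
    store.delete_version(key, clean, t0 + timedelta(days=31))
    results["expired_delete_ok"] = True
    return results


if __name__ == "__main__":
    print(ransomware_scenario())
```

The point the model makes is that the "overwrite" succeeds only in the sense of adding a newer version; the clean version remains readable for rollback, and the delete fails until the retention date, which is exactly the window the 72-hour reporting and evidence-preservation requirements depend on.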
3) How does the proliferation of multi-cloud architectures impact recovery?
The CISA Vulnerability Response Playbook suggests that effective vulnerability management includes inventorying and monitoring:
- Agency-operated systems & networks
- Systems & networks used in partnership with other organizations
- Systems & networks operated by others (public cloud)
Doing this requires leveraging multiple tools with varying ability to highlight signs of exploitation. An authoritative copy of data helps with the identification of a vulnerability, but holding that copy on-premises, with the ability to natively replicate to and from any public cloud entity, speeds evaluation and remediation.
4) How does the analysis/response give IT the freedom to change its mind on cloud providers more easily?
Network architectures are constantly changing with business and regulatory needs, as is guidance from CISA. Organizations that assign incident response and tracking to a third party can be forced to rethink that decision when scrutiny of their invoice reveals that every action generates an upcharge.
Maintaining the capability to seed the data on-premises avoids tasking a third party with activities that can be more cost-effectively handled internally. Choosing solutions that support as many public clouds as possible also allows for increased flexibility in moving to, from, and across external entities when needed.
The lasting impact of the Cybersecurity Act’s passage may be how it elevates a comprehensive view of data protection processes, encouraging organizations to use the right mix of on-premises assets and technologies that support these key features. In doing so, recovery from any ransomware incident is swift and minimizes business impact and cost.
Brian Bashaw is field CTO, Americas, for DataCore Software.