Why Indian Organisations Need a Cyber Resilience strategy for Business Continuity
Sathish Murthy is an experienced regional engineering and technology solutions leader, who brings over two decades of experience in the information and communications technology industry.He is focused on helping customers to transform their business by harnessing the power of data and protecting their data.
In a conversation with Charulatha, a correspondent in Siliconindia magazine, Sathish discussed ransomware trends and cybersecurity in India. AI aids data mana- gement, notably in backup and recovery for cyber incidents, ensuring swift recovery.
1. Tell us about the evolution of new ransomware tactics and the state of cyber security in India
In this respect, India is no different to the rest of the world, with cyberattacks like ransomware a true digital scourge. Part of the challenge that ransomware poses lies in the fact it has continued to evolve over time and has become more complex, potent, and targeted. The first iteration of ransomware, or Ransomware 1.0, was and is relatively easy for organisations to shield themselves against through backups where data could be recovered from and business processes restored. Then Ransomware 2.0 upped the ante and could foil recovery by destroying backups first and encrypting the data. More recently we’ve seen attacks emerge that could be considered Ransomware 3.0, whereby double extortion occurs after data has been encrypted or exfiltrated.
Ransomware tactics have also certainly evolved, with ransomware-as-a-Service (RaaS) emerging in the last few years. RaaS has in many ways not only gone a long way towards democratising ransomware by lowering the technical barriers to entry for threat actors, but has also allowed cybercrime gangs to scale their operations and revenue generation. We have seen RaaS kits such as Locky, Goliath, and Shark provided by groups like DarkSide, Hive, and REvil to allow a wider set of cybercriminals to target organisations’ vulnerabilities and technology infrastructure.
Ransomware attacks are firmly a case of ‘when’ and not ‘if’, which means Indian organisations need a holistic strategy centered around cyber resilience that allows them to recover their data - regardless of the type of attack or attack technique - and restore their usual business processes.
2. How should businesses protect themselves against cyberattacks?
It all starts, and in many instances ends, with cyber resilience because that is what is going to sure-up business continuity against the cyber threat landscape of today. Key capabilities and solutions that ensure this, include:
▪ Immutable backups:These cannot be modified or changed, unlike traditional backup offerings that can be deleted or modified. Backups with immutability built in are also highly useful for forensic investigation, regulatory compliance, and ensuring the integrity of the data before recovery.
▪ Data Access Controls: These allow organisations to maintain or establish a state of zero trust by modulating and limiting over-access to critical or sensitive data. Capabilities like role-based access controls (RBAC), multi-factor authentication (MFA), and Quorum (requiring a minimum of ‘two pairs of eyes’ to validate any data altering action) all allow organisations to restrict unauthorised or malicious changes to data.
▪ Data Encryption: Organisations should only use data management, security, and recovery technologies or technology platforms that encrypt their data in transit and at rest, and to an AES-256 standard.
▪ AI & ML powered threat and anomaly detection: Best-in-class data security, management, and recovery technology is now being enhanced with AI. In fact, some technology innovators now offer critical capabilities like anomaly detection that monitors any change to data, such as size or format, that usually indicate malicious activity, as well as AI-powered threat intelligence where data environments are analysed against the latest set of known threats and vulnerabilities.
▪ Instant Mass Restore: Organisations should be looking to adopt and implement data recovery technologies that allow them to instantly mass restore thousands of virtual machines in a matter of hours and not days or weeks, as this is vital to organisations being able to refuse to pay ransoms.
3. How does AI play an important role in data management, especially for backup and recovery for cybersecurity incidents?
Threat actors are leveraging artificial intelligence (AI) to make their attacks more sophisticated and automate them to be continuous until a vulnerability is found. On the flipside, public and private organisations can also leverage AI to bolster their cybersecurity defences:
▪ AI and machine learning (ML)-powered anomaly detection can help monitor data and detect when malicious activity is taking place or has taken place by recognising patterns, triggering an alert to respond quickly to limit the damage.
▪ AI-enabled MFA can be used to monitor anomalous behaviour (such as different typing speed), require additional authentications depending on data risk, or block if a user’s access strays beyond normal boundaries.
▪ AI-based activity monitoring can establish norms for both user and application behaviour based on continuously analysing activity logs with AI, and alert for any suspicious activity.
▪ AI-enabled optimised scheduling of backups ensure recovery point objectives (RPOs) are always met. As part of the backup process, AI can also help determine data that has become dormant for archival. This helps reduce recovery time by eliminating the recovery of unused data as well as creating efficiency and cost reduction in storage.
"AI-based activity monitoring can establish norms for both user and application behaviour based on continuously analysing activity logs with AI, and alert for any suspicious activity"
4. What are reasonable recovery times for any business experiencing a cybersecurity incident?
Data recovery times are highly specific to each and every organisation, however, the more important questions that organisations need to ask themselves are:
● How much data do I have, and what types of data do I have?
● Where and how is my data stored?
● Is it secure, and can I recover it if attacked?
● Is it backed up in an immutable solution and encrypted at transit and at rest?
● Can I recover it to the point before it was infected (RPO) and recover it quickly to restore my usual business processes quickly (RTO), and to pre-identified targets?
By being able to answer all of these questions, even if some areas need to be worked on, organisations will be able to establish or maintain effective response times, and with the right modern data security and management technology should be able to recover in hours, not days or weeks as is the case for most companies.
5. Why do organisations consider paying the ransom if it increases the risk of more ransomware attacks in the future?
Primarily this occurs because of their cyber resilience gaps or not even prioritising cyber resilience in the first place, which means that when they suffer a cyberattack business processes are disrupted or stopped to the point that when ransomware is involved a ransom is paid to recover the data and restore business processes or do so faster. In fact, in our State of Cohesity Data Security and Management Report 2023, 95% of respondents said it would take over 24 hours to recover data and 41% said it would take over a week. No organisation can afford to be offline or have the majority of their business operations disrupted for more than a few hours, hence why some organisations opt to pay ransoms. However, it is vital that organisations choose not to pay ransoms because rarely will their data be fully recovered or recovered quickly, in many instances it is corrupted or vulnerable once returned, and it further encourages threat actors to continue attacks and even coming back to the organisation again, and in some jurisdictions paying ransoms is against existing regulations or legislations.
In a conversation with Charulatha, a correspondent in Siliconindia magazine, Sathish discussed ransomware trends and cybersecurity in India. AI aids data mana- gement, notably in backup and recovery for cyber incidents, ensuring swift recovery.
Some technology innovators now offer critical capabilities like anomaly detection that monitors any change to data, such as size or format
1. Tell us about the evolution of new ransomware tactics and the state of cyber security in India
In this respect, India is no different to the rest of the world, with cyberattacks like ransomware a true digital scourge. Part of the challenge that ransomware poses lies in the fact it has continued to evolve over time and has become more complex, potent, and targeted. The first iteration of ransomware, or Ransomware 1.0, was and is relatively easy for organisations to shield themselves against through backups where data could be recovered from and business processes restored. Then Ransomware 2.0 upped the ante and could foil recovery by destroying backups first and encrypting the data. More recently we’ve seen attacks emerge that could be considered Ransomware 3.0, whereby double extortion occurs after data has been encrypted or exfiltrated.
Ransomware tactics have also certainly evolved, with ransomware-as-a-Service (RaaS) emerging in the last few years. RaaS has in many ways not only gone a long way towards democratising ransomware by lowering the technical barriers to entry for threat actors, but has also allowed cybercrime gangs to scale their operations and revenue generation. We have seen RaaS kits such as Locky, Goliath, and Shark provided by groups like DarkSide, Hive, and REvil to allow a wider set of cybercriminals to target organisations’ vulnerabilities and technology infrastructure.
Ransomware attacks are firmly a case of ‘when’ and not ‘if’, which means Indian organisations need a holistic strategy centered around cyber resilience that allows them to recover their data - regardless of the type of attack or attack technique - and restore their usual business processes.
2. How should businesses protect themselves against cyberattacks?
It all starts, and in many instances ends, with cyber resilience because that is what is going to sure-up business continuity against the cyber threat landscape of today. Key capabilities and solutions that ensure this, include:
▪ Immutable backups:These cannot be modified or changed, unlike traditional backup offerings that can be deleted or modified. Backups with immutability built in are also highly useful for forensic investigation, regulatory compliance, and ensuring the integrity of the data before recovery.
▪ Data Access Controls: These allow organisations to maintain or establish a state of zero trust by modulating and limiting over-access to critical or sensitive data. Capabilities like role-based access controls (RBAC), multi-factor authentication (MFA), and Quorum (requiring a minimum of ‘two pairs of eyes’ to validate any data altering action) all allow organisations to restrict unauthorised or malicious changes to data.
▪ Data Encryption: Organisations should only use data management, security, and recovery technologies or technology platforms that encrypt their data in transit and at rest, and to an AES-256 standard.
▪ AI & ML powered threat and anomaly detection: Best-in-class data security, management, and recovery technology is now being enhanced with AI. In fact, some technology innovators now offer critical capabilities like anomaly detection that monitors any change to data, such as size or format, that usually indicate malicious activity, as well as AI-powered threat intelligence where data environments are analysed against the latest set of known threats and vulnerabilities.
▪ Instant Mass Restore: Organisations should be looking to adopt and implement data recovery technologies that allow them to instantly mass restore thousands of virtual machines in a matter of hours and not days or weeks, as this is vital to organisations being able to refuse to pay ransoms.
3. How does AI play an important role in data management, especially for backup and recovery for cybersecurity incidents?
Threat actors are leveraging artificial intelligence (AI) to make their attacks more sophisticated and automate them to be continuous until a vulnerability is found. On the flipside, public and private organisations can also leverage AI to bolster their cybersecurity defences:
▪ AI and machine learning (ML)-powered anomaly detection can help monitor data and detect when malicious activity is taking place or has taken place by recognising patterns, triggering an alert to respond quickly to limit the damage.
▪ AI-enabled MFA can be used to monitor anomalous behaviour (such as different typing speed), require additional authentications depending on data risk, or block if a user’s access strays beyond normal boundaries.
▪ AI-based activity monitoring can establish norms for both user and application behaviour based on continuously analysing activity logs with AI, and alert for any suspicious activity.
▪ AI-enabled optimised scheduling of backups ensure recovery point objectives (RPOs) are always met. As part of the backup process, AI can also help determine data that has become dormant for archival. This helps reduce recovery time by eliminating the recovery of unused data as well as creating efficiency and cost reduction in storage.
"AI-based activity monitoring can establish norms for both user and application behaviour based on continuously analysing activity logs with AI, and alert for any suspicious activity"
4. What are reasonable recovery times for any business experiencing a cybersecurity incident?
Data recovery times are highly specific to each and every organisation, however, the more important questions that organisations need to ask themselves are:
● How much data do I have, and what types of data do I have?
● Where and how is my data stored?
● Is it secure, and can I recover it if attacked?
● Is it backed up in an immutable solution and encrypted at transit and at rest?
● Can I recover it to the point before it was infected (RPO) and recover it quickly to restore my usual business processes quickly (RTO), and to pre-identified targets?
By being able to answer all of these questions, even if some areas need to be worked on, organisations will be able to establish or maintain effective response times, and with the right modern data security and management technology should be able to recover in hours, not days or weeks as is the case for most companies.
5. Why do organisations consider paying the ransom if it increases the risk of more ransomware attacks in the future?
Primarily this occurs because of their cyber resilience gaps or not even prioritising cyber resilience in the first place, which means that when they suffer a cyberattack business processes are disrupted or stopped to the point that when ransomware is involved a ransom is paid to recover the data and restore business processes or do so faster. In fact, in our State of Cohesity Data Security and Management Report 2023, 95% of respondents said it would take over 24 hours to recover data and 41% said it would take over a week. No organisation can afford to be offline or have the majority of their business operations disrupted for more than a few hours, hence why some organisations opt to pay ransoms. However, it is vital that organisations choose not to pay ransoms because rarely will their data be fully recovered or recovered quickly, in many instances it is corrupted or vulnerable once returned, and it further encourages threat actors to continue attacks and even coming back to the organisation again, and in some jurisdictions paying ransoms is against existing regulations or legislations.