Cyber resilience evolves into a team sport for organizations battling ransomware
The cybersecurity battleground for companies has expanded in scope and complexity. The response is a broadening from traditional enterprise security operations to full-fledged cyber resilience. In doing so, companies can preempt and respond to attacks with minimal disruptions and resource/reputation loss.
What is the current state of cyber resilience, especially as attacks have become less predictable and more harmful?
“Having been on the other side of the table and subjected to vendor positioning for years, I was quite keen as an organization that we don’t create our own framework or workflow,” said James Blake (pictured), vice president of cyber resiliency strategy at Cohesity Inc. “What we did is to align to industry ones. Incident response and cyber resiliency is a team effort. Business continuity and disaster recovery, just bringing back the last snapshot, brings back the vulnerabilities. It brings back the persistence mechanisms and all the gaps or evasions in your controls.”
Blake spoke with theCUBE Research’s Christophe Bertrand during a recent CUBE Conversation. They discussed how organizations can evolve their strategies to stay resilient in an era of unpredictable and devastating attacks. (* Disclosure below.)
Exploring the paradigm shift from BC/DR to cyber resilience
Traditional business continuity and disaster recovery strategies are no longer sufficient to handle modern cyber incidents like ransomware. Treating ransomware attacks like traditional IT disruptions — restoring the last snapshot — often reintroduces vulnerabilities and leaves organizations exposed to reinfection, according to Blake.
“What we see in those instances are customers that have to recover multiple times because ransomware as a service, they’ve got multiple affiliates that are targeting the same vulnerability,” he said. “So, if you bring a system back without caching it and understanding its vulnerabilities, it just either gets re-attacked again or still has persistence mechanisms in there or evasions of controls.”
Organizations must shift their mindset from solely restoring operations to actively investigating and mitigating threats. This involves a multi-stage approach, aligning closely with established frameworks, such as NIST and the SANS six-step incident response lifecycle. For its part, Cohesity advocates for integrating these best practices into workflows, ensuring teams are equipped to detect, contain and recover from cyber threats systematically.
Importantly, cyber resilience is more a team sport than a technical challenge. There’s a strong need for collaboration across IT, security and infrastructure teams. Breaking down silos ensures that everyone — from system admins to security analysts — is aligned in their response, according to Blake.
“If you can’t access or log in to your business applications because your network or your identification tools have been affected, then there’s no business,” he said. “I think it’s very important to be comprehensive, and I think just what you’ve just explained here demonstrates why it is that you need to have this collaboration between security teams and infrastructure teams across the board.”
Vendor ecosystems also play a critical role. Cohesity’s Data Security Alliance, which includes partners such as Splunk Inc. and Zscaler Inc., facilitates seamless integration between tools. This interoperability enhances containment, investigation and recovery efforts, creating a unified front against cyber threats.
The ‘clean room’ approach: Building trust from the ground up
One of Cohesity’s standout strategies is its “clean room” approach, a methodical framework for cyber resilience. The clean room, in this context, is a secure and isolated environment that enables organizations to recover from unforeseen incidents with confidence, according to Blake.
“The important thing to remember is that initiation stage, it’s only about getting the response capability, security tooling and identities needed for response and recovery, not the identities of the whole company,” he said. “We’ve dealt with those at that stage, but now what we’re starting to do is work on those critical business applications. This is when we use the native capability of a data management platform like Cohesity to aid in overcoming some of those around the containment issues.”
Preparation begins long before an incident occurs. The “digital jump bag” is an immutable, vaulted storage area containing essential tools, workflows and authentication mechanisms. This resource ensures teams can quickly establish a trusted environment to initiate response efforts, even if primary systems are compromised, Blake explained.
“Typically the investigation environment is owned by security, and now what we do is we go into a mitigation stage,” he said. “There are two strategies to mitigation, and that can be rebuilding systems. This is where you can hold the golden masters of those systems and trusted configurations in the digital jump bag. So, you do a volume level backup, you’re able to recover that system and then clean with that information you learned from the investigation stage.”
Here’s theCUBE’s complete video interview with James Blake:
(* Disclosure: Cohesity Inc. sponsored this segment of theCUBE. Neither Cohesity nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
Photo: SiliconANGLE