Protect IT: Keep Incident Response Top of Mind When Designing Your Backup and Data Log Recovery

October 21, 2019

Cybersecurity Awareness Month (CSAM) is a global initiative created by the Department of Homeland Security 16 years ago to recognize the importance of digital security for consumers and organizations alike. Enterprises, employees, and end-users alike need to band together to #BeCyberSmart.

Herjavec Group is proud to be a CSAM Champion!

Contributed by Matt Anthony, VP of Incident Response, Herjavec Group

According to NIST standards, a strong cybersecurity program includes five elements:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover (and lessons learned)

We’re going to focus this summary on Recovery – an unfortunate afterthought for many organizations until they’re in the midst of incident response.

Recovery means a timely return to normal operations following a cybersecurity incident. Your backups and data logs are crucial to achieving this, yet many organizations cannot take full advantage of their backups because the backup architecture was never designed with recovery from an attack in mind.

Organizations typically base their backup and log architecture on business continuity requirements. However, that approach doesn’t always account for the risks associated with cyber attacks.

If backup systems, whether on-premises or in the cloud, sit on the same network as every other system and can be reached with the same login credentials, an attacker who compromises those credentials can reach the backup data just as easily as your system administrator can.

You may also face additional recovery issues if logs are kept only on the device that generated them, with no verification that they are being forwarded to a location from which they can be recovered. Without these measures, attackers who control the device can delete or modify its logs and erase their footprint. With this in mind, it is essential that servers and workstations log the right information and that those logs leave the device.

Matt Anthony, VP of Security Remediation Services at Herjavec Group, says, “You can’t recover from a security incident if you don’t know how the incident happened or what happened during the incident. Our advice to customers is to review how they store and protect their logs. Additionally, ensure that the logs for critical infrastructure are set at a level that allows you to backtrack and identify events historically.”

So how should you approach backup and data log recovery? Matt Anthony says all organizations should consider the following:

Make sure your team understands how to design backup and log architecture for incident response.

Avoid tunnel vision about the purpose of backups. Backup schemas are generally designed for a specific business purpose, such as a speedy return to business continuity. However, backups also exist to restore lost data after cyber intrusions, ransomware attacks, and malicious insider attacks.

Help your team understand that it’s essential for backups and logs to be properly constructed, tested for recovery and protected from potential erasure and encryption.

Encourage collaboration between the IT team and all other departments.

IT teams usually design backup and recovery systems based on current business needs or ease of access. IT teams should align with the C-level executives and each individual department to determine the “crown jewels” that must be protected.

Segment backups and logs from the rest of the network.

Backups and logs that sit on the network that gets compromised may not be available for use in recovery operations. Backups should be segmented from the standard network and protected by login credentials that are distinct from every other administrator credential. Ensure logs are forwarded off the device that generated them into a security information and event management (SIEM) system or a log aggregator.

Test your backup systems regularly.

Testing and verification are often neglected because short-term operational requirements take priority on a day-to-day basis. Build daily, weekly, monthly, and yearly run books for your operations team that include control processes for testing and validating your backup systems, so that a restore is rehearsed long before an incident forces one.
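As an added illustration, not part of the original post or of any Herjavec Group tooling, the following Python script performs the two run-book controls that this step and the segmentation point above call for: a restore test that unpacks a backup archive into a scratch directory and compares every restored file against a separately stored manifest of SHA-256 digests, and a freshness check that every critical host has actually delivered log records to the aggregator within a time window. The archive contents, manifest, host list, log records and timestamps are constructed sample data.

```python
"""Recovery-readiness check: restore-test a backup against its manifest and
confirm critical hosts are still delivering logs to the aggregator.
Added illustration; every input below is constructed sample data."""
import hashlib
import io
import json
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_backup(files):
    """Pack files into a gzip'd tar and return (archive_bytes, manifest).
    The manifest of SHA-256 digests stands in for what a backup job records
    at backup time; keep it on separate storage so that tampering with the
    archive cannot also adjust the expected digests."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {n: sha256_hex(d) for n, d in files.items()}


def restore_test(archive, manifest):
    """Restore into a scratch directory and compare each restored file with
    the manifest. Returns {name: 'ok' | 'corrupt' | 'missing'}."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                dest = (root / member.name).resolve()
                if root not in dest.parents:  # refuse '../' escapes in the archive
                    continue
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(tar.extractfile(member).read())
        for name, expected in manifest.items():
            path = root / name
            if not path.is_file():
                results[name] = "missing"
            elif sha256_hex(path.read_bytes()) != expected:
                results[name] = "corrupt"
            else:
                results[name] = "ok"
    return results


def log_freshness(records, critical_hosts, now, max_age):
    """Check that each critical host has a record at the aggregator newer than
    now - max_age. Returns {host: 'fresh' | 'stale' | 'silent'}; 'silent'
    means the aggregator has no record at all, the case to alert on first."""
    last_seen = {}
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        if rec["host"] not in last_seen or ts > last_seen[rec["host"]]:
            last_seen[rec["host"]] = ts
    status = {}
    for host in critical_hosts:
        if host not in last_seen:
            status[host] = "silent"
        elif now - last_seen[host] > max_age:
            status[host] = "stale"
        else:
            status[host] = "fresh"
    return status


# Constructed sample inputs (hypothetical host names, not real systems).
SAMPLE_FILES = {"etc/app.conf": b"listen=443\n", "data/orders.db": b"\x00" * 64}
SAMPLE_LOGS = [
    {"ts": "2019-10-21T08:55:00+00:00", "host": "dc01", "msg": "audit: logon"},
    {"ts": "2019-10-21T04:10:00+00:00", "host": "fileserver01", "msg": "smb: session"},
]
CRITICAL_HOSTS = ["dc01", "fileserver01", "backup01"]
NOW = datetime(2019, 10, 21, 9, 0, tzinfo=timezone.utc)


def recovery_readiness():
    """Run both controls on the sample data and return their findings."""
    archive, manifest = build_sample_backup(SAMPLE_FILES)
    return {
        "backup": restore_test(archive, manifest),
        "logs": log_freshness(SAMPLE_LOGS, CRITICAL_HOSTS, NOW, timedelta(hours=1)),
    }


if __name__ == "__main__":
    print(json.dumps(recovery_readiness(), indent=2))
```

In a real run book the manifest would be read from storage that the backup host cannot write to, the records would be pulled from the SIEM or aggregator, and a `stale` or `silent` host or any `corrupt` or `missing` file would open a ticket rather than just print.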

“If you don't have backups, a good recovery isn't possible. If you haven't tested your backups and made sure they're available, you might find out in an incident that you're in worse condition than you thought,” says Matt Anthony.

The good news is that when backups and logs are configured correctly, they’re accessible, they work well for recovery, and most importantly, they demonstrate how a security incident happened. In many cases, this allows companies to avoid paying ransom and focus on recovering systems.

Learn more about how Advisory Services can help you evaluate your log architecture and bolster your organization’s cyber hygiene practices. For help building an effective security incident response plan, connect with a Herjavec Group specialist today.

About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.
