Sophisticated and novel attacks have required new classes of security tools that are designed to detect and prevent emerging and evolving threats. This is why cyber recovery is becoming more prevalent. A cyber response differs from the known disaster response in that it detects an attack, isolates it, and analyses to then provision a recovery environment.
Why cyber recovery is important
These changes to modern attacks and architecture also drive the need for a fundamental change to the incident response and recovery process. Historically, a system compromise would be identified and a disaster declared, after which compromised systems would be restored from backup. Much of this process was manual, requiring human interaction at each decision point in the effort to restore individual systems to a point in time, after which services could be resumed, tested, and stood up as the production instance.
Increasingly sophisticated ransomware attacks have strained this capability for many victims for a variety of reasons. First, the backup system is a key target of attackers looking for a big payout, meaning thorough vetting of restored data is critical. Second, downtime has a huge cost for system owners, making a timely return to full operational capacity a high priority. Finally, the sophistication of modern attacks makes it critical to be thorough in ensuring all forms of persistence have been removed from corporate systems, otherwise the costs of the recovery process are wasted and the breach is not resolved.
How cyber recovery tools work
According to IDC Worldwide Cyber-Recovery 2023 Vendor Assessment, modern cyber recovery products are architected to minimize the initial damage of an attack, and then facilitate an efficient recovery with full confidence in the return to service. Ideally, these solutions should be able to detect the initial attack, mitigate the breach automatically, and facilitate forensic analysis into the nature of the attack. This forensic analysis should include what resources and systems have been compromised through the course of the attack, forming the basis of what the scope of the recovery process looks like.
Once the scope of an attack is established and recovery needs are identified, a modern cyber response system should be capable of performing a restore into an isolated sandbox, providing a safe space for additional analysis away from potentially compromised systems and production workloads. These sandboxed systems can then be thoroughly scanned for malware to be mitigated or potentially as an indication that a previous restore point for one or more resources should be used. Once a recovery path has been validated it can be applied to production hardware and systems and services can be fully restored and operational status resumed.
Another set of features that collectively contribute to a quick and efficient cyber recovery process falls under the heading of continuous data protection (CDP). CDP monitors critical systems on a real-time basis, tracking each change and enabling extremely granular restoration both in terms of individual files as well as restoring to a specific a point-in-time. CDP obviously has a higher overhead cost to system performance than snapshot-based backups, but in a world where seconds matter CDP provides unprecedented restore capabilities. Itâs worth noting that while CDP has similarities to replication or mirroring the data being protected by CDP is retained as a read-only copy and can be restored back to a previous point-in-time when necessary.
Cyber recovery vendors
Cyber recovery doesnât always come in a single product but tends to be part of a platform or offer as part of other products. IDC states that cyber recovery is not a capability unto itself, but rather a combination of capabilities. Below we list 10 vendors that cover cyber recovery.
Acronis Cyber Protect and Cyber Protect Cloud
Acronis is one of a few well-known names in the backup and recovery space bringing their expertise into modern cyber recovery tools. Fully recognizing that cyber recovery requires features well beyond backup and recovery, Acronis offers two comprehensive platforms: Cyber Protect and Cyber Protect Cloud. AI-backed antimalware, endpoint detection and response, and email security form the basis of proactively detecting attacks to quickly find and mitigate threats. Other notable features offered by Acronis in Cyber Protect include forensic backups, where not only the disk is backed up but a memory dump and key information about running processes, and the ability to perform notarization, which uses certificates to digitally sign files providing assurance to their validity.
Cohesity Data Protect, DataHawk, FortKnox, and SiteContinuity
Cohesity offers a range of products that fill different business needs relating to cyber recovery. Data Protect safeguards a variety of workloads using immutable snapshots with strict consistency, in conjunction with an optimized restore process that gives you the tools to quickly identify your restore point and efficiently restore system resources. Another option is Cohesity DataHawk, which focuses heavily on protecting against ransomware attacks using tools and techniques like security posture monitoring, threat and anomaly detection, and data classification using machine learning. DataHawk also includes Cohesity FortKnox, their SaaS cyber vaulting and recovery product that brings features like flexibly recovery targets, granularity in the data being recovered, and tools to confidently identify a trusted restore point. Finally, Cohesity SiteContinuity has built-in orchestration capabilities utilizing automation to facilitate hot standby or recovery of business applications.
Commvault
Commvault has a full catalog of products that lend themselves to cyber recovery. Commvaultâs cyber protection capabilities start with threat detection and early warning, including Threatwise (cyber deception and decoy/bait systems) and Security IQ (risk monitoring, system and backup hardening, and multi-authorization workflows for critical management operations). Commvaultâs cyber recovery systems leverage immutability, air gapped backups, and zero trust principles to protect critical systems against a variety of attack methods. All these components are backed by Commvaultâs Metallic AI, which bolsters anomaly detection, facilitates placement of decoy and bait systems, and guides you through the restore process should the need arise.
Dell PowerProtect Cyber Recovery
Dell is first and foremost a hardware company, and their cyber recovery offerings bear this out, but Dell also brings a robust set of software tools that help form a complete cyber recovery solution. PowerProtect Cyber Recovery isolates critical data from potential attack, while also leveraging machine learning through Dell CyberSense to identify suspicious activity and to determine a safe restore point. Dell also offers PowerProtect appliances as either a backup target or as an integrated focal point of your cyber recovery platform. Dellâs professional services branch can be engaged to assist with building out your cyber recovery, performing testing, or can even be placed on retainer for incident response.
Druva
Druva may not have the name recognition as some of the vendors on this list, but their cyber recovery product does not suffer from a lack of features. Druvaâs cloud-based control panel provides a single pane of glass into protecting workloads hosted in the cloud or on-prem. Dru, Druvaâs AI copilot, acts as a guide to simplify management of backup jobs, delving into errors, or reviewing history of backup jobs. Druva combines orchestration with curated snapshots, offering insight into file change history — particularly malicious activity such as infection or encryption — and then provides flexible recovery options such as system rollback, quarantined snapshots, or recovery to a sandbox environment. Druva includes access to both Druva Learning Management and Druva Academy for licensed users, and offers professional services for training, fire drill testing, playbook development, and incident response.
Quest
Quest has long been a leading vendor in IT management software and tools, and their cyber recovery systems run the gamut from full system backup and recovery to niche tools focused on protecting individual enterprise systems. Questâs NetVault Plus provides a backup and recovery system engineered to provide ransomware protection, replication for disaster recovery, and CDP. KACE Cloud brings device patching and endpoint management, both of which are critical components of a modern security stack. Several of Questâs solutions focus on protecting Active Directory and Microsoft Entra. Two notable mentions are Recovery Manager for AD Disaster Recovery Edition, which automates the Active Directory recovery process at the Forest level, and SpecterOps BloodHound Enterprise, which analyzes Active Directory for weaknesses and potential attack paths, providing mitigation steps to harden your enterprise directory and strengthen corporate security.
Rubrik Threat Containment and Cloud Vault
Rubrikâs solution portfolio offers comprehensive coverage of the modern cyber recovery checklist. Rubrik Threat Containment identifies malware and infected files, isolates those snapshots, and facilitates recovery of clean files, removing the risk of re-introducing compromised files. Infected data can be retained for forensic review, while also being restricted to users with specific permissions to prevent accidental restoration. Rubrik Cloud Vault offers logically air-gapped backups in a fully managed platform that simplifies implementation and long-term management. Rubrikâs data analysis tools evaluate file content, and backup activity, applying classification rules to backups even to the point of identifying potentially sensitive data that isnât fully protected. As the cherry on top, Rubrik includes their Ransomware Response Team at no additional cost beyond your support contract.
Veeam Data Platform
Veeam may not have been in the backup and recovery game as long as some of the other players on this list, but theyâve certainly earned their way into the top weight class at this point. Veeam offers multiple solutions in the cyber security and recovery space under the banner of the Veeam Data Platform, each of which cover key elements of an enterpriseâs cyber recovery needs. Veeam Backup and Replication provides ransomware protection, immutability, and CDP with point-in-time recovery. Veeam ONE is built to enable a proactive posture when it comes to protecting corporate resources, detecting and mitigating malicious activity, and giving a comprehensive view of your data protection status. Veeam Recovery Orchestrator closes the loop between protection and detection, enabling automation of testing or recovery, providing easily repeatable workflows to bring your systems back online efficiently and effectively.
Veritas 360 Defense
Veritas 360 Defense is the latest in a long history of data protection tools from Veritas. Veritas 360 Defense brings all aspects of cyber protection and recovery under a single set of integrated tools. These tools encompass hardening your corporate systems and improving security posture, classifying data via policy templates targeting multiple file and media types, and identifying areas where security and protection measures should be bolstered. It also performs anomaly detection and end-user sentiment analysis, identifying cases where users donât comply with company policy or industry regulations, or even capturing instances of malicious activity. Backup immutability is applied end-to-end from capture, through transport, and to storage. The Veritas 360 Defense recovery orchestrator supports dependency mapping, test scenarios and rehearsals, and extensibility to other elements of your technology stack.
Zerto
If Zerto is an unfamiliar name, know that itâs now part of HPE after the 2021 acquisition. Zertoâs focus is on virtual and cloud environments, integrating tightly with hypervisors to fully secure your workloads. Zerto can even detect encryption events within running virtual machines, automatically noting them within the timeline to support clean and effective restores when necessary. Zertoâs journaling system captures write transactions using CDP, enabling highly granular restoration should the need arise, while anomalous activity is recorded and evaluated using an entropy calculation to avoid false positives.