IBM Resiliency Orchestration with Cyber Incident Recovery

Purpose-built cyber resilience for fast, reliable and scalable recovery in hybrid multicloud environments

Table of contents

– Your cyber resilience might be overdue for a change
– An architecture that enables an agile approach to cyber resilience
– Cyber Incident Recovery for platform configuration
– Cyber Incident Recovery for data
– Dashboards and reporting that simplify management
– Why IBM?

Your cyber resilience might be overdue for a change

The more your data and applications traverse an increasingly interconnected infrastructure of on-premises, public cloud and multicloud environments, the more ways cyberattackers can disrupt the continuity of your business. The complex nature of hybrid multicloud environments exposes your critical data and system configurations to higher levels of risk than ever before, so much so that the likelihood of a successful cyberattack has become an absolute certainty. No matter how vigilant your IT security team may be, a cyberattack will eventually lead to a business disruption in the form of an outage, data theft or data corruption—causing reputational damage and financial fallout.

In the not-too-distant past, traditional recovery solutions could be counted on to help mitigate the damage of most conventional cyberattacks. But that was long before hybrid multicloud environments were a reality. While IT infrastructures have grown in complexity, cyberattackers have grown more sophisticated, too. Data encryption and malware attacks are now being designed to target data in ways that were once unimaginable. As a result, these attacks are gaining access to and locations, leaving both primary and backup data unusable and significantly delaying the ability to restore production-level operations.

IBM Resiliency Orchestration with Cyber Incident Recovery minimizes the business impact of cyberattacks with its fast, reliable and scalable recovery across hybrid multicloud environments.

Purpose-built cyber recovery for a hybrid multicloud world

IBM Resiliency Orchestration with Cyber Incident Recovery can recover your data and platform configurations at rapid speed in the event of a cyber outage. It provides intelligent automation of data protection and disaster recovery workflows, and enables recovery testing, data immutability, anomaly detection, monitoring, management and reporting across hybrid multicloud environments. The solution delivers automated, reliable and fast recovery of physical and virtual workloads, including business processes, applications, systems and databases from cyberattacks.

Cyber Incident Recovery provides:
– Easy testing capability that does not impact production environments
– Faster detection of data corruption and quick response to reduce downtime
– Efficient point-in-time recovery that optimizes recovery point objectives (RPOs)
– Scalability to handle large, site-level detection and recovery in minutes
– Simplified visibility and reporting to help address regulatory requirements

IBM Resiliency Orchestration with Cyber Incident Recovery delivers automated, reliable and fast recovery of physical and digital workloads from cyberattacks.

An architecture that enables an agile approach to cyber resilience

The technology building blocks that make up the Cyber Incident Recovery capability provide a platform that spans compute and data layers of both production and disaster recovery environments. This enables an agile approach to recovery across your virtual and physical workloads.

Immutable storage

Using unalterable storage technology for configuration data or write-once-read-many (WORM) storage for application data helps prevent corruption and ensure recoverability by not allowing changes to be made to backups once they are saved. For application data, this approach also helps reduce your storage costs by only writing new copies of point-in-time incremental changes.

Air-gapped protection

Network isolation separates production environments from the WORM storage that contains the protected, backed-up data at a remote or disaster recovery (DR) site. Access to the WORM storage is also restricted to only those times when data is available to backup. This approach, combined with immutable storage, helps prevent protected data from being corrupted by malware that can traverse networks or that is designed specifically to target backup data.

Anomaly detection

IBM Resiliency Orchestration includes an anomaly detection capability that uses rule-based heuristic identification, augmented by artificial intelligence (AI). It is trained on different change patterns of known malware, captures and compares the change patterns in backed up data to predict the data anomalies with high accuracy. This anomaly detection capability at the DR site will help identify anomalous backed up snapshots and restore from clean copies.

Configuration data verification

This component uses the in-built, AI-based anomaly detection capability to help ensure the configuration or data being protected is clean and recoverable. The process, built into Resiliency Orchestration, will automatically detect when your system configurations have been modified. Resiliency Orchestration will also integrate with client-provided application validity scripts to provide application- and data-level testing.

Automation and orchestration

By automating the end-to-end recovery process for data and applications, Resiliency Orchestration enables quick restoration of your IT environment. Resiliency Orchestration replaces the traditional manual processes with pre-determined workflows that have been tested and validated, allowing you to recover an entire business process, application, database or discrete system with the click of a button. These workflows orchestrate the multiple steps required to recover interconnected systems and data, limiting human error. Resiliency Orchestration helps speed solution implementation by leveraging an extensive library of more than 800 predefined patterns that can be combined to build workflows.

Cyber Incident Recovery for platform configuration

Malware often alters the configurations before corrupting the data itself; hence it is critical to detect any configuration changes before the actual data is infected. The platform configuration feature of Cyber Incident Recovery protects configuration data of virtual and physical workloads, applications, storage systems and network devices across on-premises, public cloud, hybrid cloud and multicloud environments.

Keeping business going with a “golden copy”

This component uses the built-in technologies to identify any change in production endpoint configurations and alerts the user for any authorized and unauthorized change. The alerts can also provide relevant tickets from change control management software. To enable fast restoration of services, Cyber Incident Recovery replicates a “golden copy” of server and device configuration data to air-gap protected immutable storage.

Responding to invalid and valid configuration changes

In the case of a valid change, configuration data is protected by replication of a new “golden copy” to immutable storage. If an invalid change is identified, the latest clean copy of device configurations is quickly restored to the production infrastructure by Resiliency Orchestration, based on pre-established policies and with the appropriate management consent. Dedicated and virtual machine configurations are restored onto a clean production infrastructure. In case of valid changes, a new “golden copy” is created in an immutable storage.

[Figure: IBM Cyber Recovery as a Service, Cyber Incident Recovery for Platform Configuration (IBM Resiliency Orchestration). Diagram labels: air-gap protection for platform configuration; early identification of anomalies in platform configuration; rapid restore of device; frequent testing capability; visibility and reporting. Captions: monitor for configuration change and fetch the configuration and data; run analysis/forensics using Change Control Management, to validate the change; replicate the validated configuration to WORM storage; if invalid change, restore the configuration from the “clean” copy; apply the same change in DR infrastructure; restart services.]

*airgap not supported for Immutable storage hosted on cloud

Cyber Incident Recovery for data

The data feature of Cyber Incident Recovery enables highly reliable, fast recovery against cyberattacks that corrupt the data itself. It protects data through the use of air-gapped protection and immutable storage to maintain business continuity while orchestrating fast recovery at the disaster recovery site.

Protecting large volumes of data across every environment

Cyber Incident Recovery is designed to handle large volumes of application data, no matter where that data lives. It employs copy data management technology to create and maintain incremental point-in-time (PIT) copies of data. Because these copies are kept on immutable storage like cloud object storage or storage with WORM capability, they are “forever” copies that cannot be changed. Copy data management software replicates data to a disaster recovery or alternate site, creating the PIT copies. PIT copies can also be made and stored at the production site for quick restore capability.

Responding quickly to cyberattacks

When a disaster recovery manager receives a notification that a data breach or an encryption malware infection has been discovered, automated testing of PIT copies is performed at the disaster recovery site to verify the recoverability of the data. The latest “clean” copy identified by the testing and verification process is then recovered on the disaster recovery infrastructure by the Resiliency Orchestration software. Testing can also be conducted frequently at the disaster recovery site, helping to ensure recoverability of data without impacting business operations. Resiliency Orchestration helps ensure that platforms can be recovered quickly, in parallel.
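The two ideas described above, comparing change patterns between backed-up PIT copies and then recovering the latest clean one, shown as an added Python example that is not IBM's code or algorithm. It substitutes a simple rule-based heuristic (share of changed blocks plus their Shannon entropy); the thresholds, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096
# Illustrative thresholds (assumptions, not values from any product).
MAX_CHANGE_RATE = 0.5   # share of blocks that differ from the previous copy
MAX_ENTROPY = 7.5       # bits per byte; encrypted data approaches 8.0

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    return 0.0 - sum(p * math.log2(p) for p in (c / len(data) for c in Counter(data).values()))

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def change_profile(prev: bytes, cur: bytes) -> tuple:
    """Return (share of changed blocks, mean entropy of the changed blocks)."""
    pb, cb = blocks(prev), blocks(cur)
    changed = [b for i, b in enumerate(cb) if i >= len(pb) or pb[i] != b]
    if not changed:
        return 0.0, 0.0
    return len(changed) / len(cb), sum(map(entropy, changed)) / len(changed)

def is_anomalous(prev: bytes, cur: bytes) -> bool:
    """Flag a mass rewrite with near-random content (encryption-like change)."""
    rate, ent = change_profile(prev, cur)
    return rate > MAX_CHANGE_RATE and ent > MAX_ENTROPY

def latest_clean_copy(copies: list) -> str:
    """copies: [(label, data)], oldest first; copies[0] is a trusted baseline."""
    clean = copies[0][0]
    for (_, prev), (label, cur) in zip(copies, copies[1:]):
        if is_anomalous(prev, cur):
            break  # later copies inherit the flagged data, so stop here
        clean = label
    return clean

def noise(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted data."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def sample_copies() -> list:
    """Constructed PIT series: routine edit, mass encryption, later small edit."""
    base = b"".join(b"id=%06d;status=ok\n" % i for i in range(4000))[:16 * BLOCK]
    edit = base[:BLOCK] + b"status=updated".ljust(BLOCK, b".") + base[2 * BLOCK:]
    locked = noise(len(base))
    later = locked[:-BLOCK] + b"README".ljust(BLOCK, b" ")
    return [("pit-1", base), ("pit-2", edit), ("pit-3", locked), ("pit-4", later)]
```

Compared only with its predecessor, pit-4 looks like a routine small edit, which is why the selection stops at the first flagged copy instead of testing each copy in isolation.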

[Figure: IBM Cyber Recovery as a Service, Cyber Incident Recovery for Data (IBM Resiliency Orchestration). Diagram labels: protection of virtual machines and data; detection of anomalies in data; rapid recovery of clean copies; frequent testing capability; visibility and reporting. Captions: backup incremental forever point in time copies; maintain immutable point in time copies in WORM storage; restore PIT copies and run validation/forensics to identify “clean” copy*; move the “clean” copy to production storage for performance; optional local point in time copies for quick restore.]

Dashboards and reporting that simplify management

Cyber Incident Recovery includes a dashboard that simplifies cyber recovery management and the monitoring of platform configuration changes and data changes. It provides real-time visibility into RPO and recovery time objective (RTO) deviations, snapshot validation status and critical cyber recovery updates.

Better tracking of vulnerabilities and increased visibility

The Cyber Incident Recovery dashboard tells you the number of vulnerabilities across your environments, along with the severity level of each. You can track open vulnerabilities and make decisions informed by visibility into cyber RPO deviation, cyber RTO deviation, snapshot validation status and current cyber readiness.

Robust reporting functionality

The built-in reporting module offers a rich set of reports, including cyber resilience or disaster recovery posture, which can be exported and shared with regulators for compliance purposes, along with charts captured during normal business operations. Meanwhile, senior management or the board of directors can receive real-time critical cyber recovery updates for faster, more informed decision making.

Cyber Incident Recovery provides real-time visibility into RPO and RTO deviations, snapshot validation status and critical updates

Why IBM?

IBM Business Resiliency Services has decades of experience helping clients worldwide with their backup and recovery needs.

IBM advantage
– Expertise across the resiliency lifecycle
– Automated recovery of physical, virtual and cloud workloads
– 800+ predefined patterns for faster, efficient implementation and scalability
– IBM Cloud® and Red Hat® for enterprise scalability
– Flexible payment plans and options with IBM Global Financing

Trusted
– Over 9,000 customers are protected with IBM disaster recovery and data management services
– IBM has more than 3.5 exabytes backed up annually and under management

A global reach
– There are more than 300 IBM Resiliency Centers in more than 50 countries around the world
– IBM dedicates over 6,000 professionals worldwide to resiliency

Ready to learn more?

Watch the demo and see what IBM Resiliency Orchestration with Cyber Incident Recovery can do for you.

© Copyright IBM Corporation 2020

IBM Corporation
New Orchard Road
Armonk, NY 10504

Produced in the United States of America
October 2020

IBM, the IBM logo, ibm.com, IBM Cloud, and IBM Services are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

WXZGPA3G