1 of 49

NIS2 – Why and What

Itay Mesholam

Field CTO of EMEA Cybersecurity Services

1

Internal Use - Confidential

2 of 49

ENISA and the NIS2 Directive

Directive (EU) 2022/2555 �(known as NIS2) is amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and is repealing Directive (EU) 2016/1148

The NIS2 directive is intended to be much more dissuasive than its predecessor

��ENISA �European Agency for Cybersecurity

2

Internal Use - Confidential

3 of 49

Background

NIS2 supersedes the first NIS (Network and Information Security) Directive, adopted in July 2016.

Member States have until Autumn / Fall 2024 to become compliant.

Administrative fines up to €10m or 2% annual worldwide turnover
Liability of top managers and C-Level executives within the organizations.

Suspension of certifications and authorizations for services or activities provided by the organization
A temporary ban from management positions within the entity for any person discharging managerial responsibilities at chief executive officer or legal representative level.

The NIS2 Directive strengthens security requirements in the EU
It expands its scope to more sectors and entities
Taking into account the security of supply chains
Streamlining reporting obligations
Introducing monitoring measures
Introducing more stringent enforcement requirements
Harmonizing and tightening sanctions in all Member States

3

Internal Use - Confidential

4 of 49

Content Overview

Scope

Large parts of industry are addressed, not limited to critical infrastructure
Very small enterprises are excluded
Small companies (up to 49 employees and up to €10 million turnover/balance sheet) are excluded. Digital infrastructures are regulated regardless of their size

Fines

In case of violation, fines of up to 10 million euros or 2% worldwide annual turnover may be imposed

Measures to be implemented

Reporting of significant incidents within 24 hours
Management is responsible for approving and supervising the cyber security risk management measures to be implemented
EU countries can require essential and important institutions to use only certified ICT products, services and processes

Competences of national authorities

National authorities are given extensive control and powers of intervention (selection)
On-site inspections, including random checks
Targeted security audits based on risk assessments and Security Scans. Order of binding instructions that the institution remedy the detected defects or violations

4

Internal Use - Confidential

5 of 49

Who Does NIS2 Apply To?

Indicative list of sectors affected by NIS2

SECTORS

Essential Entities (EE)

EMPLOYEES�~250

ANNUAL TURNOVER�€50M

BALANCE SHEET�€43M

Energy

Transport

Finance

Public Administration

Health

Space

Water supply (drinking & wastewater)

Digital Infrastructure

SECTORS

Important Entities (IE)

EMPLOYEES�~50

ANNUAL TURNOVER�€10M

BALANCE SHEET�€10M

Postal Services

Waste Management

Chemicals

Research

Foods

Manufacturing

Digital Providers

Size threshold varies by sector. �Figures are a guideline based on Articles 3.1 a & 3.2 of the NIS2 Regulation.

5

Internal Use - Confidential

6 of 49

Operator duties

Key articles to know

Cybersecurity Measures

Standards

Reporting

Registration

6

Internal Use - Confidential

7 of 49

Technical and organizational measures to manage risks

Business continuity and crisis management

Risk analysis and information system security policies

Incident handling (prevention, detection, and response to and recovery from incidents

Supply chain security including and information security-related aspects concerning acquisition, the relationships, development and including handling and disclosure

Security in network and information systems acquisition, development and maintenance including vulnerability handling and discloser

Policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures

7

Internal Use - Confidential

8 of 49

Reporting Obligations

Notify without undue delay and in any event within 24 hours after having become aware of the incident

Ensure that the exchange of information takes place within trusted communities of essential and important entities

8

Internal Use - Confidential

9 of 49

Central Registry��Entities are required to submit information to the competent authorities. The Member States single points of contact shall forward the information to ENISA. Based on the information received, ENISA shall create and maintain a registry for the entities. Upon request of Member States, ENISA shall enable access of relevant competent authorities to the registry.�

Information sharing arrangements

9

Internal Use - Confidential

10 of 49

Article 21 of the directive

This covers the cybersecurity risk management measures and lists the following (this is where to start!)

�10 areas as �the minimum recommendation -�information sharing arrangements

Policies on risk analysis and information system security
Incident handling
Business continuity and crisis management
Supply chain security
Security in network and information systems acquisition, development and maintenance
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
Basic cyber hygiene practices and cybersecurity training
Policies and procedures regarding the use of cryptography and, where appropriate, encryption
HR security, access control policies and asset management.

10

Internal Use - Confidential

Expanding the Reach

The first NIS directive introduced a clear focus on improving cybersecurity and risk management at critical infrastructure in Europe: energy (electricity, oil, and gas), transportation, drinking water supply and distribution, healthcare, banking and finance, and digital infrastructure (Internet Exchange Points, DNS service providers, and Top-Level Domain (TLD) name registries). These were defined as operators of essential services (OES’s).

The volume and frequency of cyberattacks since the first directive came into force has driven home the message that cybersecurity safeguards and improvements need to be more far-reaching. Industry sectors that may not be viewed as critical may supply components or services to critical infrastructure, from electrical equipment to medical devices. Disruption of food production and distribution or waste management can have a major impact on the function of society. Digital providers such as search engines and online marketplaces are recognized for their universal value.

Consequently, the NIS2 directive extends coverage into all these segments and more. A full list of sectors defined as high criticality or critical is below:

High Criticality Sectors

Energy.
Transport.
Banking.
Financial market infrastructures.
Health.
Drinking water.
Waste water.
Digital infrastructure.
ICT service management (B2B).
Public administration.
Space.

Other Critical Sectors

Postal and courier services.
Waste management.
Manufacture, production and distribution of chemicals.
Food production, processing and distribution.
Manufacturing (medical devices, computer, electronic and optical products, electrical equipment, motor vehicles, transport equipment).
Digital providers (online marketplaces, search engines and social networks).
Research organisations.

Furthermore, it is recognized that it is not only large enterprises that represent a target for cybercriminals or are fundamental to critical services. Consequently, the NIS2 directive also extends the scope to cover midmarket organizations with 250 or more employees and turnover of €10 million or more.

The To-Do List

So, if your organization falls within the sectors covered by NIS2, what requirements are coming your way in the next two years? There are two major aspects to this, detailed in Chapter 4 of the directive, Cybersecurity risk management measures and reporting obligations.

Article 21 of the directive covers the cybersecurity risk management measures and lists the following 10 areas as the minimum recommendation:

Policies on risk analysis and information system securityIncident handling
Business continuity and crisis management
Supply chain security
Security in network and information systems acquisition, development and maintenance
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
Basic cyber hygiene practices and cybersecurity training
Policies and procedures regarding the use of cryptography and, where appropriate, encryption
HR security, access control policies and asset management
MFA, continuous authentication, and secure communications where appropriate

It is likely that most entities within critical infrastructure sectors will already have many of these technologies and measures in place, to some degree. The question will be in the level of detail or prescriptiveness that member states go to when transposing this article into their national legislation.

The directive emphasizes that the implementation of these measures should take into account the state-of-the-art, relevant European and international standards, the cost of implementation, the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact. These considerations should be used to determine appropriate or proportional measures.

Article 23 of the directive covers reporting obligations and requires that in the case of any incident that has a significant impact on the provision of their services, essential and important entities notify their CSIRT or competent authority. An early warning should be submitted within 24 hours of the organizations becoming aware of a significant incident, and a more comprehensive incident notification should be submitted within 72 hours.

Further reporting obligations are detailed within the directive and it will be necessary for all organizations covered by NIS2 to familiarize themselves with these obligations once they have been transposed into their national law.

Conclusion

It is early days still for NIS2 and much will depend on the work done over the next 21 months. Nevertheless, the cyberthreats driving this directive will not wait and the benefits from improved cybersecurity measures will outweigh the risks.

Regardless of the final wording of the local versions of the directive, organizations can benefit from getting up to speed with NIS2 and engaging with the existing cybersecurity authorities within their countries to develop their strategies.

The first was the Digital Operational Resilience Act (DORA), which covers the finance sector and companies that provide ICT services and infrastructure to financial sector entities. The second was the long-awaited update of the Security of Network and Information Systems (NIS) directive, known as NIS 2.

The broad aim of NIS 2 is to engender a high common level of cybersecurity in the EU, across all Member States, in the long term.

This is the first in a two-part IDC blog series that will focus on the implications of NIS 2.

The Clock is Ticking

The full text of the NIS 2 directive was published in the official journal of the European Union on December 27, 2022, and enters into force 20 days after that (January 16, 2023). Thereafter, Member States will have 21 months to transpose the directive into their national law (by October 17, 2024). What happens between now and then?

Building the Frame(work)

The next 21 months will be critical for the success of NIS 2 as regional and national bodies get to work on transposing the articles of the directive into their national legislation. Who will be responsible for this part of the process?

The prime mover in this respect will be the NIS Cooperation Group, which was established in 2017 to support the first NIS directive. The Cooperation Group comprises representatives of all the EU Member States, the European Commission and the EU Agency for Cybersecurity (ENISA).

The group will provide guidance to the national authorities of the Member States on transposing and implementing the directive. It will also provide guidance, advice and cooperation on numerous related areas including cybersecurity policy initiatives, capacity building, training and awareness, exchange of information and best practices, and vulnerability disclosure. It will also be responsible for defining standards and technical specifications, as well as maintaining a central register of essential and important entities in each country.

A second key group will be a network of computer security incident response teams (CSIRTs) across all the Member States. At least one CSIRT in each country will be designated as a competent authority for various roles including international cooperation and coordination, threat monitoring and analysis, and the provision of incident response and assistance to essential entities.

The third key entity is the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe). Its task is to support coordinated management of large-scale cybersecurity incidents and crises at an operational level. It will also ensure regular exchange of information among Member States and relevant entities within the union. EU-CyCLONe’s role will really crank up once the directive is in place.

Key responsibilities will include:

Developing shared situational awareness for large-scale cybersecurity incidents
Assessing the impact of large-scale cybersecurity incidents and proposing potential mitigation measures
Coordinating the management of large-scale cybersecurity incidents and supporting decision making at the political level

Between them, these organisations, along with the Member States themselves, will be tasked with ensuring that when NIS 2 comes into force at the national level, it is appropriately transposed into national law and the countries are able to put in place the necessary structures and resources.

Kicking the Tyres

One criticism of the first NIS directive was that it lacked teeth. The EC is striving to establish NIS 2 more firmly throughout the bloc and one measure through which it seeks to do this is peer reviews. These are aimed at assessing at a national level the conformity, progress and readiness of the directive. For example, peer reviews will assess:

The level of implementation of cybersecurity risk management measures and reporting obligations
The level of capabilities, including available financial, technical and human resources
The operational capabilities of the country’s CSIRTs
The level of implementation of cybersecurity information-sharing arrangements

Peer reviews are to be carried out by designated cybersecurity experts from at least two Member States, at a maximum of once every two years. The experts conducting the reviews are expected to provide reports including recommended improvement on any of the reviewed aspects. Those reports will be submitted to the Cooperation Group and the CSIRTs network where relevant.

Conclusion

These entities and processes should ensure that at a regional and national level the EU and its Member States can develop a higher level of cybersecurity and resilience by adhering to the NIS 2 directive.

The second instalment of this blog series will look at which organisations NIS 2 will apply to and what will be required of them

11 of 49

Dell Cybersecurity and Resiliency Services

Dell’s Resiliency & Security Services help organizations to prepare for NIS2

Chapter II, Coordinated cybersecurity regulatory frameworks

Article 5, National cybersecurity strategy, NIS 2 Directive
Article 6, Coordinated vulnerability disclosure and a European vulnerability registry, NIS 2 Directive
Article 7, National cybersecurity crisis management frameworks, NIS 2 Directive
Article 8, National competent authorities and single points of contact, NIS 2 Directive
Article 9, Computer security incident response teams (CSIRTs), NIS 2 Directive
Article 10, Requirements and tasks of CSIRTs, NIS 2 Directive
Article 11, Cooperation at national level, NIS 2 Directive

Chapter III, Cooperation

Article 12, Cooperation Group, NIS 2 Directive
Article 13, CSIRTs network, NIS 2 Directive
Article 14, The European cyber crises liaison organization network (EU - CyCLONe), NIS2 Directive
Article 15, Report on the state of cybersecurity in the Union, NIS 2 Directive
Article 16, Peer-reviews, NIS 2 Directive

Chapter IV, Cybersecurity risk management and reporting obligations.

Section I, Cybersecurity risk management and reporting.
Article 17, Governance, NIS 2 Directive
Article 18, Cybersecurity risk management measures, NIS 2 Directive
Article 19, EU coordinated risk assessments of critical supply chains, NIS 2 Directive
Article 20, Reporting obligations, NIS 2 Directive
Article 21, Use of European cybersecurity certification schemes, NIS 2 Directive
Article 22, Standardization, NIS 2 Directive
Article 23, Databases of domain names and registration data, NIS 2 Directive

Cybersecurity

Assessment

Penetration Testing

and Breach Attack Simulation (MDR)

Resiliency Program Management, Business Impact Assessment, Crisis & Incident Response

Application

Dependency & Business Assessments/Zero Trust

Vulnerability Assessment (MDR)

Cybersecurity�Advisory

Managed Detection�& Response (MDR)

Dell Education�Services

Dell Data Protection Solutions, Ransomware, Cyber Recovery

Zero Trust Advisory

Maturity / Capability Assessments

11

Internal Use - Confidential

12 of 49

NIS2

Strengthening the role of the CISO/CIO

12

Internal Use - Confidential

13 of 49

How to start?

13

Internal Use - Confidential

14 of 49

10 Key cybersecurity measures mandated by the NIS2 directive

Risk Analysis and information security policies ex. ISO27001

Incident handling (prevention, detection, and response to incidents)

Business continuity and crisis management

Supply chain security

Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

Policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures

Basic cyber hygiene practices and cybersecurity training

Policies and procedures regarding the use of cryptography and, where appropriate, encryption

Human resources security, access control policies and asset management

The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

1

2

3

4

5

6

7

8

9

10

14

Internal Use - Confidential

15 of 49

Response and Recovery

15

Internal Use - Confidential

16 of 49

Response and recovery

Have a comprehensive ICT business continuity policy in place
Conduct a business impact analysis (BIA) of exposures to severe business disruptions as part of the overall business continuity policy.
Test the ICT business continuity plans and the ICT response and recovery plans at least yearly,
Have a crisis management function, which in the event of activation of the ICT business continuity policy, shall coordinate the implementation of the ICT business continuity plans and the ICT response and recovery plans.
Regularly review the ICT business continuity policy and ICT response and recovery plans, taking into account the results of tests and recommendations stemming from audit checks or supervisory reviews

16

Internal Use - Confidential

17 of 49

Resiliency Services Offers

Analyze Program Maturity

Define Business Requirements

Evaluate Alternatives

Service Catalog Definition

Design & Implementation PP4 & PP5

PP1

Program Management & Integration

Resiliency Program Management (RPM)

Advisory PP2 & PP3

Design Deployment Solution (App/Infra)

Conduct Implementation Planning

Optimize PP6

Develop/Update Program Definition

Incremental Improvement

Metrics & Reporting

Resiliency Strategy

Resiliency Service Catalog

Application Dependency Mapping

Business Impact Analysis

IT Continuity Advisory

Resiliency Health Check

Resiliency Detailed Design

Resiliency Continuity Implementation

Test & Implement

Demonstrate Capability

Resiliency Program Refresh

Resiliency Implementation Tech (SDRF, RP, SRM…)

Resiliency Site

Resiliency Process Updates

Resiliency Runbooks/DR Orchestration

Cloud Suitability

Cloud Migration

IT Continuity Exercise

17

Internal Use - Confidential

18 of 49

RPM – Resiliency Program Management �(IT BC/DR & DR for Ransomware attacks)

Assess program/service levels
Validate business requirements
Evaluate availability and recovery alternatives
Design infrastructure
Conduct implementation planning
Test and Implement services
Develop recovery plans
Conduct testing

Assess program/ service levels
Validate business requirements
Evaluate availability and recovery alternatives
Design infrastructure
High-level guidance on implementation planning

Assess program/service levels
Validate business requirements
Evaluate availability and recovery alternatives
Design infrastructure
Conduct implementation planning
Test and Implement services
Develop recovery plans
Conduct recovery testing
Develop program definition
Manage resources, improvements and measurements

Helps with maturity assessment and building on an ICT/IT BC/DR program and capability. �Aligns to ISO22301, which in turn aligns with NIS2/DORA regulations and sustain

IMPROVE (6mths)

Validate readiness and establish recoverability requirements

ENHANCE (12mths)

Foundational infrastructure recoverability

TRANSFORM (18mths)

Alternate site recoverability

18

Internal Use - Confidential

19 of 49

Crisis and incident management

In order to support the coordinated management of large-scale cybersecurity incidents and crises at operational levels and to ensure the regular exchange of information among Member States and Union institutions, bodies and agencies, the European Cyber Crises Liaison Organization Network (EU - CyCLONe) is hereby established.
EU-CyCLONe shall be composed of the representatives of Member States’ crisis management authorities designated in accordance with Article 7, the Commission and ENISA. ENISA shall provide the secretariat of the network and support the secure exchange of information.

19

Internal Use - Confidential

20 of 49

Dell Crisis and Incident Response Services

	IRRS – Incident Recovery Retainer Services	IRR- Incident Response & Recovery
	Proactive Offer	Reactive Offer
What ?	Phase 1: 40hrs (one week) assessment of the client's existing disaster recovery plans: Review of the organization, business functions, network, infrastructure and sites to prepare the response in case of a cyber security incident Review of the disaster recovery plan, if available Review of data backup and recovery capabilities Review of cybersecurity insurance coverage Review of disaster recovery plan Planning summary report Carried out remotely (on-site possible but additional costs), with delivery of the summary and recommendations at the end of the week. Phase 2: Provision of 120 or 240 hours of IRR in case of an attack (to be used within the year). If the hours are not used during the year, the client can transform them into workshops (type assessment, disaster recovery planning, tabletop exercises...) targeted around cybersecurity.	Customized, tailored offering through which our certified experts, with strong experience, can help our customers to face cyber attacks. We can perform threat identification, eradication, data recovery, data sanitization and infrastructure rebuilding, remotely or onsite. Contact IRR Team on the address: incident.recovery@dell.com or by phone. In less than 2 hours the customer is contacted for a scoping call. A SOW (statement of work), a tailor-made service offer, with an estimate of the profiles and the number of hours of work required, is sent to the client as soon as possible. As soon as the client signs the SOW, we put in place the teams to accompany him urgently (within 6hrs max in remote or TBD if in face-to- face).
How ?	Standard offer, Flat rate, depending on the package chosen (120 or 240 hours of RRI).	Custom offer, subject to a SOW, Offer under the Technical Assistance format: only the hours consumed will be invoiced.

20

Internal Use - Confidential

21 of 49

At a Glance, What is Dell Doing?

Incident Response

Forensics

Help Desk Rapid Standup

Forensics

Firewall/ Network�

AD/Email/Office Restoration

Virtual CISO

Networking

Deployment/ Imaging

Monitoring and

Threat Hunting

Digital Forensics

Encryption Recovery

Data Discovery

Forensic Preservation

Drive Sanitization

and Recovery

21

Internal Use - Confidential

22 of 49

22

Internal Use - Confidential

Digital Forensics

Investigations & Response

22

Internal Use - Confidential

23 of 49

Backup policies and procedures, restoration and recovery procedures and methods�

Develop and document backup policies and procedures
Set up backup systems that can be activated in accordance with the backup policies and procedures
When restoring backup data using own systems, use ICT systems that are physically and logically segregated from the source ICT system and securely protected from any unauthorized access or ICT corruption.
Determine recovery time and recovery point objectives for each function, taking into account whether it is a critical or important function and the potential overall impact on market efficiency
Perform necessary checks, including any multiple checks and reconciliations, in order to ensure that the highest level of data integrity is maintained when recovering from an ICT-related incident.
Perform checks when reconstructing data from external stakeholders to ensure that all data is consistent between systems

23

Internal Use - Confidential

24 of 49

Data Protection Services | OA – RapidRom

Positioning Data Protection Strategic Advisory Services

Descriptions	4 weeks MVP	6-8 Weeks MVP Plus	12 weeks MVP Advanced
Finalize data protection design based on capacity (size and performance) Multi site 1 Primary and 2 backup replication sites (sites includes each cloud site)	⬤	⬤	⬤
Conduct DPS Strategic, Architecture / Technical Data & Operations Workshops, Manual Questionnaire and workshops Live Optics Scope dependent on offer level	⬤	⬤	⬤
C – Cloud or OP – On-Premise or Both	⬤	⬤	⬤
Most Common Backup technologies or Least Common	⬤	⬤	⬤
A - Quadrant SWOT & Scorecard, Roadmap, (SWOT Strengths, Weakness, Opportunities & Threats) B - CMM, Capability Maturity Model analysis (1 interview metric, 5-10 interviews , group workshop) Use Dell Data Protection Advisor in the analysis of the current customer DPS environment	⬤	⬤	⬤
Backup Surfaces also including Cloud (AWS, Azure, GCS)		⬤	⬤
Data Protection Operational model, SLAs, Training, ITSMS/ITIL alignment, Service catalogues / definitions Analysis of Data Protection Processes, Operational procedures, Staffing / Training Programs			⬤

24

Internal Use - Confidential

25 of 49

Ransomware Recovery Solution (Dell CRS - Cyber Recovery Solution)

25

Internal Use - Confidential

26 of 49

Defining Cyber Recovery

Multiple reports following real world events have indicated that technology alone is simply not enough.

The perception is that this is enough…

Dell Technologies Cyber Recovery Capabilities:

End-to-end Services

Incident Response Plan

Secure Supply Chain

Recovery Focused

Cleanroom technology

No external access

Isolation

Intelligence

Immutability

Isolation

Intelligence

Immutability

26

Internal Use - Confidential

27 of 49

Three Lines of Defense Model

Risk Management

Line of Defence I

Line of Defence II

Line of Defence III

Test procedures and run recovery scenarios
Identify gaps in policies and exposures
Risk reporting and compliance
Provide assurance on goals and art of the possible
Constantly review

Define assets, polices and manage
Develop and implement polices and procedures
Align with business security posture and goals
Implement internal controls
Constantly review

Independently assurance of the effectives of the first two lines of defence
Report to the board
Make recommendations for improvement

Dell software

Fully automated

Single solution

Security Operation Centre

Cyber Recovery Vault

Production Backup System

Internal Audit

Operational Management

27

Internal Use - Confidential

28 of 49

PowerProtect Cyber Recovery

Automate data vaulting and recovery path

Cyber Recovery Vault

Automated operational air gap

Data center

Vault will contain only a subset of

production backup data

Production

Backup

data domain

Data to be cyber protected

1

Sync

Use case driven recovery considerations

2

Copy

5

Recover

3

Lock

4

Analyze

4

Monitoring & Reporting

Minimum Viable Company

Clean Room

Landing Zone

28

Internal Use - Confidential

29 of 49

Finding Indicators of Compromise in Your Backup

28

Internal Use - Confidential

Analytics

More than 40 statistics generated from each observation. Statistics include analysis of file entropy, similarity, corruption, mass deletion/creations, and much more.

Repeat

The process repeats and a new observation is created by scanning network or backup data. New observations are compared to previous observations to see how data changes.

Scan

CyberSense scans critical data sources, including unstructured files and databases to create an observation. Data can be located on network file systems, or in backup images.

Analysis

Machine learning algorithms are used to analyze the statistics to indicate if an attack on the data has occurred.

Investigate

Forensic reporting and analysis tools are available after an attack to find corrupted files and diagnose the type of ransomware.

29

Internal Use - Confidential

30 of 49

CyberSense Optimizes Restore Time

Cyber Recovery Maturity

Time To Recovery

How to optimize MTTR?

Basic Data Protection

Production Immutability

Basic Isolation

Cyber Vault & Analytics

Restart

Room

Time

30

Internal Use - Confidential

31 of 49

Macro architecture: 1- Getting Data into the Vault

Backup

Software

Backup Software

Inner Vault Isolated / Immutable Automated Enhanced Analytics

Backup Storage

Vital Data Copies

Compute

VMs

Vault Services

Production Backup Storage

Primary Backup

Data Domain

Vital apps Storage

Block / File / Others

Vital Data

Isolation

Disconnected from the production network
All management activities start from the vault
Automated connect and disconnect Air Gap managed from the vault
Switches, FWs and vault servers can be of any type, to better differentiate the architecture/technology from production and secondary backup facilities

DR Storage

Block / File / Others

Storage & Backup replication for DR

DR Backup Storage

Automation / low touch management

Policy based
Automated replication pulled and triggered from the vault
Automated Immutable retention lock WORM
Automated reporting
Scalable automation

InfoSec

Encryption at rest and in transit
Data and files integrity checksum certification
Policy based data retention, expiration and cleanup
Network isolation enhancement with in-vault key network services deployment

Reporting & Auditability

Automated reporting and auditability

Scalability

Scale out architecture
Up to 5 Data Domain per CR Automation engine
Multiple Automation engine

Vault Management

DT Remote Access

Platform Management

Security Management

Compute VMs

Non-vital Data

31

Internal Use - Confidential

32 of 49

Macro architecture: 2 - Advanced Analytics

Backup

Software

Backup Software

Automation / low touch management

Policy based
Enhanced analytics automation
Scalable automation

Enhanced Analytics

In depth content analysis / AI/ML engine
Known threats identifications
Abnormalities identifications in data / files
Golden Copy identification

Reporting & Auditability

Enhanced alerting and auditability

Scalability

Scale out architecture
Multiple Analytics engines

Vault Management

DT Remote Access

Platform Management

Security Management

Compute VMs

Inner Vault Isolated / Immutable Automated Enhanced Analytics

Backup Storage

Vital Data Copies

Compute

VMs

Vault Services

Analytics

Production Backup Storage

Primary Backup

Data Domain

Vital apps Storage

Block / File / Others

Vital Data

DR Storage

Block / File / Others

Storage & Backup replication for DR

DR Backup Storage

Non-vital Data

32

Internal Use - Confidential

33 of 49

Macro architecture: 3.1 – Restore Data from Vault

Production Backup Storage

Primary Backup

Data Domain

Vital apps Storage

Block / File / Others

Backup

Software

Vital Data

DR Storage

Block / File / Others

Storage & Backup replication for DR

DR Backup Storage

Vault Management

DT Remote Access

Platform Management

Security Management

Compute VMs

Non-vital Data

Data

Landing

Zone

FC

iSCSI

IP

Storage

Block / File / Others

Inner Vault Isolated / Immutable Automated Enhanced Analytics

Backup Storage

Vital Data Copies

Compute

VMs

Vault Services

Analytics

Backup / Restore

Data restore

Storage is only accessible by the Backup/Restore server
IP and FC SAN
IP network for Filers and Object
Make Critical Rebuild Material available

Backup Software

33

Internal Use - Confidential

34 of 49

Macro architecture: 3.2 – Get Copies from Production

Backup

Software

Backup Software

Production Backup Storage

Primary Backup

Data Domain

Vital Data

DR Storage

Block / File / Others

Storage & Backup replication for DR

DR Backup Storage

Vault Management

DT Remote Access

Platform Management

Security Management

Compute VMs

Non-vital Data

Data

Landing

Zone

FC

iSCSI

IP

Storage

Block / File / Others

Inner Vault Isolated / Immutable Automated Enhanced Analytics

Backup Storage

Vital Data Copies

Compute

VMs

Vault Services

Analytics

Backup / Restore

WORM Replication

Block / File / Others

Data Copies from Production

Make RPO sensitive Critical Rebuild Material available
Data are copied from production

storage

Versions are isolated, WORMed and available for analysis

FC

iSCSI

IP

Vital apps Storage

Block / File / Others

34

Internal Use - Confidential

35 of 49

Macro architecture: 4 – Data Cleaning

Backup

Software

Backup Software

Production Backup Storage

Primary Backup

Data Domain

Vital Data

Storage & Backup replication for DR

Vault Management

DT Remote Access

Platform Management

Security Management

Compute VMs

Non-vital Data

Data

Landing

Zone

FC

iSCSI

IP

Storage

Block / File / Others

Inner Vault Isolated / Immutable Automated Enhanced Analytics

Backup Storage

Vital Data Copies

Compute

VMs

Vault Services

Analytics

Backup / Restore

WORM Replication

Block / File / Others

Clean Room

Security Tests and extended Forensics / Test and validate before recovery

Test and

Cleaning Tools

Compute

VMs

Compute

BareMetal

FC

iSCSI

IP

CR Testing

Test overall capabilities of the Vault over time
Validate data state / compromission

Data Cleaning

Servers can access data for manual validation
Security tooling is available in the clean room

Arbitrate which version of data to use

Ready to use Vault Gold Copies
WORM copies from Production are available

DR Storage

Block / File / Others

DR Backup Storage

FC

iSCSI

IP

Vital apps Storage

Block / File / Others

35

Internal Use - Confidential

36 of 49

Macro architecture: 5 – Service Restart in MVB

Backup

Software

Backup Software

Production Backup Storage

Primary Backup

Data Domain

Vital Data

Storage & Backup replication for DR

Vault Management

DT Remote Access

Platform Management

Security Management

Compute VMs

Non-vital Data

Data

Landing

Zone

FC

iSCSI

IP

Storage

Block / File / Others

Inner Vault Isolated / Immutable Automated Enhanced Analytics

Backup Storage

Vital Data Copies

Compute

VMs

Vault Services

Analytics

Backup / Restore

WORM Replication

Block / File / Others

Clean Room

Security Tests and extended Forensics / Test and validate before recovery

Test and

Cleaning Tools

Compute

VMs

Compute

BareMetal

FC

iSCSI

IP

DR Storage

Block / File / Others

DR Backup Storage

Restart Room Minimum Vital DC Isolated / Rebuilt

Near-ready for production

Network services AD / DNS / NTP / KMS / others
Vital Apps Rebuilt environments
Compute VMs
Compute BareMetal

Rebuild

Vital apps Storage

Block / File / Others

Restart Minimum Vital Applications

Ready to start infrastructure is available
Material to rebuild runtime

environment is available in the Data

Landing Zone

Needed network services are rebuilt
Application are rebuilt
Validated version of data is accessible
Restart room network is opened to clients and keeps isolated from nominal production

FC

iSCSI

IP

36

Internal Use - Confidential

37 of 49

Resiliency and Program Management (RPM)

IT BC DR

Ransomware / Cyber Recovery

Data Protection (Backup & Recovery)

Mature programs incorporate secure technologies with people and processes to increase conventional resilience & cyber resilience

Identify

Respond

Recover

Protect

Detect

Governance

37

Internal Use - Confidential

38 of 49

Important business processes inform critical data

To recover important business processes, a business needs to protect the applications and materials that support each process.

Below details how data will influence the availability and recovery of a process.

Business services and processes run on applications.

To maintain key services and processes, businesses need to protect critical application data.

Important applications are built on key infrastructure materials like Active Directories or DNS. To recover applications and make them available, Critical Materials need to be protected in the vault alongside critical applications.

Critical Materials

Active Directories: AD authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software.

Domain Name System or DNS: is a distributed directory that resolves human-readable hostnames, such as www.dyn.com, into machine-readable IP addresses like 50.16.

Important Business Services (IBS)

Defines Minimum Viable Company (MVC)

Business Critical Applications and Data

ERP or enterprise resource planning system: process management software that manages and integrates a company’s financials, supply chain, operations, reporting, manufacturing, and human resource activities.

CRM of Customer Relationship Management or CRM System: System that manages company relationships

38

Internal Use - Confidential

39 of 49

What to Protect in a Cyber Vault

Best practice guidance to select your most important data and applications to protect

Authentication, Identity & Security

Active Directory / LDAP
DNS dumps
Certificates
Event logs (including SIEM data)

Networking

Switch / router configuration
Firewall / load-balancer settings
IP Services design
Access Control configuration
Firmware / microcode / patches

Storage

Backup hardware configuration
SAN / array configurations
Storage abstraction settings
Firmware / microcode / patches

Host and Build Tools

Physical/Virtual platform builds
Dev Ops tools & automation scripts
Firmware / microcode / patches
Vendor software

Intellectual Property

Source code
Proprietary algorithms
Developer libraries

Supporting infrastructure

Documentation

CMDB / asset D/R and Cyber Recovery
Run-books & checklists
Management extracts
HR resources & contacts lists

Applications

39

Internal Use - Confidential

40 of 49

Strategy and Design

Advisory Services deliver proven methodologies, collaborative approaches and�industry best practices to help you accelerate security initiatives and become more resilient

Create a roadmap to drive program maturity and support your organization cross-functionally

Speed solution design through optimizing architecture

Build consensus between key stakeholders

Identify data and applications to protect in the cyber recovery vault

Tie agile and incremental activities to the bigger picture

40

Internal Use - Confidential

41 of 49

Building a runbook tailored for business recovery

Cyber Recovery Solution Runbook

Table of Contents:

Cyber Recovery Vault Runbook overview ………………………………....4 Section 1: Plan Activation and Criteria ……………………………………..8 Section 2: Perform Forensics ……………………………………………....12 Section 3: Invoke Cyber Recovery Plan …………………………………..14 Section 4: Prepare for Recovery/ Restore Operations …………………..16 Section 5: Recovery Procedures……………………………………………17 Section 6: Backup Recovery………………………………………………...20 Section 7: Event Recording Log…………………………………………….24

CR Vault Recovery Runbook

CONFIDENTIAL

Restore

Restore data from known Point in Time

Repair

Restore data and apply known fixes

Rebuild

Assume nothing, rebuild new environment, restore transactional configs and data

Critical Rebuild

Materials

OS Images

Applications

Business

Processes

Gather recovery requirements

What How

Create tailored documentation

41

Internal Use - Confidential

42 of 49

Large Telecom in EMEA

Business needs

Customer wanted to put in place a first Disaster Recovery automation. More specifically, Customer was looking for a solution to automate multiple Business Continuity and Disaster Recovery (BCDR) planning capabilities and functions, to bring more efficiency and accuracy to the IT DR/BC program and at the same time, reduce human dependencies.

Expected business results

Customer wanted to put in place a a heterogenous capable Disaster Recovery orchestration / automation.
Improve Efficiencies.
Simplify the defined, measurable, validates IT BC/DR and Ransomware recovery
Provide and validate confidence to the regulator, central bank and internal stakeholder

NEXT Steps

Resiliency AIOPs to integrate into the reporting service and operations plane

Solutions at a glance

Heterogenous AUTOMATION, Cloud, DB’s, O/S, Security, Network, Containers, Hypervisors, Oracle, SAP, AWS, GCP, Azure, Oracle & IBM clouds
Cover DevSecOPS with monitor, secure,

alerting, reporting wrap

Use case Conventional DR & Ransomware cyber recovery
Full site and individual service failover and ransomware recovery
Regulatory aligned reporting
Realtime monitoring
Workflow Orchestration

Taking steps to Orchestrate & Automate recovery their core from Disaster & Cyber Ransomware events

Business Resiliency and Cyber Recovery | Industry: Telco | Country: EMEA / Global

42

Internal Use - Confidential

43 of 49

Ransomware Readiness Assessment

Gain broad visibility of readiness against an attack with a comprehensive assessment and recommendations

Assess your tools, technology and processes to identify, protect, detect, respond and recover from ransomware attacks

Receive a risk maturity profile and actionable insights on weaknesses in security controls

Gain technical recommendations to enhance your security posture and how to mature your readiness for a ransomware attack

Alignment to Security frameworks: NIST CSF, NISTIR 8374 Ransomware Profile, Mitre ATT&CK

MATURITY PROFILE CATEGORIZED BETWEEN BASIC, INTERMEDIATE AND ADVANCED CONTROLS

Assess Readiness

Actionable Insights

Enhance Maturity

Storage

Systems

Backup +

Restore

Remote

Access

Risk

Assessment

Monitoring

Response

Plan

43

Internal Use - Confidential

44 of 49

Conduct regular security tests and audits

44

Internal Use - Confidential

45 of 49

Conduct regular security tests and audits

Central securities depositories and central counterparties must perform vulnerability assessments before deploying or redeploying new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity.
Set up backup systems that can be activated in accordance with the backup policies and procedures

45

Internal Use - Confidential

46 of 49

Attack simulation services�

In today's dynamic environment, the boundaries of network security encompass cloud infrastructure, Bring Your Own Device (BYOD) policies, and remote work arrangements.

This expansive and diverse attack surface provides ample opportunities for rapidly evolving and persistent adversaries to exploit vulnerabilities.

Vulnerability

Assessment

Internal

External

Penetration testing

Internal pen-test
External pen-test
Wi-Fi Network pen-test
Phishing simulation
Ransomware simulation

Application Security Testing

Web Application security assessment
Web Service/ API Assessment
Mobile Application security Assessment

Goal Based Testing

Red Team

Purple Team

Continuous

Monitoring

Breach and Attack Simulation

OFFENSIVE SERVICE STACK

OSINT

Report

Recommendations

Remediation Support

Optimized Operations

Area

Service

Deliverables

Obtain actionable insights, enhance threat detection, and establish a well- defined kill chain strategy.

Recognize vulnerabilities and shortcomings, enabling proactive anticipation of potential threat actors.

Evaluate and strengthen your organization's security controls and procedures.

Augment incident response capabilities and streamline processes for increased efficiency.

Expected Outcome

46

Internal Use - Confidential

47 of 49

Conclusion

47

Internal Use - Confidential

48 of 49

Reference Architecture NIS2.0

Business Mission

Organizational Risk MGMT

Financial Risk

Vendor 3^rdparty risk

Legal

Business Input

ICT Risk Framework Development

Governance

Risk Mgmt

Data Privacy

Regulatory & Compliance			Strategy		Education & Awareness
	Security Leadership

Threat

Intel

Vulnerability

Management

Incident Response

Data Classification

Application Dependency

BC\DR

Asset Management

Cyber Resilience

Security Operations

Users

Devices

Network

Applications

Data

Automation Visibility

Edge

On Prem

Cloud

Tabletop

BAS

Pen Test

Advanced Threat Hunting Monitor

KPI & Monitoring

Architecture

Validation & Continuous Improvement

Security leadership

48

Internal Use - Confidential

49 of 49

End logo slide

49

Internal Use - Confidential