Today's reality is that if the enterprise uses networked computers, they will get hit at some point. Not having and practicing a recovery plan could be the doom of any organization.

John Bruce, CEO and co-founder at IBM Resilient, said, "Resiliency is the ability of an organization to maintain its core purpose and integrity in the face of cyber incidents."

Cyber resiliency is a critical element of overall organizational resiliency, which includes the many things that organizations grapple with in the real world. Bruce said that in the digital world, the enterprise should also have disaster-recovery plans.

"The whole notion of resiliency is a new phenomenon. It's tough to do in the cyber world," Bruce said.

The challenge is that resiliency is so much about the people, processes, and technologies. When the disaster is one in the digital world, people often want to rely on technology as a fix.

It's not that easy. While it might have been cyber that created the disaster, the recovery and the ability to return to productivity will need to focus on the people and processes as well.

"The overwhelming number of organizations do not feel they have a high degree of resiliency. We've seen that in many cases it's taken a long time to respond to these things," Bruce said.

Resiliency takes a long time to plan, but most organizations "either don't have a plan, or they don't use it in the way they should, but they need to sit down and really grapple with this stuff before they need to."

"Recovery isn't particularly sexy," said Alex McGeorge, senior penetration tester at Immunity. "It's that thing that they have to prepare for and practice and do, but it only really comes to save the day in their darkest hour."

Whether it's through ransomware or some other attack, if they are an accounting firm and one-fourth of their CPAs get affected, that's huge.
"Larger enterprises have personnel redundancy, so the impact isn't as significant, but the impact could even be a benign outage where everybody's desktop is fried," said McGeorge.

People want to believe they can recover from a backup, but if they aren't practicing, the likelihood of recovery is minimized.

"You pay a vendor for a backup solution, but the actual process of trying to restore their accounting department from a backup today rarely happens," McGeorge said.

Security practitioners need to plan and prepare for disasters so that they know what their total time to return to productivity is if all of the machines end up under water.

"They have faith in the promises from vendors, but putting it into practice and going through the process from start to finish once a quarter gives peace of mind," McGeorge said.

From a pen tester's perspective, McGeorge said, "When I think of resiliency in companies, the ones that have impressed me the most have invested in virtualization."

With virtualized desktops, all PCs are created equal. "Nobody worked from the host operating," said McGeorge.

"They were virtualized desktops in the company cloud, so if I am able to detect Sam and Sally from sales have been compromised, I can nuke them, kick them off the VM, and create a new version and put them back on it so that everything is back."

The incident-response team can then look at what they can pull off of the compromised image and give back to the users. The downtime is maybe an hour, which is ideal for any organization. The problem, though, is that it's very expensive to implement.

"They have to make a huge investment in virtualization.
Another problem is that if Sam and Sally are compromised, and we are saving all of their stuff onto the servers, the attacker has access to all the things they did before I detected they were compromised," said McGeorge.

There is no perfect solution, but the goal is to make recovery as painless as possible.

"This is where monitoring comes into play," said McGeorge. "They can tell when one user is making multiple modifications, changing a lot of documents all of a sudden."

Versioning also lets the incident-response team identify when a user has been compromised, and it can minimize the impact of many people having access to one document.

"If Sam gets infected with ransomware, the document management will let me go back to the version before it was compromised," McGeorge said, "but this is very expensive and logistically complex."

The CSO or CISO has the authority to discriminate across the organization and determine which documents are critical and should be added to the document management system. "Only those documents that are mission critical should go into the document library," McGeorge said.

Whether they use virtualization, monitoring, or versioning, "they need to practice their backup and recovery strategy for different parts of the enterprise, from the sales team to the desktops and mail server, all the stuff that cannot fail," McGeorge said.

Ryan Manship, Red Team Security's security practice director, said that the ability to respond to and recover from an incident or an attack is great, "but we also need to think about identification, about detection and intrusion prevention. This is a big thing. It's a big deal and it matters."

Security from a corporate perspective is a very complex situation, and Manship said it also includes the realities of business.
"There are different types of businesses, business verticals, assets that need different protections as it pertains to the value of those assets."

They first need a level of security commensurate with the value of the assets and in line with the business risk appetite. "They should have options for protecting themselves against risks and adopt the procedures and controls to be in alignment with that understanding," Manship said.

The ability to be resilient after an attack begins with an organization knowing its vulnerabilities so that it can protect against them. "It starts with knowing what their attack surface consists of--the risks--to make prioritized risk-based decisions," Manship said.

Other key pieces of a resilient organization include robust monitoring that gives them the capacity to identify threats as early as possible within the cyber kill chain so that they can react accordingly.

"It's difficult to accurately and appropriately tune these solutions so that they aren't getting too much noise. Noise makes us desensitized. If the solutions aren't well tuned, they just produce noise," Manship said.

Red teaming is another holistic approach to understanding the attack surface, along with application or network pen testing, depending on the value of the assets.

Whichever approach they decide upon, they need to practice, just like anything else, said Manship. They should have processes and procedures that they test so that, in the event that a disaster takes place, they have already determined the people they need to notify.

One piece of advice that Manship offered: "Make sure they have the right people helping them who understand all of their risk holistically and are enabling them with the information they need to make those decisions."
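McGeorge's two recovery aids, monitoring for a user who suddenly rewrites many documents and a document store that keeps every version, can be combined into a small detector that also computes the clean version to roll each document back to. The code below is an added illustration, not code from the article or from any of the companies quoted; the audit trail, user names, file names and the 60-second/5-document threshold are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server audit trail: (timestamp, user, document, content written).
# The 15:00 burst models a ransomware process rewriting every document Sam can reach.
EVENTS = [
    ("2024-03-01T09:00:00", "sam",   "q1_ledger.xlsx", "ledger v1"),
    ("2024-03-01T09:05:00", "sally", "forecast.docx",  "forecast v1"),
    ("2024-03-01T10:00:00", "sam",   "q1_ledger.xlsx", "ledger v2"),
    ("2024-03-01T14:00:00", "sally", "forecast.docx",  "forecast v2"),
    ("2024-03-01T14:30:00", "sally", "clients.csv",    "clients v1"),
    ("2024-03-01T15:00:00", "sam",   "q1_ledger.xlsx", "ENCRYPTED"),
    ("2024-03-01T15:00:03", "sam",   "forecast.docx",  "ENCRYPTED"),
    ("2024-03-01T15:00:06", "sam",   "clients.csv",    "ENCRYPTED"),
    ("2024-03-01T15:00:09", "sam",   "payroll.xlsx",   "ENCRYPTED"),
    ("2024-03-01T15:00:12", "sam",   "invoices.pdf",   "ENCRYPTED"),
]

def build_versions(events):
    """Document-management store: every write is kept as a new (time, user, content) version."""
    versions = defaultdict(list)
    for ts, user, doc, content in events:
        versions[doc].append((datetime.fromisoformat(ts), user, content))
    return versions

def detect_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Flag any user who modifies >= threshold distinct documents inside one sliding window.
    Returns {user: time of the oldest write in that window}, i.e. where the burst began."""
    recent, bursts = defaultdict(deque), {}
    for ts, user, doc, _ in events:
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((now, doc))
        while now - q[0][0] > window:          # drop writes that fell out of the window
            q.popleft()
        if len({d for _, d in q}) >= threshold and user not in bursts:
            bursts[user] = q[0][0]
    return bursts

def rollback_version(versions, doc, burst_start):
    """Last version of doc written strictly before the burst began, or None if none exists."""
    clean = [content for t, _, content in versions[doc] if t < burst_start]
    return clean[-1] if clean else None

def recovery_plan(events):
    """For each flagged user, map every document touched during the burst to its clean version."""
    versions, plan = build_versions(events), {}
    for user, start in detect_bursts(events).items():
        touched = {doc for ts, u, doc, _ in events if u == user and datetime.fromisoformat(ts) >= start}
        plan[user] = {doc: rollback_version(versions, doc, start) for doc in sorted(touched)}
    return plan
```

A document with no pre-burst version (None in the plan) is one that only a practised backup restore can bring back, which is the gap McGeorge's quarterly restore drills are meant to close.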