The 5 Steps to Cyber Resilience
Apply this model, based on popular cybersecurity response and recovery frameworks, to measure and improve your resilience.
The Destructive Cyberattack Resilience Maturity Model is now available to help organizations develop their resilience to destructive cyberattacks such as ransomware and wiper attacks. The model sets clear benchmarks and a structured roadmap for organizations to achieve effective and efficient operations that are resilient to cyberattacks. The Cohesity model is aligned with the most common cybersecurity response and recovery frameworks, such as the SANS Institute 6 Step Incident Response Process, the RE&CT framework, MITRE D3FEND, and NIST SP 800-61 (Computer Security Incident Handling Guide), giving organizations a path to adopt industry-wide best practices. The maturity model allows organizations to assess their operational capability across the five stages required to achieve cyber resilience: Recoverable, Strengthened, Aware, Responsive, and Optimizing.
The levels of maturity in the model are depicted in the table below.
The Destructive Cyberattack Resilience Model provides a vendor-agnostic roadmap. This approach allows its users to align with best practice response and recovery frameworks while achieving a state of cyber resilience and developing appropriate governance, people, and processes. The roadmap ensures that technology is supporting and optimizing operational outcomes, not driving them.
The five levels of the Destructive Cyberattack Resilience Maturity Model.
Based on our years of experience, we’ve noticed common traits and behaviors at each level of maturity. Here are some of the ways to identify the maturity of your organization:
Recoverable
An organization at this level may have a mature level of disaster recovery and business continuity. It has conducted appropriate business impact assessments to identify critical services and the infrastructure that supports them, and has defined Recovery Point and Recovery Time Objectives (RPOs/RTOs). However, it lacks the protections on its data management platform needed to defend that data against an adversary. It will also typically treat a destructive cyber incident as a traditional disaster recovery and business continuity scenario, without considering the complicating factors of a cyberattack. At this level, a close working relationship between IT and Security Operations for dealing with cyber incidents is lacking.
Strengthened
At this level, the organization has recognized that it will be attacked by an adversary and has put protections in place to mitigate the impact of this inevitability. It has implemented security principles such as least privilege access, immutability (to prevent the malicious changing or deletion of backups), separation of duties (to prevent a rogue or compromised administrator from making damaging changes), and vaulting (to put the ability to recover beyond the reach of the adversary). Vaulting also helps the organization adhere to secure backup conventions like the 3-2-1 principle.
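As an added illustration (not Cohesity's code or part of the model), the following constructed snippet checks a hypothetical backup inventory against three of the Strengthened-level controls named above: the 3-2-1 principle, an immutable (retention-locked) copy, and a vaulted copy held outside the production administrator's reach. The inventory records, dates, and the 14-day minimum lock window are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class BackupCopy:
    """One copy of a protected dataset (constructed, hypothetical inventory record)."""
    name: str
    media: str                      # e.g. "disk", "object", "tape"
    site: str                       # data center or cloud region holding the copy
    immutable_until: Optional[date] # retention-lock expiry; None means the copy is mutable
    vaulted: bool                   # isolated from the production admin domain

def check_strengthened(copies, today, min_lock_days=14):
    """Return control -> bool for the 3-2-1 rule, immutability and vaulting."""
    sites = {c.site for c in copies}
    media = {c.media for c in copies}
    # A lock that expires before min_lock_days does not cover a realistic
    # dwell-time plus recovery window, so it is not counted as immutable.
    locked = [c for c in copies
              if c.immutable_until is not None
              and (c.immutable_until - today).days >= min_lock_days]
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": len(sites) >= 2,
        "immutable_copy": len(locked) >= 1,
        "vaulted_copy": any(c.vaulted for c in copies),
        # The copy that is both locked and vaulted is the one a compromised
        # production administrator cannot alter or delete.
        "immutable_and_vaulted": any(c.vaulted for c in locked),
    }

def gaps(result):
    """Names of the controls that failed, for a remediation list."""
    return sorted(k for k, ok in result.items() if not ok)

TODAY = date(2024, 6, 1)  # constructed assessment date
WEAK = [  # constructed: two mutable copies, same site, same media
    BackupCopy("prod-snap", "disk", "dc1", None, False),
    BackupCopy("nas-copy", "disk", "dc1", None, False),
]
STRENGTHENED = [  # constructed: three copies, two media, offsite locked vault
    BackupCopy("prod-snap", "disk", "dc1", None, False),
    BackupCopy("replica", "disk", "dc2", date(2024, 6, 10), False),
    BackupCopy("vault", "object", "cloud-eu", date(2024, 7, 15), True),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("strengthened", STRENGTHENED)):
        print(label, "gaps:", gaps(check_strengthened(inv, TODAY)))
```

Raising `min_lock_days` shows how a lock that expires too soon drops a copy out of the immutable set even though the 3-2-1 counts still pass.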
Aware
Organizations at this level have adopted a well-defined shared responsibility model between IT and Security Operations. They have the ability to hunt for threats and conduct digital forensics even when adversaries evade endpoint security systems. Further, the organization can continue threat hunting during containment, when hosts and networks are isolated. Threat feeds are used, but they are often stale and lack regular updates reflecting the latest confirmed threats from ransomware-as-a-service platforms and newly disclosed vulnerabilities. Organizations at this level also lack a defense-in-depth model for hunting the early stages of an attack, before systems are impacted.
Responsive
At this level, organizations take the incident investigation and threat remediation steps necessary before systems are recovered into production, to prevent reattack or reinfection by the same actor. Isolated investigation and remediation environments are in place to meet the requirements of containment. This level of maturity also introduces continual improvement and practice, so the processes, people, and technology required to respond to and securely recover from an incident are ready ahead of time. (You don’t want the first time your SOC analysts, incident responders, and senior executives experience a ransomware or wiper attack to be the one where your data is being held to ransom or every system in the business has been wiped. Tabletop exercises are useful, but they don’t test the end-to-end workflow, skills, and technology required in a real scenario.)
Organizations also conduct realistic attack scenarios that prepare all components required for cyber resilience. No two incidents are ever the same. By varying aspects of the drills, the organization is better able to optimize processes. The organization regularly looks for opportunities for automation, and to build muscle memory in staff.
Finally, organizations in this stage can rapidly reestablish trust in their networks and security tooling—and have other resources on hand within minutes to start their response activities. They have a reliable way to coordinate, communicate, and investigate the attack in a worst-case scenario. In other words, they’re prepared for scenarios where security controls are evaded, door access systems are down, and there is no CMDB, ticketing system, email, or voice-over-IP available to talk to law enforcement, cyber insurers, the press, regulators, or impacted data subjects.
Optimizing
This level represents the pinnacle of cyber resilience. The organization has taken proactive measures to discover and classify the data it uses, so that the data can not only be recovered but has also had appropriate risk management steps applied throughout its lifecycle. Workflows are optimized to align with regulations and the notification requirements for impacted data subjects, so fines are avoided and the organization can comply with DORA, NIS 2, HIPAA, the Prudential Regulation Authority, and the Securities and Exchange Commission as applicable. While the Responsive maturity level seeks opportunities for automation in workflows, Optimizing looks at the overall governance, orchestration, and management of the entire end-to-end incident response and recovery process. This maturity level gives senior executives, boards, and third-party stakeholders confidence that the organization is at the forefront of cyber resilience.
Preparing for and dealing with cyberattacks has made a model like this one critical. These attacks represent the greatest threat to the delivery of products and services by organizations today. Cohesity cybersecurity experts and practitioners—with decades of experience in cyber incident response and recovery—designed this model so organizations like yours can understand your current capabilities, benchmark your maturity against peers in your industry or geographical area, and have a roadmap for future improvements you can make and measure over time.
Written By
James Blake
Global Cyber Resiliency Strategist