
Cyber recovery vs DR with Lenovo’s Tim Brazier

Why clean restores need a vault/air‑gap scan before production—and how to separate DR from cyber recovery in practice.

Key takeaways

  • Disaster recovery gets systems back online; cyber recovery restores clean data by scanning backups in a vault/air‑gap before anything returns to production.

  • Immutable backups only work if retention is enforced and malicious admin actions are blocked, then proven with regular restore tests.

  • Reduce lateral movement by verifying user, device, and application at every access and segmenting aggressively across critical tiers.

  • Run quarterly tabletop reviews and timed restore drills, assuming normal comms are down, so decision paths and sequencing are proven.

  • Track the right KPIs: patch latency, restore success rate, malware‑scan pass rate in the vault, and time‑to‑recover for tier‑1 apps.
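As an added example that is not code from this page, from Fortuna Data or from Lenovo, the following Python models the two controls the takeaways rely on: the vault/air‑gap workflow (open only to ingest, lock, scan in isolation, go/no‑go, fall back to the last known‑good copy) and the immutability rules (retention cannot be bypassed, destructive actions and retention changes need distinct multi‑admin approval, every action is audited). The class and function names, the marker string standing in for a malware signature, and the three sample backup copies are all constructed for the example.

```python
# Added example, not code from the page or from Lenovo/Fortuna Data.
# Vault, BackupCopy, MALWARE_MARKER and the sample copies are constructed.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-in for a malware signature; a real vault runs full AV and integrity tooling.
MALWARE_MARKER = b"<<constructed-malware-marker>>"
DEMO_START = datetime(2025, 1, 1)  # constructed timeline for the sample copies


@dataclass
class BackupCopy:
    name: str
    payload: bytes
    created: datetime
    retain_until: datetime
    digest: str = field(init=False)

    def __post_init__(self) -> None:
        # Digest recorded at backup time; the vault scan compares against it later.
        self.digest = hashlib.sha256(self.payload).hexdigest()


class Vault:
    """Isolated store: opened only to ingest, locked otherwise, every action audited."""

    def __init__(self, required_approvers: int = 2) -> None:
        self.copies = {}
        self.locked = True
        self.required_approvers = required_approvers
        self.audit = []

    def ingest(self, copy: BackupCopy) -> None:
        self.locked = False            # connect only to ingest...
        self.copies[copy.name] = copy
        self.audit.append(("ingest", copy.name))
        self.locked = True             # ...then lock again

    def _approved(self, approvers) -> bool:
        # Distinct admins: one credential presented twice does not count as two approvals.
        return len(set(approvers)) >= self.required_approvers

    def delete(self, name: str, now: datetime, approvers=()) -> bool:
        """Refused before retention expiry, and refused without N distinct approvers."""
        copy = self.copies[name]
        if now < copy.retain_until:
            self.audit.append(("delete_denied_retention", name))
            return False
        if not self._approved(approvers):
            self.audit.append(("delete_denied_approvals", name))
            return False
        del self.copies[name]
        self.audit.append(("delete", name))
        return True

    def shorten_retention(self, name: str, new_until: datetime, approvers=()) -> bool:
        """Shortening retention is itself destructive, so the same multi-admin rule applies."""
        if not self._approved(approvers):
            self.audit.append(("retention_change_denied", name))
            return False
        self.copies[name].retain_until = new_until
        self.audit.append(("retention_change", name))
        return True

    def scan(self, name: str) -> dict:
        """Integrity and malware checks run inside the vault, never on the production network."""
        copy = self.copies[name]
        integrity_ok = hashlib.sha256(copy.payload).hexdigest() == copy.digest
        malware_free = MALWARE_MARKER not in copy.payload
        go = integrity_ok and malware_free
        self.audit.append(("scan", f"{name}:{'pass' if go else 'fail'}"))
        return {"integrity_ok": integrity_ok, "malware_free": malware_free, "go": go}


def select_clean_copy(vault: Vault) -> Optional[str]:
    """Newest copy first; fall back to the last known-good one; None means no restore to prod."""
    newest_first = sorted(vault.copies, key=lambda n: vault.copies[n].created, reverse=True)
    for name in newest_first:
        if vault.scan(name)["go"]:
            return name
    return None


def build_demo_vault() -> Vault:
    """Constructed sample: three daily copies, the newest taken after infection."""
    vault = Vault()
    samples = ((0, b"clean data set"), (1, b"clean data set, day 2"), (2, b"data " + MALWARE_MARKER))
    for day, payload in samples:
        created = DEMO_START + timedelta(days=day)
        vault.ingest(BackupCopy(f"daily-0{day + 1}", payload, created, created + timedelta(days=30)))
    return vault


def run_enforcement_checks() -> dict:
    """Exercise the immutability controls on the sample vault; every value should be True."""
    vault = build_demo_vault()
    early, late = DEMO_START + timedelta(days=1), DEMO_START + timedelta(days=40)
    return {
        "early_delete_blocked": not vault.delete("daily-01", early, ("alice", "bob")),
        "single_admin_blocked": not vault.delete("daily-01", late, ("alice",)),
        "same_admin_twice_blocked": not vault.delete("daily-01", late, ("alice", "alice")),
        "dual_admin_allowed": vault.delete("daily-01", late, ("alice", "bob")),
        "retention_shortening_blocked": not vault.shorten_retention("daily-02", DEMO_START, ("alice",)),
    }
```

Running `select_clean_copy(build_demo_vault())` returns `daily-02`: the newest copy fails the in‑vault scan and is never promoted, so the restore candidate is the last known‑good copy. The audit list is what the "audit every change" point in the conversation asks for; in a real deployment it would be shipped to a log store the vault admins cannot edit.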

All details and quotes below—transcript follows.

Highlights from the conversation

“Don’t move malware from backup to production—scan in a vault or air‑gap first so you only restore clean data.”
“Immutable means enforce retention and block risky admin actions, then prove it with regular restore tests.”
“Plan for reality: verify users, devices, and apps at every hop, and rehearse the Friday‑at‑5‑pm restore.”

Full transcript

Lightly edited for clarity. Timestamps approximate.

Vault/air‑gap scanning
[00:02:10] Host: Let’s start with the big misconception—people think disaster recovery is the same as cyber recovery.
Guest: They aren’t. DR brings systems back; cyber recovery brings back clean data. That’s why we copy backups into a vault or air‑gapped environment and scan there before any restore to production.
[00:04:05] Host: So the scan happens off the production network?
Guest: Exactly. The vault is isolated—connect only to ingest data, then lock it. Run integrity and malware scans in the vault. If it’s clean, promote it to a staging restore; if not, roll back to the last known‑good copy.
[00:06:22] Host: What’s the quick workflow?
Guest: Isolate → replicate to vault → lock → scan → stage → go/no‑go → restore to prod.

Immutable backups that hold up
[00:07:40] Host: “Immutable” gets thrown around—what actually matters?
Guest: Enforce retention so copies can’t be changed or deleted early. Require multi‑admin approvals for destructive actions. Then prove it with scheduled restore tests—immutability only counts if you can restore quickly under pressure.
[00:09:18] Host: Where do most teams fail?
Guest: Admin bypass and untested policies. If one credential can change retention, you’re exposed. Split duties and audit every change.
[00:11:02] Host: Test cadence?
Guest: Quarterly for tier‑1 apps at minimum, with documented timings and outcomes.

Zero Trust and lateral movement
[00:12:30] Host: How does Zero Trust reduce reinfection risk?
Guest: By verifying user, device, and application every time, and segmenting networks so a compromise can’t roam. Even during recovery, privileged actions require fresh verification and device health checks.
[00:14:05] Host: Practical first steps?
Guest: MFA for all admins, device compliance enforcement, application allow‑lists, and segmenting crown‑jewel systems. Tie elevated restore actions to step‑up verification.
[00:15:42] Host: Metrics to watch?
Guest: Authentication failures on privileged actions, policy drift, and segmentation exceptions—plus time‑to‑patch for exposed services.

Drills and comms under outage
[00:17:00] Host: Why do drills still go wrong?
Guest: Because plans assume email and phones work. In a real incident, you might have neither. Pre‑define out‑of‑band channels, decision rights, and a restore sequence that people have actually rehearsed.
[00:18:36] Host: Give us a 45‑minute drill.

Guest:

  • 0–10 min: Declare incident; switch to out‑of‑band comms; assign roles.

  • 10–20 min: Identify vault copy; unlock briefly; ingest; re‑lock.

  • 20–35 min: Run malware/integrity scans; validate admin identity/device; document results.

  • 35–45 min: Restore to staging; go/no‑go; record timings and gaps with owners.

[00:21:10] Host: What should be reported monthly?
Guest: Patch latency, vault malware‑scan pass rates, restore success rates, and time‑to‑recover for tier‑1 applications.

© 2025 Fortuna Data – All Rights Reserved – Trading since 1994