Cyberattacks have changed shape. Many are quiet, fast and intent on disrupting your business before you notice anything is wrong. Protection alone is not enough. The real question is how quickly you can detect, isolate and recover to clean data so that operations continue with minimal impact. That is the core of cyber resilience today. Insights in this article are drawn from an expert fireside discussion with storage specialists Alex Durkin, from IBM, and James Poole, from Trustmarque and Ultima.
Attackers often target backups first, then corrupt data across primary and secondary sites. When that happens, traditional DR plans struggle because they were built for physical outages rather than silent, data-level attacks. You need rapid identification of abnormal behaviour, recovery points that cannot be tampered with, and a tested path to bring clean data back online.
Sixty seconds is not a promise for every incident. It is a target made possible when several capabilities work together. Four pillars stand out:
Detect fast using machine learning that monitors every I/O and flags abnormal patterns in under a minute.
Isolate clean data with immutable, separated copies that cannot be altered.
Recover quickly by automating rollback to known good data.
Test often with a repeatable runbook.
Identify the moment of compromise
Machine learning that continuously profiles normal data behaviour helps you spot silent encryption and destructive changes early.
Create recovery points you can trust
Immutable, isolated snapshots are designed to resist tampering. They provide a clean baseline to restore from when standard backups are suspect.
Design for performance and consistency
Recovery is only useful if the platform can bring services back at speed. Flash‑based, low‑latency storage keeps critical workloads responsive during failover and recovery, including virtualised and hybrid environments.
Meet rising expectations from regulators and boards
Resilience programmes are aligning with global frameworks such as NIST and EU DORA, as highlighted in IBM’s guidance and echoed in our session.
Cybersecurity focuses on preventing and detecting attacks. Cyber resilience adds the ability to continue operating and recover quickly when incidents occur. It brings together detection, isolation, recovery and regular testing, which were emphasised in the expert discussion and supported by IBM content on cyber‑resilient storage.
AI and machine learning continuously analyse storage I O to spot unusual patterns such as encryption spikes, permission anomalies or data entropy changes. IBM describes sub‑minute anomaly detection that can trigger protective actions and guide recovery to clean copies.
Immutable snapshots are designed so they cannot be modified or deleted once created. They are logically separated from production, giving you a trustworthy recovery point even if attackers have reached your backups. This is central to IBM’s cyber resilience approach.
Under the right conditions, you can start serving clean data very quickly. Sub‑minute detection plus isolated, ready‑to‑restore copies and a tested runbook make minute‑level recovery possible for targeted datasets. Your actual time depends on scope, data size and automation maturity, a nuance called out in the session.
No. Immutable copies and rapid rollback complement your backup and DR strategy. Think defence in depth. Backups remain vital for long‑term retention and compliance. Immutable snapshots focus on fast, clean operational recovery.
Aim to reduce both. Frequent immutable copies shrink RPO. Automated rollback on high‑performance storage reduces RTO. The goal is to cut the window of business disruption to minutes rather than hours.
Map your controls to recognised frameworks such as NIST and DORA and document test evidence that shows how quickly you detect, isolate and recover. IBM’s materials explicitly reference alignment with NIST and DORA.
Begin with an assessment to find blind spots, define your minimum viable business data, and prioritise automation. Then introduce immutable copies, improve detection, and rehearse your recovery steps. These practical steps were underlined by Alex Durkin and James Poole in the recorded session.