
Restore of Exchange Online resources using Cyber Recovery tab (Recovery Intelligence)

Overview

The Recovery Intelligence (Cyber Recovery) feature provides an overview of the Cyber Resiliency capabilities available for Exchange Online resources, using insights surfaced in the Druva console. Understanding these capabilities helps you maintain a strong security posture and recover rapidly and safely from cyber threats such as ransomware. For more information, see How to use the Cyber Recovery feature.


❗Important:

  • To view and access the Cyber Recovery feature, you must have either an Accelerated Ransomware Recovery license or a Premium license.

  • To view and access the Cyber Recovery details for the Threat Hunting feature, the Premium license is mandatory.


Access Path

To access this feature for Exchange Online resources, navigate to the Cyber Recovery tab using the following procedure:

  1. Log in to the Druva Cloud Platform Console. On the Global Navigation Panel, click Microsoft 365 > Exchange Online. On the Users page, under Data Source, select Exchange Online.

  2. Click the required user name to view the user's details. To perform a Cyber Recovery restore, click the Backups tab, and then click the Cyber Recovery tab.

How to use the Cyber Recovery feature

You can do the following using the Cyber Recovery tab:

  • Cyber Recovery tab dashboard: Get a comprehensive view of your Exchange Online snapshots available for restore.

  • Run Threat Hunt: Manually scan backed-up data for indicators of compromise (IOCs). Once a scan is initiated, track its progress and results on the Threat Hunting dashboard. At least one snapshot must be indexed before you can use this option.

    You must have the Druva Cloud Admin role to access this feature.

  • Cyber Restore: Select a snapshot and perform a Cyber Restore. This feature allows for the restoration of Exchange Online data with an emphasis on security. It is distinct from standard operational recovery and is typically used when there is a suspicion of compromise.

  • Filters: Filter the available snapshots and view their Cyber Recovery details based on the following criteria:

    • Date Range: Specify the start and end date.

    • Indexed: The snapshot indexing state, which determines whether a snapshot is eligible for a Threat Hunt scan.

    • Scan Status: The Threat Hunt scan status of the snapshot.

Understanding the Cyber Recovery dashboard

The Cyber Recovery dashboard provides a comprehensive view of your backed-up Exchange Online snapshots, so that you can quickly ascertain:

  • Snapshots: The total number of available snapshots for restore.

  • Indexed: Threat Hunt scan eligibility. Specifies whether a backed-up snapshot meets the requirements to be scanned for threats. Threat Hunt scans can be run only on snapshots that have been indexed, and scan results are displayed only for indexed snapshots.

  • Size: The size of backed up data for a snapshot.

  • Scan Status: Details of the scan status for each snapshot. The status can be as follows:

    • Not Scanned: The snapshot was not scanned for malicious data.

    • No Matches Found: The snapshot does not contain files matching any IOC and is deemed safe for restore. Click the status to view the details; the match count is displayed as zero.

    • Matches Found: The snapshot contains files matching one or more IOCs. Click the status to view the file match details, download the scan report for further investigation, and take appropriate action. The Scan Status pop-up displays the date and time of the scan, the feature used for the scan (Scan Source, which is Threat Hunt), and the total number of file matches found by the scan job.

Click Download Report to download the Threat Hunt file-level and/or snapshot-level report for offline investigation and auditing.

Understanding Cyber Restore feature

Druva offers Cyber Restore, a specialized recovery option designed for cyber incident scenarios.

Cyber Restore restores Exchange Online resources with an emphasis on security. It is distinct from standard operational recovery and is typically used when there is a suspicion of compromise.

Use Cyber Restore in the Exchange Online restore workflow to recover a specific snapshot, preceded by a Threat Hunt scan. Use the scan results to determine whether the selected snapshot is clean and safe to restore.

Cyber Restore for Exchange Online resources:

  1. On the Cyber Recovery tab, select the Exchange Online snapshot and click Cyber Restore.

  2. On the Restore Data window, select the snapshot from which you want to restore and proceed with the restore. The Exchange Online Restore page displays Threat Scan details during the restore process to help you determine whether the snapshot is safe and suitable for recovery.

    Threat Scan details include the snapshot size and the scan status of the snapshot.

Trends tab

This section provides security insights over the last 30 days for indexed snapshots only:

  • Snapshots Data Trend (Last 30 days): This graph visualizes the data size of your snapshots over time. It highlights key metrics:

    • Unscanned Snapshots: Indicates backups that have not yet undergone a security scan.
      Action: Ensure regular and comprehensive scanning is configured for all critical backups.

    • Impacted Snapshots: Represents snapshots where suspicious activity (e.g., malware, ransomware indicators) has been detected. These are critical for immediate investigation.

    • Snapshots with no file matches: Indicates snapshots that contain no files matching any IOC and can be deemed safe for restore.

      💡 Tip: Click a vertical bar to navigate to the Exchange Online Restore page.


Actionable Insights for Security Administrators

Based on the console's insights, security administrators should take the following actions:

  • Configure and verify Scan Status: Ensure that all critical Exchange Online snapshots are being scanned for malware and ransomware indicators. A Not Scanned status (as seen on the Cyber Recovery tab under Backups) indicates a significant security gap. Implement and monitor your scanning policies. For more information, see Threat Hunting.

  • Leverage Threat Intelligence: Integrate and utilize Druva's curated Threat Intelligence (IOC Sets) and your custom IOC Sets to enhance detection capabilities during scans.

  • Develop Cyber Recovery Playbooks: Incorporate Druva's Cyber Recovery features (Cyber Restore) into your organization's incident response and disaster recovery playbooks.

Things to consider for Cyber Recovery

  • Run Threat Hunt: The same administrator cannot run two Threat Hunt jobs at the same time on the same resource from the Cyber Recovery tab.
