Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Synthetic recovery for cyber recovery: are restore controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10141
Topic starter  

TL;DR: Clean-point identification is automated and the most recent uncorrupted file versions are assembled across backup estates, aiming to speed restores, reduce rollback, and avoid reinfection by excluding encrypted or malicious files before recovery begins, according to Commvault. The real shift is from manual recovery judgment to validated, machine-assisted resilience.

NHIMG editorial — based on content published by Commvault: Synthetic Recovery and clean cyber recovery in the Commvault Cloud Unity platform

Questions worth separating out

Q: How should security teams validate that a restore point is actually clean?

A: Teams should require a restore process that tests for known bad indicators, compares candidate versions across backup sets, and records why the chosen point was accepted.

Q: Why does ransomware recovery need identity governance input?

A: Because recovery systems are privileged.

Q: What breaks when organisations restore backups without clean-point validation?

A: They risk bringing encrypted or malicious files back into production, which can restart the incident and force another round of containment and rollback.

Practitioner guidance

  • Define clean restore criteria before an incident occurs Document what qualifies as a clean-point candidate, which data sources are authoritative, and who can override the selection logic during an incident.
  • Map recovery tooling to privileged access paths Review which backup operators, service accounts, and automation roles can read, select, and restore data across estates.
  • Test reinfection resistance in restore exercises Run tabletop and technical recovery tests that include malicious files already present in backup sets, then verify that the restore process excludes them before production cutover.

What's in the full article

Commvault's full article covers the operational detail this post intentionally leaves for the source:

  • AI-enabled multi-engine threat detection components used to score candidate files before recovery.
  • The Cleanpoint identification and assembly workflow for building a curated restore point.
  • Examples of how Synthetic Recovery is positioned across cloud, storage, and backup environments.
  • FAQ detail on how the restore process reduces reinfection risk in practice.

👉 Read Commvault's article on Synthetic Recovery and clean cyber recovery →

Synthetic recovery for cyber recovery: are restore controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

Clean-recovery confidence is now a security control, not a backup convenience. When ransomware can sit dormant long enough to contaminate backup sets, the real control question is whether the organisation can identify a verifiable last-known-good state before restore. That is a resilience governance issue as much as a technical one, because recovery without validation simply replays the compromise. The implication is that recovery programmes must be measured by trustworthiness of the restored state, not by restore speed alone.

A few things that frame the scale:

A question worth separating out:

Q: What should teams do before automating cyber recovery workflows?

A: They should define approval boundaries, evidence requirements, and exception handling for restore actions before automation is enabled. Automation should accelerate a governed process, not replace one. If the workflow can select, assemble, and restore data, then the control question becomes who can trust that action and who can challenge it. Suggested anchor: approval boundaries.

👉 Read our full editorial: Synthetic recovery changes what clean ransomware restore means



   
ReplyQuote
Share: