Pillar 1: Prevention #

Goal: Reduce the attack surface and make intrusions harder.

Core technologies:

  • Patch management: Automated updates for OS, middleware, software. Critical patches within days, not weeks.
  • Endpoint Detection and Response (EDR): Agent on all workstations and servers. Real-time threat detection, behavioral analytics.
  • Network segmentation (Zero Trust): No implicit trust based on network proximity. Every access is authenticated and authorized. Micro-segmentation isolates critical assets.
  • Multi-factor authentication (MFA): On all access points, especially for admin accounts and VPN.
  • Vulnerability management: Regular scans, prioritization by severity and exploitability, remediation tracking.

Maturity measurement: How long from publication of a CVE that affects you until you know about it and have patched it? Best practice: critical patches within 3 days.
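The prioritization rule in the vulnerability-management bullet (severity plus exploitability, plus exposure) and the 3-day SLA above can be turned into a small backlog calculator. The following is an added example, not code from the article or from any vendor; the scanner fields, the tier thresholds, the SLA windows other than the 3-day critical window, and the findings themselves are constructed assumptions, and the CVE identifiers are placeholders rather than real CVEs.

```python
"""Prioritise vulnerability findings and track the patch SLA clock.

Added example (not from the original article). Assumes a scanner export
reduced to the fields below. Tier thresholds and SLA windows are assumed
policy values; only the 3-day window for critical findings comes from the
article. CVE identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# SLA window per priority tier, in days (assumed policy values).
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}


@dataclass
class Finding:
    cve: str
    host: str
    cvss: float             # CVSS base score as reported by the scanner
    known_exploited: bool   # listed in a known-exploited (KEV-style) feed
    internet_facing: bool   # asset exposure from the inventory
    first_seen: datetime    # when the scanner first reported it
    patched: Optional[datetime] = None


def priority(f: Finding) -> str:
    """Severity alone is not enough: exploitability and exposure move a
    finding up a tier, so a CVSS 7.5 bug with a public exploit on an edge
    host is patched before a CVSS 8.8 bug on an isolated lab box."""
    score = f.cvss
    if f.known_exploited:
        score += 2.0
    if f.internet_facing:
        score += 1.0
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def sla_status(f: Finding, now: datetime) -> dict:
    """Tier, deadline and whether the SLA is met (open) or was met (patched)."""
    tier = priority(f)
    deadline = f.first_seen + timedelta(days=SLA_DAYS[tier])
    end = f.patched if f.patched is not None else now
    return {
        "cve": f.cve,
        "host": f.host,
        "tier": tier,
        "deadline": deadline,
        "within_sla": end <= deadline,
        "days_open": round((end - f.first_seen).total_seconds() / 86400, 1),
    }


def overdue(findings, now: datetime) -> list:
    """Findings that missed their window, worst tier first, oldest first:
    the backlog an engineer should work top-down."""
    rows = [sla_status(f, now) for f in findings]
    late = [r for r in rows if not r["within_sla"]]
    return sorted(late, key=lambda r: (r["tier"], -r["days_open"]))


# Constructed sample export (not real scan data, placeholder CVE ids).
UTC = timezone.utc
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=UTC)
SAMPLE = [
    Finding("CVE-EXAMPLE-1", "vpn-gw-01", 7.5, True, True,
            datetime(2024, 6, 1, tzinfo=UTC)),
    Finding("CVE-EXAMPLE-2", "lab-db-03", 8.8, False, False,
            datetime(2024, 6, 1, tzinfo=UTC)),
    Finding("CVE-EXAMPLE-3", "web-02", 9.1, True, True,
            datetime(2024, 6, 5, tzinfo=UTC),
            patched=datetime(2024, 6, 6, tzinfo=UTC)),
    Finding("CVE-EXAMPLE-4", "file-01", 5.3, False, False,
            datetime(2024, 5, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for row in overdue(SAMPLE, NOW):
        print(row)
```

With the constructed data, the exposed VPN gateway with a CVSS 7.5 finding lands in P1 and is six days overdue, while the higher-scored but isolated lab database sits in P2 and is still inside its window; that inversion is the point of weighting by exploitability and exposure rather than by score alone.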

Value: Prevention significantly reduces the probability of an attack, but not to zero.

Pillar 2: Detection #

Goal: Detect intrusions early to limit the extent of damage.

Core technologies:

  • SIEM (Security Information and Event Management): Centralized log collection and analysis. Correlation of events across multiple systems. Anomaly detection.
  • Network Detection and Response (NDR): Monitoring network traffic for suspicious patterns. Detection of command-and-control communication.
  • Threat intelligence: Internal (behavior-based) and external feeds (IOCs, CVE, threat reports).
  • Behavioral analytics: Baselining normal user and system activity. Detection of deviations.
  • Logging standard: All critical systems send logs: firewall, proxy, DNS, AD, endpoints. Retention of at least one year, ideally up to three.
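The two NDR and behavioral-analytics bullets above can be made concrete with one classic detection: command-and-control implants often "beacon" home at a fixed interval with near-identical request sizes, which stands out against the irregular timing and sizes of human browsing. The following is an added example, not code from the article or from any SIEM or NDR product; the proxy log format, the thresholds and the log lines are all constructed.

```python
"""Flag beacon-like periodic connections in proxy logs.

Added example, not from the original article. The log line format
"<ISO time> <src_ip> <dst_host> <bytes>" is a simplified constructed
format, and the thresholds are assumed starting points for tuning.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MIN_CONNECTIONS = 8    # fewer samples and the statistics are meaningless
MAX_GAP_CV = 0.15      # std/mean of the gaps between connections
MAX_SIZE_CV = 0.20     # std/mean of the transfer sizes


def parse(line: str):
    ts, src, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)


def beacon_candidates(lines) -> list:
    """Group connections per (src, dst), then score the regularity of the
    timing and of the sizes. Low coefficients of variation on both mean
    'machine-generated heartbeat', which is worth an analyst's look."""
    conns = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, nbytes = parse(line)
            conns[(src, dst)].append((ts, nbytes))
    hits = []
    for (src, dst), events in conns.items():
        if len(events) < MIN_CONNECTIONS:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        mean_gap, mean_size = statistics.mean(gaps), statistics.mean(sizes)
        if mean_gap == 0 or mean_size == 0:
            continue  # duplicate timestamps or empty bodies: not a beacon signal
        gap_cv = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / mean_size
        if gap_cv <= MAX_GAP_CV and size_cv <= MAX_SIZE_CV:
            hits.append({"src": src, "dst": dst, "connections": len(events),
                         "interval_s": round(mean_gap), "gap_cv": round(gap_cv, 3),
                         "size_cv": round(size_cv, 3)})
    return hits


# Constructed sample traffic: one host beaconing every ~300 s with ~315-byte
# requests, one host browsing a CDN with irregular timing and sizes.
_BASE = datetime(2024, 6, 10, 8, 0, 0)


def _line(offset_s: int, src: str, dst: str, nbytes: int) -> str:
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {src} {dst} {nbytes}"


_BEACON = zip([0, 302, 598, 901, 1199, 1503, 1797, 2102, 2399, 2700],
              [312, 318, 309, 315, 311, 320, 314, 310, 316, 313])
_BROWSE = zip([0, 15, 16, 140, 600, 601, 605, 2100, 2105],
              [51200, 2048, 180000, 4096, 73000, 900, 25000, 4100, 66000])
SAMPLE_LINES = (
    [_line(o, "10.1.2.15", "up.example-c2.test", n) for o, n in _BEACON]
    + [_line(o, "10.1.2.22", "cdn.example-static.test", n) for o, n in _BROWSE]
)

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_LINES):
        print(hit)
```

Two caveats a SOC would add before putting this into a SIEM rule: real C2 frameworks deliberately add jitter, so the gap threshold has to be loosened (or replaced by a periodicity test that tolerates it) at the cost of more false positives, and legitimate software updaters and monitoring agents beacon too, so an allow-list of known destinations is part of the rule, not an afterthought.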

Maturity measurement: How long between attack and detection? Best practice: one to two hours at most for significant activity.

Value: Reduces dwell time (how long an attacker works undetected). Every day of dwell time means more data exfiltration.

Pillar 3: Response #

Goal: Respond to detected attacks quickly and in a structured manner.

Core technologies and processes:

  • Incident Response Plan (IRP): Documented in writing, reviewed at least annually. Clear definition of "incident," escalation levels (SEV 1 to 4), roles.
  • Incident commander structure: Designated person who leads IR coordination. No discussions, a clear chain of command.
  • Roles and responsibilities: IT incident response team, security team, forensics, legal, communications, management escalation.
  • Communications plan: Who informs the CIO? When is the board notified? When must customers be informed? And the regulatory clock: NIS2 requires an early warning to the national CSIRT or competent authority within 24 hours, an incident notification within 72 hours, and a final report within one month. In Germany, the BSI is the competent authority; other EU member states have their own designated bodies.
  • Forensics capacity: Either internal or through a retained service provider. Ability to collect, preserve, and analyze evidence.
  • Isolation and containment: Procedures to quickly disconnect infected systems from the network without destroying evidence.

Maturity measurement: Can you detect and contain an incident within 1 hour? Can you produce the 24-hour early warning for the authority with substance, not guesswork?

Value: Reduces the extent of damage during an active attack. The difference between fast response and slow response can mean millions of euros.

Pillar 4: Recovery #

Goal: Restore systems from a known-good state.

Core technologies and processes:

  • Multi-tier backup architecture:
    • Tier 1 (Online): High-frequency daily backups for fast RTO.
    • Tier 2 (Air gap): Isolated backups that production credentials cannot reach, for example on a Silent Brick System with physical (SB Pro) or galvanic (SB Max Air) separation. This layer is resilience-critical.
    • Tier 3 (Archive): Long-term retention on hardware storage (Silent Cubes), immutable at the hardware level.
    • Tier 4 (Geo-redundancy): External or geographically distributed copies.
  • Isolated Recovery Environment (IRE): Network-isolated infrastructure for testing and performing recovery. No connection to production AD, no internet access during initial recovery.
  • Recovery runbooks: System-by-system restoration guide. Dependency diagram (which system first?). Estimated RTO per system. Verified instructions.
  • RTO/RPO definition: RTO (how long can the outage last?) and RPO (how much data loss is acceptable?). These must be derived from a Business Impact Analysis.
  • Recovery tests: Perform and verify recovery regularly (at least quarterly). Do not only test backups, test complete recovery. For financial entities, DORA (Regulation (EU) 2022/2554) makes resilience testing a legal obligation.
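The runbook bullet asks "which system first?" and the RTO bullet asks how long the outage may last; the two questions are linked, because the achievable RTO of a system is its own restore time plus that of everything it depends on. The following is an added example, not code from the article: it derives a restore order from a dependency map, computes the earliest possible finish time per system, and compares it with BIA-derived targets. The systems, restore times, dependencies and targets are constructed values.

```python
"""Restore order and achievable RTO from a runbook dependency map.

Added example, not from the original article. The systems, per-system
restore times, dependencies and RTO targets below are constructed.
"""
from collections import defaultdict

# system -> (estimated restore time in hours, systems that must be up first)
RUNBOOK = {
    "ad":      (2.0, []),
    "dns":     (0.5, []),
    "storage": (3.0, []),
    "erp-db":  (4.0, ["storage", "ad"]),
    "erp-app": (1.5, ["erp-db", "ad", "dns"]),
    "mail":    (2.0, ["ad", "dns", "storage"]),
    "webshop": (1.0, ["erp-app", "dns"]),
}

# RTO targets in hours, as a Business Impact Analysis would set them (assumed).
TARGETS = {"webshop": 8.0, "mail": 8.0, "erp-app": 12.0}


def restore_order(runbook: dict) -> list:
    """Topological order (Kahn's algorithm). Ties are broken alphabetically so
    the runbook is reproducible; a cycle is a runbook error and is reported."""
    indeg = {s: len(deps) for s, (_, deps) in runbook.items()}
    dependents = defaultdict(list)
    for s, (_, deps) in runbook.items():
        for d in deps:
            if d not in runbook:
                raise KeyError(f"{s} depends on {d}, which has no runbook entry")
            dependents[d].append(s)
    ready = sorted(s for s, n in indeg.items() if n == 0)
    order = []
    while ready:
        s = ready.pop(0)
        order.append(s)
        for t in dependents[s]:
            indeg[t] -= 1
            if indeg[t] == 0:
                ready.append(t)
                ready.sort()
    if len(order) != len(runbook):
        stuck = sorted(s for s, n in indeg.items() if n > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def earliest_finish(runbook: dict) -> dict:
    """Hours until each system is back, assuming enough teams to restore
    independent systems in parallel: own time plus the slowest prerequisite."""
    finish = {}
    for s in restore_order(runbook):
        hours, deps = runbook[s]
        finish[s] = hours + max((finish[d] for d in deps), default=0.0)
    return finish


def rto_report(runbook: dict, targets: dict) -> dict:
    """Best case (parallel), worst case (one team, strictly serial) and the
    systems whose target is missed even in the best case."""
    finish = earliest_finish(runbook)
    return {
        "restore_order": restore_order(runbook),
        "parallel_rto_h": max(finish.values()),
        "serial_rto_h": sum(h for h, _ in runbook.values()),
        "breaches": {s: (finish[s], t) for s, t in targets.items() if finish[s] > t},
    }


if __name__ == "__main__":
    report = rto_report(RUNBOOK, TARGETS)
    print("restore order:", " -> ".join(report["restore_order"]))
    print("best case RTO: %.1f h, serial RTO: %.1f h" %
          (report["parallel_rto_h"], report["serial_rto_h"]))
    for system, (achievable, target) in report["breaches"].items():
        print(f"{system}: achievable {achievable} h exceeds target {target} h")
```

With the constructed map, the webshop cannot be back in under 9.5 hours even with unlimited parallel restore teams, because it sits behind the ERP chain (storage and AD, then the ERP database, then the ERP application); if the BIA says 8 hours, that gap is found on paper here rather than during the incident, and the fix is architectural (a shorter chain, or a faster restore path for the database tier) rather than more effort on the day.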

Maturity measurement: Can you restore all critical systems within your RTO targets from backups? Have you tested this in the last 3 months?

Value: Recovery is the last line of defense. When pillars 1 to 3 fail, recovery is your insurance against existential risk.

Pillar 5: Adaptation #

Goal: Continuous learning and improvement.

Core technologies and processes:

  • Post-Incident Review (PIR): After every incident (or regularly, if you are fortunate enough not to have one): What happened? Why did it happen? How could we have detected it faster? How do we improve?
  • Lessons learned sessions: Regular meetings with IT, security, management, legal. Sharing of findings.
  • Tabletop exercises: Play through simulated scenarios ("What would happen if…?") without affecting real systems.
  • Red teaming and penetration testing: External security professionals attempt to breach your systems. Finds gaps that internal tests miss.
  • Architecture improvements: Rebuild systems based on findings. For example, if ransomware reached a system it should not have, improve segmentation.
  • Training and awareness: Employee security training. Quarterly phishing simulations. Training on new threats.

Maturity measurement: Do you have documented improvements based on incidents or tests? How many findings from penetration tests are remediated within 3 months?

Value: Closes the feedback loop. Without adaptation, you repeat the same mistakes.

Integrating All 5 Pillars #

A robust resilience strategy orchestrates all five pillars. An illustrative sequence:

  1. Prevention reduces the probability of a successful intrusion substantially.
  2. If an attack succeeds anyway, Detection identifies it within hours instead of weeks.
  3. Response isolates infected systems, notifies the board, and files the 24-hour early warning.
  4. Recovery restores critical systems within hours from the isolated air gap tier.
  5. Adaptation identifies the compromised admin account and improves credential management.

The result: an attack that would otherwise have caused an existential, weeks-long outage becomes a contained incident with forensics costs, some IT overtime, a brief outage, and lasting improvements.

Frequently Asked Questions #

Can we skip a pillar? Theoretically yes, but with significant risks. A missing recovery capability (Pillar 4) is a fatal vulnerability against ransomware. Missing detection (Pillar 2) means long dwell times and massive data exfiltration. For entities in scope of NIS2, skipping pillars also means non-compliance.

Which pillar is most important? Pillar 4 (Recovery) is the baseline. You MUST know that you can recover. Then, in this order: 2 (Detection), 1 (Prevention), 3 (Response), 5 (Adaptation).

How much does this cost? This depends heavily on size and complexity. Treat any flat number with suspicion. The relevant comparison: a complete five-pillar program for a mid-sized organization costs a fraction of a single uncontrolled ransomware incident, for which industry reports put average recovery costs (excluding ransom) in the seven-figure range.


Further Resources #

IT Resilience Guide (/en/blog/it-resilienz-leitfaden/) → Incident Response Plan Template (/en/blog/incident-response-plan-vorlage/) → Multi-Tier Backup Architecture (/en/blog/mehrstufige-backup-architektur/)

Disclaimer

This article was written by our editorial team and edited using AI. It provides a general overview and does not constitute legal advice – we recommend seeking professional advice for your specific situation.