Most aspects of life and work have been affected by the COVID-19 pandemic, perhaps none more so than cyber security. To be specific, the attack surface, which under normal circumstances shifts swiftly and unpredictably, has received a major shock.
In response, security professionals have scrambled to keep up and adapt, as attackers have pounced on the disruptions and security holes created by the work-from-home trend, by pandemic disinformation campaigns, and by the generalized uncertainty created by this crisis. As things have started to settle, one thing has become readily apparent: A good cybersecurity program is no longer sufficient for organizations. In this new normal reality, in order for businesses to survive and indeed thrive, they must build up cyber resilience.
Cybersecurity and cyber resilience: The progression
Cybersecurity and cyber resilience are often used interchangeably. While they are related concepts, they are far from being synonyms, and it's critical to understand the difference.
The US National Institute of Standards and Technology (NIST) defines cyber resilience as "the ability of an information system to continue to operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and to recover to an effective operational posture in a time frame consistent with mission needs."
In practical terms, a cyber-resilient organization assumes that at some point it will be successfully attacked and breached by criminals. Despite having top-notch security tools and processes, it knows that bad actors with plenty of time and resources will eventually find a way to break in.
And when that happens, the organization must have taken steps to weather the attack, avoid a complete collapse of its operations, and recover as quickly as possible. A great way to determine your cyber resilience is with a quick assessment that will shed light on possible security gaps.
Here are five points for increasing your organization's cyber resilience.
1. Know thy enemy
Take an adversarial mindset. What do cyber thieves really want to compromise and steal from you? Identify the most valuable assets of your organization. It is incredible how many organizations simply don't stop to think about their most important missions and the associated IT assets and data that support them.
A prime example of this was the 2015 cyber-attack against the US Office of Personnel Management (OPM). Chinese hackers exfiltrated personnel records and security-clearance files of 22 million federal employees, contractors, and their families and friends.
OPM did not adequately protect these applications, which are at the heart of its mission. It also failed to detect the cyberattacks for a whopping 10 months. The result? Millions of folks like me had sensitive personal information exposed to China due to the OPM's lack of anticipation and foresight.
2. Concentrate your efforts
Once you have identified your most critical business processes, assess how much of your budget you can afford to spend, and where you can spend it. After that assessment, decide what you can do without if you are hit with an incident.
Prepare to lose something that you value. As an example, if you have 1,000 servers and you're in the midst of a ransomware attack, which ones can you afford to lose, and which ones must be saved?
As NIST says in its "Developing Cyber Resilient Systems" report, cyber-resilient systems operate more like the human body than like a computer. "Cyber-resilient systems, like the human body, cannot defend against all hazards at all times," the report reads. "While the body cannot always recover to the same state of health as before an injury or illness, it can adapt; similarly, cyber-resilient systems can recover at least minimal essential functionality."
3. Stay ahead -- think beyond breaking the cyber kill chain
Expect attacks and remain vigilant and prepared. Your protective measures must be aligned with the threats inherent to your environment rather than purely reactive. That way you'll withstand the breach when it happens.
This means your core, essential technical and business architecture must be able to continue operating, even if it's in a limited capacity. Then you'll need the ability to recover and restore your environment to minimal viable functionality and adapt your technical and business processes using what you have learned.
4. Increase the use of automated tools
As recommended by the "2020 State of Security Operations" report from the CyberEdge Group, one way to achieve greater cyber resilience is by automating time-consuming and repetitive manual processes. In addition to using tools for security configuration management (SCM), security information and event management (SIEM), and network traffic analysis (NTA), you should consider adopting other types of tools, such as:
- Security orchestration, automation, and response (SOAR)
- Threat hunting
- Vulnerability management and assessment
- User and entity behavior analytics
5. Migrate SecOps functions to cloud services and MSSPs
This is another excellent recommendation from the CyberEdge report. One benefit of migrating from on-premises data centers to the cloud is that security teams can more easily access SecOps functions from anywhere, including their homes when forced to telecommute by a crisis such as the current pandemic.
The CyberEdge report lists several security functions that are commonly outsourced to MSSPs, including:
- Monitoring and managing SIEM technologies
- Managing vulnerabilities
- Analyzing and reporting events collected from IT logs
As MITRE states in its Cyber Resiliency FAQ, cyber security and cyber resilience are complementary. "Most cyber resiliency measures assume, leverage, or enhance a variety of cybersecurity measures. Cybersecurity and cyber resiliency measures are most effective when applied together in a balanced way," MITRE says.
This isn't a recommendation to jettison cyber security -- far from it. But you must evolve toward cyber resiliency to survive in this "new normal" threat landscape.
All this means you need to assume breaches will happen and, to quote NIST, "anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises."
Stan Wisseman is Chief Security Strategist and Business Development Director for Security Products at Micro Focus. In the information security field for over 30 years, he has applied security best practices to operating systems, networks, systems, software, and organizations. Prior to joining HP in 2014, Stan served as the Chief Information Security Officer for Fannie Mae. He has worked for NSA, Oracle, Cable & Wireless, Cigital, and Booz Allen Hamilton in various security roles.