Most of us awestruck by the exponential speed at which the Coronavirus, Covid-19 spread throughout the world. This has affected our personal life as well as the way business work, most of the organization turned to Work From Home (WFH) for their employees. This resulted in migrating business applications or workloads to the cloud and speeding up other digitization projects. These initiatives were expected to happen in the next five years were accelerated to executed in just a few months. This also provided opportunities for malicious intention actors or adversaries to take advantage of the uncertainty. We have seen the cyber-attacks have grown at lightning speed in the recent past.
Cybersecurity professionals, who are already overburdened, are finding it very challenging to protect organizations from cyber-attacks when unmanaged devices are getting used for accessing organization assets. These devices are connecting from the environment where the security team does not have visibility and control.
Pandemic has taught us, the organization’s IT infrastructure which enables businesses to work efficiently is not static, as a cybersecurity professional, we need to adapt to the dynamic business environment and changes faster than we were used to.
The current environment has confirmed the fact that cybersecurity defense is not about either your environment is secure or not secure. It is not only difficult but nearly impossible to anticipate all potential attack vectors and scenarios, it is reasonable to assume that hackers will eventually gain access to enterprise data or disrupt the operations, that is why organizations should work on strategies to withstand these cyberattacks and if not possible recover faster with minimum impact on the business.
It is time to build resiliency into security controls and infrastructure. Cyber resiliency is a measure of how well an enterprise can manage a cyberattack or data breach while continuing to operate its business effectively. This needs to be achieved by taking cybersecurity to the next phase.
“Threat is a mirror of security gaps. Cyber-threat is mainly a reflection of our weaknesses. An accurate vision of digital and behavioral gaps is crucial for a consistent cyber-resilience.”
What is Cyber Resilience?
The definition of Cyber Resilience as per the NIST CSRC, publication SP 800-37 Rev 2 is, “The ability of an information system to continue to operate while under attack, even if in a degraded or debilitated state, and to rapidly recover operational capabilities for essential functions after a successful attack.”
Cyber resilience is an organization’s ability to prepare, respond, and recover from cyberattacks. It is the capability to defend itself against cyberattacks, limit the impact of the security incident, and guarantee the continuity of operation during and after the cyberattack.
The cybersecurity program’s main objective is to protect the organization’s IT systems and data from cyber-attacks. The ultimate goal of cyber resilience is to keep your business up and running in an environment where advanced, persistent threats are continuously maturing and evolving.
The Advance Persistence Threats (APTs) can simulate and take advantage of other of adversity. APTs can establish, maintain persistent, covert presence. The objective cyber resilience is enhancing cybersecurity to anticipate, withstand, recover from, and adapt to the cyberattacks, and maximizes continuity of business operations despite the presence of an adversary.
“The five most efficient cyber defenders are Anticipation, Education, Detection, Reaction, and Resilience. Do remember: “Cybersecurity is much more than an IT topic.” ― Stephane NappoStephane Nappo – Vice President Global Chief Information Security Officer 2018 Global CISO of the year
Cyber Resilience Requirements
Cybersecurity and Cyber resilience are somewhat similar, while implementing cyber resilience we need have made fundamental changes in mindset, following are the questions we need to ask :
- Does this program have senior management approval and a defined, long-term budget to address cyber resilience requirements at every level?
- Is your organization have an enterprise risk management program in place? Is this program is aligned with IT Management and Disaster Recovery management?
- Are all the assets in scope are identified and classified? Have we done the business impact analysis of downtime?
- Are you conducting risk assessments and Disaster Recovery drills on regular basis?
- Are your disaster recovery and backup plan being fail-safe?
- The cybersecurity requirements to protect and restore organizations’ services and data (e.g., security measures intended to preserve the confidentiality, integrity, and availability of information) are in place. These will provide the foundation for techniques and implementation approaches specific to cyber resiliency.
To take cybersecurity to the Cyber resiliency level the organization may need to implement additional technical and process controls to deter, deceive, or divert the adversary, or delete/erase adversary modifications and/or insertions. Trading off these new controls with conventional tools and technologies may be an additional financial burden but it will help to minimize the risk and achieve the cyber resiliency goal.
Cyber Resilience Framework
The following diagram depicts the Cyber resilience framework, which is based on Mitre Cyber Resiliency Framework
Cyber resilience is all about keeping the business operations running at an optimal level despite the cyberattack. To achieve this the cybersecurity team should be able to anticipate the attack before it materializes. If this cannot be achieved than IT infrastructure should be able to withstand the attack and the optimal performance of the business-critical applications need to be maintained (e.g. DDoS attack with DDoS mitigation tools/ services and multiple connectivity service providers). If the attack takes down the business services than it should be possible to recover from the attack to start services at an optimal level as fast as possible. The lessons learned from the attack should be incorporated to enhance cybersecurity.
This can achieve by understanding the cyber threats, residual risks, and hosting environment of the business applications and preparing for preventing cyberattacks. It is not only difficult but impossible to stop the zero-day attacks. The resilience program should be able to deter the zero attack progression. To do this it may be required to transform the policy, technology, process architecture.
The hackers are utilizing the latest tools and technologies to make attacks stealthier, successful, and more destructive. They change and enhance the old attacks with new techniques hence it is difficult to predict the attacks, the above framework provides the techniques that can be used in such an unpredictable environment. These techniques are, minimizing the privileged access, limit it to session-based, by periodically refreshing services via non-persistence, and in doing effectively “flush” the adversary from the system even without detecting them.
Benefits of Cyber Resilience
The ever-increasing cyber-attacks and data breach cost has made us realize the traditional cybersecurity is not enough to protect the business. This is the reason in the past few years’ cyber resilience is getting more attention. Cyber resilience drives to enhance cybersecurity, anticipate, withstand, recover from, and adapt to cyberattacks. It also maximizes continuity despite the presence of an adversary in a system. When implemented properly cyber resilience offers the following benefits to the organization:
- Reduced Financial Loss – Cyber resilience program will keep the business-critical operations running in spite of cyberattacks. This will prevent an abrupt reduction in sales, or worse, loss of business and pay fines to regulators.
- Protecting Organisational Reputation – In the past few years we have seen when a cyberattack, data breach is announced, the share value of the organization goes down immediately. Cyber resilience prevents an organization from public scrutiny
- Enhanced Internal Process & Security Culture – To achieve cyber resilience, security, and other IT infrastructure management team has to work towards the same goal of keep business services and IT operations running optimally. This will help teams to work in co-operation with each other and fine-tune processes that will lead to cyber resilience.
- Enhancing Client and Supplier Trust – Once the data breach is announced the clients or the suppliers start looking for an alternative and they took money along with them. The Cyber resilience will reduce the impact, help to bounce back faster from the attack, and will help to improve the trust of clients and suppliers.
- Improving the IT Operations – To implement and manage Cyber resilience all teams including IT infrastructure management teams need to work together to work on improving backup, and BCP/DR processes as per the resiliency guidelines.
The cybersecurity triad, Confidentiality, Integrity, and Availability (C-I-A), the focus was always on C and I part of cybersecurity. With the inclusion of Cyber resilience, the Availability arm of the tried will get the required focus. This will ensure the availability of business-critical services.
If it is not possible to stop the cyberattacks, by including controls to deter, deceive, or divert the hackers, or purge adversary modifications or insertions, by implementing cyber resiliency as a part of cybersecurity strategy will help to reduce the impact of cyber-attacks and maintain the availability and optimal performance of business-critical applications. Cyber resiliency will take cybersecurity to the next level of business enablement.