Micro Focus is now part of OpenText. Learn more >

You are here

You are here

How to boost your enterprise's immunity with cyber resilience

Stan Wisseman Chief Security Strategist, CyberRes

The COVID-19 pandemic has turned the world on its head, affecting all aspects of life and work, including sudden and major changes to cyber security. Specifically, the attack surface, which already under normal circumstances shifts quickly and unexpectedly, has gotten a major extra jolt.

In response, security pros have scrambled to keep up and adjust, as attackers have pounced on the disruptions and security holes created by the work-from-home trend, by pandemic disinformation campaigns, and by the generalized uncertainty created by this crisis.As the dust has started to clear, one thing has become evident: It's no longer sufficient for organizations to have a good cybersecurity program. For businesses to survive and thrive in this new normal reality, you must build up cyber resilience

Once a "nice to have" capability, cyber resilience is now a must. Here are five tips for improving your organization's cyber resilience.

1. Think like the bad guys

You need to take an adversarial mindset. What do cyber criminals really want to compromise and steal from you? Identify the crown jewels of your organization. It never ceases to amaze me how many organizations simply don't stop to think about their most important missions and the associated IT assets and data that support them.

A textbook example of this was the 2015 cyber attack against the U.S. Office of Personnel Management (OPM). Chinese hackers exfiltrated personnel records and security-clearance files of 22 million federal employees, contractors, and their families and friends.

OPM failed to adequately protect these applications, which are at the heart of its mission. It also failed to detect the cyber attacks for a whopping 10 months. The result? Millions of folks like me had sensitive personal information exposed to China due to the OPM's lack of anticipation and foresight.

2. Prioritize your efforts

In addition to identifying your most critical business processes, you must assess where you can afford to spend your money—and how much. Once you've focused on protecting your most important functions, what can you let go if you're hit with an incident?

Prepare to lose something that you value. If you have 1,000 servers and you're in the midst of a ransomware attack, which ones can you afford to lose, and which ones must be saved?

As NIST says in its "Developing Cyber Resilient Systems" report, cyber resilient systems operate more like the human body than like a computer. "Cyber resilient systems, like the human body, cannot defend against all hazards at all times," the report reads. "While the body cannot always recover to the same state of health as before an injury or illness, it can adapt; similarly, cyber resilient systems can recover at least minimal essential functionality."

3. Think beyond breaking the cyber kill chain

Anticipate attacks, and remain vigilant and prepared. Your protective measures must be aligned to threats inherent to the environment and not be reactionary. That way you'll withstand the breach when it happens.

This means your core, essential technical and business architecture must be able to continue operating, even if it's in a limited capacity. Then you'll need the ability to recover and restore your environment to minimal viable functionality, and adapt your technical and business processes using what you have learned.

4. Boost your use of automated tools

As recommended by the "2020 State of Security Operations" report from the CyberEdge Group, one way to achieve greater cyber reliance is by automating time-consuming and repetitive manual processes. In addition to using tools for security configuration management (SCM), security information and event management (SIEM), and network traffic analysis (NTA), you should consider adopting other types of tools, such as:

  • Security orchestration, automation, and response (SOAR)

  • Threat hunting

  • Vulnerability management and assessment

  • User and entity behavior analytics

As the report states: "Tools are a force multiplier."

5. Transfer SecOps functions to cloud services and MSSPs

This is another excellent recommendation from the CyberEdge report. One benefit of migrating from on-premises data centers to the cloud is that security teams can more easily access SecOps functions from anywhere, including their homes when forced to telecommute by a crisis such as the current pandemic.

Meanwhile, MSSPs help augment organizations' SecOps staff, and thus their ability to respond to incidents in a timely manner. The CyberEdge report lists several security functions that are commonly outsourced to MSSPs, including:

  • Monitoring and managing SIEM technologies

  • Managing vulnerabilities

  • Analyzing and reporting events collected from IT logs

  • Monitoring and managing web app firewalls

Cybersecurity and cyber resilience: It's an evolution

Cyber security and cyber resilience are often used interchangeably. While they are related concepts, they're far from being synonyms, and it's crucial for everyone to understand the difference.

Security is like wearing a mask or using other forms of personal protective equipment to reduce your risk of being infected with a virus. Resiliency is, after having been infected, fighting through the illness and giving your body a chance to return to good health.

This means that cyber security is the protection and restoration of IT assets—hardware and software, in the cloud and on premises—and the data they contain, to ensure their availability and integrity.

Resiliency, on the other hand, focuses on the ability of the business to withstand and recover from these breaches. The scope extends beyond IT and information to business operations and processes.

The U.S. National Institute of Standards and Technology (NIST) defines cyber resilience as "the ability of an information system to continue to operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and to recover to an effective operational posture in a time frame consistent with mission needs."

In practical terms, a cyber-resilient organization assumes that at some point it will be successfully attacked and breached by criminals unleashing malware, phishing attacks, or advanced persistent threats. Despite having top-notch security tools and processes, they know that bad actors with plenty of time and resources will eventually find a way to break in.

And when that happens, the organization must have taken steps to weather the attack, avoid a complete collapse of its operations, and recover as quickly as possible.

As MITRE states in its Cyber Resiliency FAQ, cyber security and cyber resilience are complementary. "Most cyber resiliency measures assume, leverage, or enhance a variety of cybersecurity measures. Cybersecurity and cyber resiliency measures are most effective when applied together in a balanced way," MITRE says.

This isn't a recommendation to jettison cyber security—far from it. But you must evolve toward cyber resiliency to survive in this "new normal" threat landscape.

As the 2018 Public-Private Analytic Exchange Program report from the U.S. Department of Homeland Security explains it:

  • Adapting involves a management approach change or a proactive adjustment of response strategies, based on lessons from previous disruptions, events, and threats.

  • Evolution also includes predicting, anticipating, and planning for potential threats, and identifying and monitoring the critical functions of the systems at risk.

  • Withstanding is about maintaining business operations during an attack without experiencing performance degradation or loss of functionalities.

  • Recovering involves rebounding from an attack and restoring full business operations, performance, and functionalities.

All this means you need to assume breaches will happen and, to quote NIST, "anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises."

Keep learning

Read more articles about: SecurityInformation Security