Cyber resiliency and the value it brings to a company and its customers will depend on how well the business incorporates its security program as a strategic partner.

Resiliency is the new magic word that businesses today are told they need to achieve. We constantly hear that companies are under attack and that new, evolving threats are out there waiting to strike. With that idea in mind, I began to wonder what resiliency looks like, how it would fit into my strategic security plan, and how it would change my budget. I also started to consider whether there is a way to measure high levels of resiliency, whether there is an acceptable baseline, and what level of resiliency equates to a measurable business value that justifies my expenditure of security department resources.

It's these questions that drove me to research the concept of cyber resiliency. The basic definition of resilience is the capacity to recover quickly from difficulties. In cybersecurity, however, the definition is focused on how an organization recovers from an incident, and it incorporates multiple domains such as cybersecurity, business continuity and organizational operations. The objective of cyber resiliency is for the company to be able to adapt and continue delivering services to its customers during an event, for example a data breach. Business operations should also include processes to restore standard business services after the incident occurs.

From a CISO's perspective, I believe this concept is critical to protecting an organization's strategic operations. While researching cyber resiliency, I discovered earlier work by MITRE from 2012 that showcased its Cyber Resiliency Engineering Framework. It described a set of techniques that, when incorporated together, help organizations meet specific objectives and enable resilient business operations.
Fast forward to 2018, when those same MITRE authors have matured that research into the public draft of NIST SP 800-160 Volume 2, "Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems." The NIST publication states that there are specific cyber resiliency techniques that provide a level of trustworthiness when properly incorporated into a business's security and risk management portfolio. I find that many of the techniques listed in the NIST draft can be traced back to fundamental cyber hygiene principles. The following are the resiliency techniques, with examples of hygiene controls and practices in parentheses, that businesses can implement to mature their security programs and improve their ability to provide services to customers during a cyber incident:

Adaptive response: Optimize the ability to respond in a timely and appropriate manner to adverse conditions. (Dynamic reconfiguration, resource allocation, adaptive management)
Analytic monitoring: Maximize the ability to detect potential adverse conditions and reveal the extent of adverse conditions. (CDM, IDS, threat monitoring, forensic and malware analysis)
Coordinated protection: Require an adversary to overcome multiple safeguards. (Defense in depth, network/host IDS, orchestration, red/blue team exercises)
Deception: Mislead or confuse the adversary, or hide critical assets from the adversary. (Obfuscation, encryption of data, honeypots, encrypted processing)
Diversity: Limit the loss of critical functions due to the failure of replicated common components. (Different operating systems, randomized IP space, alternate communication protocols)
Dynamic positioning: Impede an adversary's ability to locate, eliminate or corrupt mission or business assets. (Relocate sensors, change storage sites, distribute critical processes and assets)
Dynamic representation: Support situational awareness and reveal patterns or trends in adversary behavior. (Real-time map of resources, threat modeling, CTI for real-time awareness)
Non-persistence: Provide a means of curtailing an adversary's intrusion. (Time-based or inactivity-based session termination, periodically refreshing services from a known-good baseline, SDN)
Privilege restriction: Restrict privileges based on attributes of users and system elements. (Least privilege, RBAC, dynamic account provisioning)
Realignment: Reduce the attack surface of the defending organization. (Application whitelisting, IAM, minimizing non-security functionality, outsourcing non-essential services to an MSP/MSSP)
Redundancy: Reduce the consequences of loss of information or services. (Retain configurations, maintain and protect backups, alternate audit and security capabilities)
Segmentation: Limit the set of possible targets to which malware can easily be propagated. (Subnets, VLANs, partitions, sandboxes, enclaves, system/service/process isolation)
Substantiated integrity: Detect attempts by an adversary to deliver compromised data, software or hardware, as well as successful modification or fabrication. (Tamper seals, cryptographic hashes, supply chain risk management (SCRM), code signing, trusted paths, fault-injection testing)
Unpredictability: Increase an adversary's uncertainty regarding the system protections they may encounter. (Rotate roles, random authentication, randomize routine actions)

In reviewing these techniques, I imagined an equation that demonstrates their business value to an organization: Cyber Hygiene Controls + NIST Techniques = Objectives = Business value through resilient operations. In essence, for a business to meet the resiliency objectives listed below, it needs to follow some type of security framework, implement controls (techniques) to manage its risk exposure, and continually monitor for changes in risk over time. This process is the mandate of the CISO and of an organization's mature security program.
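To make one of these techniques concrete, here is an added example of substantiated integrity (cryptographic hashes plus a signed manifest) as a verifier would apply it to a software release. It is illustrative code written for this page, not code from the article, from MITRE or from NIST SP 800-160. It assumes a release manifest that lists a SHA-256 digest for each artifact, a manifest authentication key the verifier already trusts (an HMAC stands in for a real code-signing signature), and artifacts that are constructed in memory rather than read from disk. The point it shows that the text does not is the order of checks: the manifest must be authenticated before any digest in it is trusted, otherwise an adversary who modifies an artifact simply regenerates the manifest to match.

```python
"""Substantiated integrity check: verify release artifacts against a signed manifest.

Added example, not from the article. Assumptions (hypothetical, for illustration):
- the manifest maps artifact name -> SHA-256 hex digest;
- the manifest is authenticated with HMAC-SHA256 under a key the verifier trusts,
  standing in for a code-signing signature;
- artifacts, manifest and key are constructed in memory below.
"""
import hashlib
import hmac
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts):
    """Publisher side: record a digest for every artifact in the release."""
    return {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}


def canonical(manifest):
    # Deterministic serialization so signer and verifier authenticate the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """Publisher side: authenticate the manifest (HMAC stands in for a signature)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_release(artifacts, manifest, signature, key):
    """Verifier side. Returns a list of findings; an empty list means the release
    is consistent with the manifest and the manifest is authentic."""
    findings = []
    # 1. Authenticate the manifest before trusting anything listed in it.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        findings.append("manifest signature invalid")
        return findings  # an unauthenticated manifest proves nothing about the artifacts
    # 2. Every delivered artifact must be listed, and every listed artifact must be present.
    for name in sorted(set(artifacts) - set(manifest)):
        findings.append(f"{name}: not in manifest (unexpected artifact)")
    for name in sorted(set(manifest) - set(artifacts)):
        findings.append(f"{name}: listed in manifest but missing")
    # 3. Digests must match; compare in constant time.
    for name in sorted(set(artifacts) & set(manifest)):
        if not hmac.compare_digest(sha256_hex(artifacts[name]), manifest[name]):
            findings.append(f"{name}: digest mismatch (modified artifact)")
    return findings


# Constructed sample release (not real software).
SIGNING_KEY = b"example-key-not-for-production"
GOOD = {"app.bin": b"\x7fELF...good build", "config.yaml": b"debug: false\n"}
MANIFEST = build_manifest(GOOD)
SIGNATURE = sign_manifest(MANIFEST, SIGNING_KEY)


def demo():
    """Run the verifier over the clean release and three tampering scenarios."""
    results = {"clean": verify_release(GOOD, MANIFEST, SIGNATURE, SIGNING_KEY)}
    # Case A: one artifact is modified; the signed manifest is untouched.
    tampered = dict(GOOD, **{"config.yaml": b"debug: true\n"})
    results["modified_artifact"] = verify_release(tampered, MANIFEST, SIGNATURE, SIGNING_KEY)
    # Case B: the adversary regenerates the manifest to match the modified artifact
    # but has no signing key, so the original signature no longer verifies.
    forged_manifest = build_manifest(tampered)
    results["forged_manifest"] = verify_release(tampered, forged_manifest, SIGNATURE, SIGNING_KEY)
    # Case C: an extra file is dropped into the release alongside the genuine ones.
    extra = dict(GOOD, **{"helper.so": b"dropper"})
    results["extra_artifact"] = verify_release(extra, MANIFEST, SIGNATURE, SIGNING_KEY)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or ["ok"])
```

In a real deployment the HMAC key would be replaced by a public-key signature (the verifier holds only the public key), and the manifest would be fetched from a source separate from the artifacts, so that a compromised distribution channel cannot replace both together.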
These techniques and their associated objectives provide the CISO with context for the value and impact that proper security operations provide to the business. The objectives include:

Prevent or avoid: Apply basic cyber hygiene and risk-tailored controls, decrease the adversary's perceived benefits, and modify configurations based on threat intelligence.
Prepare: Create and maintain cyber incident scenarios and train your incident response teams on the proper responses and procedures.
Continue: Minimize degradation of service delivery.
Constrain: Identify potential damage and change or remove resources to limit future or further damage.
Reconstitute: Identify untrustworthy resources and damage, restore functionality, and determine the trustworthiness of restored or reconstructed resources.
Understand: Understand adversaries, and understand the effectiveness of cybersecurity and of the controls supporting cyber resiliency.
Transform: Redefine mission/business functions to mitigate risks.
Re-architect: Restructure systems or subsystems to reduce risks.

Cyber resiliency, and the value it brings to a company and its customers, depends on how well the business incorporates its security program as a strategic partner. This partnership can begin by focusing on fundamental cyber hygiene processes and techniques, and then, over time, incorporating and building redundancy into core business operations. Using these basic techniques as a foundation, the company can implement more advanced resilient security controls over time and, in the process, provide its customers the services they require even in times of adversity.