What should a cyber-resilient business look like?

Resiliency is that new magic word that businesses today are told they need to emulate. We constantly hear that companies are under attack and that new evolving threats are out there waiting to strike. With that idea in mind, I began to wonder what resiliency looks like, how it would fit into my strategic security plan, and how it would change my budget. I also started to contemplate if there is a way to measure high levels of resiliency or if there is an acceptable baseline. Or what level of resiliency equates to a measurable business value that justifies my expenditure of security department resources?

It’s these questions that drove me to research the concept of cyber resiliency. I found that the basic definition of resilience is the capacity to recover quickly from difficulties. However, in cybersecurity the definition of resiliency is focused on how organizations recover from an incident which incorporates multiple domains such as cybersecurity, business continuity and organizational operations. The objective of cyber resiliency is for the company to be able to adapt and continue delivering services to its customers during an event, for example, a data breach. Additionally, business operations also should include processes to restore standard business services after the incident occurs.

From a CISO’s perspective, I believe this concept is critical to protecting an organization’s strategic operations. While researching cyber resiliency, I discovered previous work by Mitre from 2012 that showcased their version of a Cyber Resiliency Engineering Framework. They pictured a methodology of techniques that, when incorporated together, helped organizations meet specific objectives and enabled resilient business operations. Fast forward to 2018 when those same authors from Mitre have matured that research into the current NIST SP800-160 Volume 2 publication for “Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems.”

For cyber resiliency, the NIST publication states there are specific techniques that provide a level of trustworthiness when properly incorporated into a business’s security and risk management portfolio. I find many of the techniques listed by the new NIST cyber resiliency publication can be traced to fundamental cyber hygiene principles.

The following are the resiliency techniques, with hygiene controls and practices in bold, that businesses can implement to mature their security programs and improve their ability to provide services to customers during a cyber incident:

Adaptive response

Optimize the ability to respond in a timely and appropriate manner to adverse conditions. (Dynamic Reconfiguration, Resource Allocation & Adaptive Management)

Analytic monitoring

Maximize the ability to detect potential adverse conditions and reveal the extent of adverse conditions. (CDM, IDS, Threat Monitoring, Forensic & Malware Analysis)

Coordinated protection

Require an adversary to overcome multiple safeguards. (Defense-in-Depth, Network/Host IDS, Orchestration, Red/Blue Team Exercises)

Deception

Mislead or confuse the adversary or hide critical assets from the adversary. (Obfuscation, Encryption of Data, Honey Pots, Encrypt Processing, DNS Cache Poisoning)

Diversity

Limit the loss of critical functions due to the failure of replicated common components. (Different OS, Random IP space, Alternate Communication Protocols)

Dynamic positioning

Impede an adversary’s ability to locate, eliminate, or corrupt mission or business assets. (Relocate sensors, change storage sites, distribute critical processes & assets)

Dynamic representation

Support situational awareness, reveal patterns or trends in adversary behavior. (Real-time map of resources, threat modeling, CTI for real-time awareness)

Non-persistence

Provide a means of curtailing an adversary’s intrusion. (Employ time-based or inactivity-based session termination, refresh services, SDN)

Privilege restriction

Restrict privileges based on attributes of users and system elements. (Least Privilege, RBAC, Dynamic account provisioning)

Realignment

Reduce the attack surface of the defending organization (Whitelisting, IAM, minimize non-security functionality, outsource non-essential services to MSP/MSSP)

Redundancy

Reduce the consequences of loss of information or services. (Retain configurations, maintain & protect backups, alternate audit & security capabilities)

Segmentation

Limit the set of possible targets to which malware can easily be propagated. (Subnets, Vlans, Partitions, Sandboxes, Enclaves, System/Service/Process Isolation)

Substantiated integrity

Detect attempts by an adversary to deliver compromised data, software, or hardware, as well as successful modification or fabrication. (Tamper seals, cryptographic hashes, SCRM, Code signing, Trusted path, fault injection)

Unpredictability

Increase an adversary’s uncertainty regarding the system protections which they may encounter. (Rotate roles, random authentication, randomize routine actions)

In reviewing these techniques, I imagined an equation that demonstrates their business value to an organization (Cyber Hygiene Controls + NIST Techniques = Objectives = Business value through resilient operations). In essence, for a business to meet the objectives for resiliency listed below, it needs to follow some type of security framework, implement controls (techniques) to manage its risk exposure, and continually monitor for changes in risk over time. This process is the mandate of the CISO and an organization’s mature security program. These techniques and their associated objectives provide the CISO with context into the value and impact proper security operations provide the business.

Objectives include:

• Prevent or avoid. Apply basic cyber hygiene and risk-tailored controls, decrease the adversary’s perceived benefits, and modify configurations based on threat intelligence.
• Create and maintain cyber incident scenarios and train your incident response teams on the proper responses and procedures.
• Minimize degradation of service delivery.
• Identify potential damage and change or remove resources to limit future or further damage.
• Identify untrustworthy resources and damage, restore functionality, and determine the trustworthiness of restored or reconstructed resources.
• Understand adversaries and understand the effectiveness of cybersecurity and controls supporting cyber resiliency.
• Redefine mission/business functions to mitigate risks.
• Re-architect. Restructure systems or subsystems to reduce risks.

Cyber resiliency and the value it brings to a company and its customers will depend on how well the business incorporates its security program as a strategic partner. This partnership can begin by focusing on fundamental cyber hygiene processes and techniques, and then, over time, incorporate and build redundancy into core business operations.

Using these basics techniques as a foundation, the company can implement more advanced resilient security controls over time and, in the process, be able to provide their customers the services they require even in times of adversity.