Is Cyber-resilience quickly gaining traction as a consequence of our proven inability to stop cyber-attacks?
Barely a week goes by without a ground-breaking story of how another major organisation has been attacked by cyber criminals, breaking previous records in terms of both severity and amount of data breached. Whether millions of IDs were stolen, or personal data compromised, it’s clear that no business, irrespective of the money they throw at security solutions, is safe.
Due to the complexity of the topic, in particular when applied to sectors or nations, it’s important to start with some definitions.
The National Institute of Standards and Technology (NIST) defines cyber-resilience as: the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources.
Cyber-resilience is intimately related to other disciplines:
- Information Security and Privacy, which is basically the organization’s ability to safe-guard data from unauthorized access or modification while ensuring availability, confidentiality and integrity.
- Business Continuity: ensuring that an organization will have the capability to operate its critical business functions during emergency events.
- Organizational resilience: the capability of an organization to anticipate, respond and adapt to incremental change and sudden disruption in order to survive and prosper.
- Fault Tolerance: the property that enables a system to continue operating properly in the event of a failure.
- Reliability: the quality of being trustworthy and performing consistently well.
- Safety: the condition of being protected from or unlikely to cause danger, risk, or injury.
- Resilience and Survivability: in engineering, survivability is the quantified ability of a system, subsystem, equipment, process, or procedure to continue to function during and after a natural or man-made disturbance.
The concept of cyber-resilience not only covers IT systems, but also critical infrastructure, societies, business processes, organizations and nation-states.
According to NIST, a key fundamental assumption of cyber-resiliency is the fact that a sophisticated adversary cannot always be kept out of a system or be quickly detected and removed from that system, regardless of the quality of the design, the functional effectiveness of the security components and the trustworthiness of the selected components.
Additionally, NIST states that cyber-resiliency assumes that the adversary's presence in the system may be a persistent and long-term issue, and recognizes that the stealthy nature of the APT makes it difficult for an organization to be certain that the threat has been eradicated. It also recognizes that the ability of the APT to adapt implies that mitigations that were previously successful may no longer be effective.
What are the existing frameworks?
There are multiple frameworks purposely designed for different entities, sectors or environments, such as critical infrastructure, territorial governments, engineering systems and CERTs. Some of these frameworks are listed below:
1) Department of Homeland Security (DHS) – Cyber Resilience Review (CRR): a voluntary examination of operational resilience and cyber security practices offered at no cost by DHS to the operators of critical infrastructure and state, local, tribal and territorial governments. The CRR is offered in a facilitated workshop format and as a self-assessment package.
2) The National Institute of Standards and Technology (NIST) offers a framework for engineering secure and reliable systems, treating adverse cyber events as both resiliency and security issues (NIST Special Publication 800-160, Volume 2).
3) MITRE has developed its Cyber Resiliency Engineering Framework (CREF) to support the development of structured and consistent cyber resiliency guidance.
4) The Cyber Resilience Evaluation Method and the CERT® Resilience Management Model (CERT-RMM).
How do we measure cyber-resilience?
Considering the previous assumption that, regardless of the measures taken, we might not be able to prevent an entity from being breached, it is absolutely crucial to ensure that we are able to measure its cyber-resilience and to guarantee that it is appropriate, and kept appropriate, in a quickly changing threat landscape.
We need to define the different scopes and the metrics applicable for each one:
- Systems and Missions: metrics would be related to either how well the system or mission handles disruption or to their architectural properties.
- Organizations: metrics are sought in the contexts of cybersecurity, contingency planning and overall risk management.
- Sectors: metrics can be defined using a framework based on risk metrics, relying on a resilience analysis process.
- Nations and transnational entities: this is very complex due to interdependencies among organizations, systems and critical infrastructures, as well as significant differences in preparedness and response for different types of disruptions; together these present major challenges to resilience assessment for regions or communities.
This article is designed for general guidance and the definition of specific metrics will require a detailed analysis which might in some cases become very complex, particularly for sectors, nations and transnational entities.
Ways to improve cyber-resilience
As recent global cyber-attacks have demonstrated, it is crucial for our increasingly interconnected society to strengthen its cyber security and resilience.
There are different approaches to improve cyber-resilience. Among them:
- Build a strong foundation: identify high-value assets (customer data, IP rights, personal information of staff, etc.) and harden them. Prioritize legacy systems and prepare for the worst.
- Implement a strong risk management practice: be cognizant of the new threats associated with new technologies like IoT/IIoT, cloud and mobility, and adjust your cyber posture to these new threats.
- Address the People risk by properly educating your staff and by putting procedures and policies in place to ensure that all angles are covered in the event of an incident.
- Pressure test resilience like an attacker: enhance both red (attack) and blue (defense) teams with player-coaches that use threat intelligence and communicate closely to provide analysis on where improvements need to be made.
- Employ breakthrough technologies: automate defenses, using automated orchestration capabilities and advanced behavioral analytics.
- Be proactive and use threat hunting: develop strategic and tactical threat intelligence, and monitor for anomalous and suspicious activity.
- Implement a good crisis management strategy.
- Evolve the role of the CISO: progress towards the next-generation CISO, business-adept and tech-savvy.
Let’s not forget the key fundamental assumption that in today’s world, a sophisticated adversary cannot always be kept out of your organization or be quickly detected and removed.
Moreover, it is very important to understand that cyber-resiliency cannot be achieved without planning and resources.
Finally, leadership, governance and accountability are absolutely crucial ingredients.
- Building Cyber Resilient Systems, MITRE
- Cyber Resilience Metrics: Key Observations, MITRE