What Is Cyber Resilience?
As the cyberthreat landscape darkens each day, the term, cyber resilience is increasing in importance. A cyber resilient company is in the best position to prepare for, respond to, and recover from a cyberattack. Being resilient, however, means much more than attack prevention or response. A cyber resilient enterprise can continue to function during an attack and is agile enough to adapt and recover from the incident. While a protection-focused approach may have worked in the past, today’s enterprise must now move to adopt a strategy that is based more on endpoint resilience which, beyond protection, emphasizes adaptability, exposure reduction, information gathering and discovery. Cyber resilience transcends technology and can protect the interests of everyone involved, including the C-suite, staff, shareholders, and the board of directors. Resilience comes down to having a self-healing capability. Think of it this way: if your company must rely on an external source to resurrect you, then you can’t call yourself resilient. Only those organizations with a self-healing property (being able to recover without human intervention) can be truly classified as resilient. Ultimately, if the organization has its eye on becoming more resilient, then it must incorporate technologies with the capacity of self-healing. Running around putting things back together isn’t the preferred state of a resilient enterprise.
Self-healing: The Only True Resilience
In the hardware world, we buy and deploy redundant systems: multiple firewalls, routers, switches, clouds, and cables. We do this because we expect our hardware defenses to fail; there’s even a name for it: “failover”. The other term used often is High Availability, which just means more hardware deployed for failover. In the software universe, the equivalent is resilience. But unlike hardware, you can’t just have clones of the same tools, controls, apps, and agents that play understudy to the primary control. When the primary control fails, the clone steps into the spotlight is not an idea that exists with software. So, enterprises need to rely on resilient software controls, apps, and agents. But the only way you can claim you are resilient is if you have a self-healing capability. Without it, you don’t have the replacement, so there is no failover. It’s a crack in your security fabric.
It All Starts With A Framework
While this resiliency may sound daunting and difficult to achieve, thankfully there is an existing framework from which the enterprise can leverage to improve their resiliency. The NIST Cybersecurity Framework (NIST CSF) outlines specific actions that organizations can perform to see success in their cybersecurity programs.
The five pillars or actions of the NIST CSF are:
Identify:
- Identify each endpoint for a comprehensive inventory
- Identify authorized and unauthorized hardware and software
- Prioritize endpoints based on classification, criticality, and business use
- Benchmark device controls against security standards and policy
- Quantify risk based on device vulnerabilities and exposures
- Catalog device, data, user, and application relationships across the end point population
Protect:
- Gain physical access control and geofencing for distributed endpoints
- Freeze, delete, and wipe devices through remote commands
- Enable secure remote access systems (e.g. VPN) on all endpoints
- Validate and restore encryption for at-risk data
- Automate validation for data integrity in software, firmware, and cloud storage apps
- Control communication from endpoints to the corporate network or domain
- Authorize telemetry analysis and remote command for maintenance and repair
Detect:
- Establish baseline behaviors for users, data, devices, and applications
- Unify asset intelligence across the device population
- Monitor user activity and enforce role-based security controls
- Score high-risk users with access to sensitive data
- Access geo-tracking and user-device awareness
- Detect and log configuration changes
Respond:
- Utilize dynamic remediation and control changes
- Perform role-based access control for in-console response commands
- Deliver continuous device logs and forensic documentation
- Isolate a device or group of devices for containment
- Push control changes to prevent spread of detected compromise
- Command hotfixes to mitigate indicators of exposure (IOEs)
Recover:
- Enforce policies within device controls
- Monitor device use and locally accessed sensitive data
- Control incident investigations, digital forensics, and documentation
- Augment and push new controls for endpoint hygiene
- Access documentation instantly for continuous improvement to endpoint hygiene and data protection
A Blueprint for Resilience
Each focal point of the NIST CSF is designed for resilient cyber defense and protection and aims to ensure data confidentiality, integrity, and availability. Much of the work that’s needed to be resilient is simply doing the basics: patching, strong authentication, control monitoring, etc. What’s practical about something like NIST CSF (or CIS Top 20 or ISO or any others for that matter) is that it is a blueprint. Just like a blueprint to a building, the CSF is like having the architect’s plans for a well-engineered structure. With NIST in particular, the goal is resilience — especially in the protect and recover sections. The Protect (initial resilience) and Recover (learn and grow more resilient) steps are emphasized as the target/goal.
