There are a lot of fancy buzzwords in cybersecurity. One of this year’s most popular terms is Cyber Resilience, but it is far from just a buzzword. The World Economic Forum agrees, stating: “Cyber resilience is more than just a buzzword in the security industry; it is an essential approach to safeguarding digital assets in an era where cyber threats are not a matter of IF but WHEN.”
Cyber incidents such as ransomware are on the rise: Check Point’s 2024 Cyber Security Report counted over 5,000 publicly extorted ransomware victims in 2023, a 90% increase over the prior year. Given these alarming statistics, what can organizations do to protect their networks and data? A good starting point is understanding what cyber resilience really means.
The National Institute of Standards and Technology (NIST) defines cyber resilience as “The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” In practice, this means organizations need a holistic, comprehensive strategy for managing cyber risk, built on people, process, and technology.
To achieve this goal, organizations should align their cybersecurity program with a recognized industry framework to identify and close gaps and to ensure completeness. The NIST Cybersecurity Framework (CSF) is a flexible and adaptable methodology that enables organizations to develop a comprehensive approach to cybersecurity and risk management.
Earlier this year, NIST released the much-anticipated version 2.0 of the ten-year-old framework. The update broadens the framework’s scope from its previous focus on critical infrastructure to all organizations, regardless of size or industry, so that any of them can use it to manage and reduce risk. It also expanded the five original core functions (Identify, Protect, Detect, Respond, and Recover) with a sixth core function, Govern.
By aligning with a framework such as the NIST CSF, organizations can implement a comprehensive defense-in-depth strategy for cybersecurity. This is accomplished by applying the appropriate balance of administrative, technical, and physical controls (also known as safeguards) needed to achieve their risk management goals, both proactively and reactively.
Administrative controls are the policies, standards, and procedures that define an organization’s expectations, the criteria for meeting those expectations, and how they will be met. Technical controls are the hardware and software solutions implemented to protect systems and data. Lastly, physical controls are the security controls that protect an organization’s physical locations and assets.
There are five types of controls: preventative, detective, corrective, deterrent, and compensating. It is through the layering of these controls that organizations achieve defense in depth: no single control is relied on to stop an attack, so the failure of one is covered by another.
To become cyber resilient, organizations must establish numerous capabilities as outlined within the NIST CSF. Here is a summary.
- A cybersecurity risk management strategy, expectations, and policies. This includes establishing roles and responsibilities that declare who is responsible, accountable, consulted, and informed for decisions, activities, and oversight; defining the organization’s risk appetite and tolerance so that identified risks can be treated and prioritized consistently; and formalizing policies, standards, and procedures that define expectations for the use of technology, including what it can be used for, how it will be used, security requirements, and operating procedures.
- Cybersecurity risk assessment capabilities to identify and assess risk. This capability depends on the foundational ability to maintain an up-to-date inventory of assets, including applications, systems, and data. If an organization does not know what assets it has and where they are located, it cannot accurately assess risk. Risks can be identified through periodic business impact assessments, tests, and audits. Once a risk has been identified, it should be assessed to understand its severity; the established risk management strategy, appetite, and tolerance then guide whether the risk is accepted, mitigated, transferred/shared, or avoided. Processes should also be established to continuously improve based on the results of exercises, tests, and lessons learned.
- Safeguards to protect technology assets and reduce cybersecurity risk. Assets should be protected commensurate with their sensitivity and criticality. To facilitate this, network segmentation and communication controls should isolate asset classes from one another and restrict the traffic allowed between them. Encryption should protect data at rest and in transit. Controls should prevent the installation and execution of unauthorized and malicious software. Identity and access management (IAM) with multifactor authentication (MFA) should identify, authenticate, and authorize entities using role-based access control (RBAC) that follows the principle of least privilege. A security awareness and training (SAT) program should educate all users about cybersecurity risks and about the organization’s policies and procedures.
Change and configuration management should be implemented and formalized, ensuring that configurations align with best practices and defined standards and that changes are evaluated for their potential impact and risk. A multitiered backup strategy aligned with the 3-2-1 rule (three copies of the data, on two different media types, with one copy offsite) should be implemented so that assets can be recovered within specified recovery point objectives (RPOs). Business continuity and disaster recovery strategies should be established to keep operations running and to enable the recovery of technology assets.
- Capabilities to monitor and correlate security event information from assets to detect anomalous or malicious activity, and to analyze discovered adverse events 24/7/365 to identify cybersecurity attacks and incidents. A security information and event management (SIEM) solution should be implemented to aggregate, normalize, correlate, and retain event information. Threat intelligence and indicator of compromise (IOC) information should be incorporated to enhance detection and analysis capabilities.
- Capabilities and documented plans to respond effectively and efficiently to identified cybersecurity attacks and incidents, with clearly defined and documented processes for declaring an incident, determining its severity, prioritizing, escalating, and documenting it. Endpoint detection and response (EDR), security orchestration, automation, and response (SOAR), and other solutions should be leveraged to streamline containment and response activities. Processes should be established for appropriate communication with internal and external stakeholders, as well as the public, during and after a cybersecurity incident.
- A strategy and capabilities to recover assets impacted by cybersecurity attacks and incidents effectively and efficiently, with clearly defined and documented criteria and processes for declaring a disaster, determining the recovery required and its scope, prioritizing the recovery of resources, and carrying out recovery activities. This includes verifying the integrity of recovery media, confirming that recovered assets are in a known-good, clean state, and validating that they were restored successfully and operate as expected. Information about recovery activities and progress should be communicated appropriately to internal and external stakeholders, and updates to the public should follow approved procedures and messaging.
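As an added example (not code from the original article or from 11:11 Systems) of the backup point in the Protect summary above, the following script audits a backup inventory against the 3-2-1 rule and an RPO. The inventory, its field names, the RPO of 24 hours, and the audit time are all constructed for illustration; a real check would read them from the backup product’s catalog.

```python
"""Audit a backup inventory against the 3-2-1 rule and a recovery point objective (RPO).

Added example with a constructed inventory; the field names (dataset, media,
location, offsite, completed) are assumptions, not a real product's schema.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: each entry is one copy of a dataset.
BACKUP_COPIES = [
    {"dataset": "erp-db", "media": "disk", "location": "dc1", "offsite": False,
     "completed": "2024-05-01T02:00:00Z"},
    {"dataset": "erp-db", "media": "tape", "location": "dc1", "offsite": False,
     "completed": "2024-04-30T02:00:00Z"},
    {"dataset": "erp-db", "media": "object-storage", "location": "cloud-region-b",
     "offsite": True, "completed": "2024-05-01T02:30:00Z"},
    # fileshare only has two disk copies in the same site, and they are stale.
    {"dataset": "fileshare", "media": "disk", "location": "dc1", "offsite": False,
     "completed": "2024-04-28T02:00:00Z"},
    {"dataset": "fileshare", "media": "disk", "location": "dc1", "offsite": False,
     "completed": "2024-04-27T02:00:00Z"},
]

DEFAULT_RPO = timedelta(hours=24)          # assumed RPO for the demo


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in the inventory."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


AUDIT_TIME = parse_ts("2024-05-01T08:00:00Z")   # constructed 'now' for the demo


def evaluate_dataset(copies, rpo, now):
    """Return a list of findings for one dataset; an empty list means compliant."""
    findings = []
    # 3: at least three copies of the data.
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (3-2-1 needs 3)")
    # 2: copies must span at least two media types (disk, tape, object storage, ...).
    media = {c["media"] for c in copies}
    if len(media) < 2:
        findings.append(f"single media type {sorted(media)} (3-2-1 needs 2)")
    # 1: at least one copy must be offsite.
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy (3-2-1 needs 1)")
    # RPO: the newest copy must be no older than the RPO, or a restore loses more data than allowed.
    newest = max(parse_ts(c["completed"]) for c in copies)
    age = now - newest
    if age > rpo:
        findings.append(f"newest copy is {age} old, exceeds RPO of {rpo}")
    return findings


def audit(copies, rpo, now):
    """Group copies by dataset and evaluate each one; returns {dataset: [findings]}."""
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c["dataset"], []).append(c)
    return {name: evaluate_dataset(cs, rpo, now) for name, cs in by_dataset.items()}


if __name__ == "__main__":
    for name, findings in audit(BACKUP_COPIES, DEFAULT_RPO, AUDIT_TIME).items():
        status = "OK" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{name}: {status}")
```

Run against the constructed inventory, erp-db passes all four checks, while fileshare fails every one of them: two copies, one media type, nothing offsite, and a newest copy more than three days old against a 24-hour RPO. The same checks are worth running on a schedule rather than only at design time, since a backup job that silently stops is exactly the kind of drift that turns a recoverable incident into an unrecoverable one.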
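The Detect summary above describes what a SIEM does (normalize, correlate, enrich with IOCs) without showing it. The following added example, not code from the original article or any SIEM product, runs that pipeline over a handful of constructed sshd-style authentication lines: it normalizes them into events, raises an alert when five or more failed logins from one address are followed by a success within ten minutes, and flags any event whose source address appears in a constructed IOC list. The log format, the threshold and window, and the IOC entry are all assumptions made for the demo.

```python
"""Minimal SIEM-style normalize/correlate/enrich pipeline over constructed auth logs.

Added example: the log lines, the sshd-like format, the detection threshold
and window, and the IOC feed are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a brute force from 203.0.113.7 that ends in success,
# one login from an address on the IOC list, and benign noise.
RAW_LOGS = """\
2024-05-01T02:00:01Z host1 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 4001
2024-05-01T02:00:03Z host1 sshd[102]: Failed password for invalid user test from 203.0.113.7 port 4002
2024-05-01T02:00:05Z host1 sshd[103]: Failed password for root from 203.0.113.7 port 4003
2024-05-01T02:00:07Z host1 sshd[104]: Failed password for root from 203.0.113.7 port 4004
2024-05-01T02:00:09Z host1 sshd[105]: Failed password for root from 203.0.113.7 port 4005
2024-05-01T02:00:11Z host1 sshd[106]: Accepted password for root from 203.0.113.7 port 4006
2024-05-01T02:10:00Z host2 sshd[201]: Accepted publickey for deploy from 192.0.2.44 port 5000
2024-05-01T02:15:00Z host2 sshd[202]: Accepted publickey for ops from 198.51.100.9 port 5100
2024-05-01T03:00:00Z host1 sshd[107]: Failed password for alice from 192.0.2.44 port 5200
"""

# Constructed threat-intel feed: source IP -> context string.
IOC_IPS = {"198.51.100.9": "constructed indicator: known scanner"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def normalize(raw):
    """Parse raw lines into uniform event dicts (the SIEM 'normalize' step)."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count and alert on unparsed lines
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when >= threshold failures from one IP precede a success within window."""
    alerts = []
    failures = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["ip"]
        if e["outcome"] == "Failed":
            failures[ip].append(e["ts"])
            continue
        recent = [t for t in failures[ip] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "ip": ip,
                           "user": e["user"], "host": e["host"],
                           "failures": len(recent), "ts": e["ts"]})
            failures[ip].clear()  # do not re-alert on the same burst
    return alerts


def enrich_with_iocs(events, iocs):
    """Flag every event whose source IP appears in the IOC feed."""
    return [{"rule": "ioc_match", "ip": e["ip"], "user": e["user"], "host": e["host"],
             "ts": e["ts"], "context": iocs[e["ip"]]}
            for e in events if e["ip"] in iocs]


def run(raw=RAW_LOGS, iocs=IOC_IPS):
    """Full pipeline: normalize, then correlation alerts followed by IOC matches."""
    events = normalize(raw)
    return correlate(events) + enrich_with_iocs(events, iocs)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample, the pipeline produces two alerts: the brute force against root from 203.0.113.7 (five failures then a success in ten seconds) and the successful key-based login from the IOC-listed 198.51.100.9. Note that the second would never trip a threshold rule, since it is a single clean success; that is exactly why the Detect function calls for IOC enrichment alongside correlation.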
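The Recover summary above calls for verifying the integrity of recovery media and confirming that restored assets are in a known-good state. One concrete way to do that is to record a SHA-256 manifest of the asset at backup time and compare the restored tree against it. The following is an added example, not code from the original article or 11:11 Systems: it builds a manifest from a constructed source tree in a temporary directory, then checks a clean restore and a tampered one (a modified binary and an unexpected cron entry). The manifest shape and the file contents are assumptions for the demo.

```python
"""Verify a restored file tree against a SHA-256 manifest taken at backup time.

Added example: the source tree, the 'restore', and the tampering are all
constructed in temporary directories; the manifest is a plain {path: sha256}
dict rather than any real product's format.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large restored artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative path under root to its SHA-256 (captured at backup time)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(root, manifest):
    """Compare a restored tree with the manifest; returns missing/unexpected/modified paths."""
    restored = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "unexpected": sorted(set(restored) - set(manifest)),
        "modified": sorted(p for p in manifest
                           if p in restored and restored[p] != manifest[p]),
    }


def is_known_good(findings):
    """A restore is known-good only if nothing is missing, added, or changed."""
    return not any(findings.values())


def demo():
    """Constructed scenario: manifest a source tree, verify a clean restore, then a tampered one."""
    files = {"etc/app.conf": b"listen=443\n", "bin/app": b"\x7fELF-placeholder"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for base in (src, dst):
            for rel, data in files.items():
                path = os.path.join(base, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        manifest = build_manifest(src)
        clean = verify_restore(dst, manifest)
        # Simulate recovery media that was altered: one binary modified, one file dropped in.
        with open(os.path.join(dst, "bin", "app"), "ab") as f:
            f.write(b"-tampered")
        with open(os.path.join(dst, "etc", "cron.d"), "wb") as f:
            f.write(b"* * * * * root /tmp/x\n")
        tampered = verify_restore(dst, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore known-good:", is_known_good(clean))
    print("tampered restore findings:", tampered)
```

The clean restore reports no findings; the tampered one reports bin/app as modified and etc/cron.d as unexpected. For this check to mean anything, the manifest must be stored separately from the backup media it describes (and ideally signed), otherwise whoever altered the media could alter the manifest to match. Hash verification establishes that the restore matches what was backed up; it does not establish that what was backed up was clean, which is why the Recover function also calls for validating that restored assets operate as expected.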
A nearly limitless number of risks exist, each with the potential to compromise and disrupt the technology that is vital to conducting business. These risks are diverse, ranging from ransomware, hacktivism, and insider threats to cyber-gangs, nation states, and script kiddies. It is therefore imperative that organizations achieve a state of cyber resilience so they can thrive in the face of these adverse conditions and actors.
To learn more about cyber resilience, cyber incident recovery, and data security, please check out the following resources from 11:11 Systems.