It is not a question of if, but when, a cyber security event will happen; and when it does, are you prepared and resilient enough to continue business operations?
Business continuity is a long-term, strategic plan that readies an organisation for disruptive events such as natural disasters, pandemics, loss of key personnel, and many other unforeseen circumstances. The U.S. NIST Special Publication 800-34 was one of the first frameworks to identify that organisations should consider a cyber readiness plan, and it encourages them to have a well-rehearsed playbook for a range of scenarios.
So, what exactly is cyber resilience? According to the Australian Cyber Security Centre, cyber resilience is:
The ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage, and recover from cyber security incidents.
The U.S. NIST also published its Cybersecurity Framework, last updated in 2018, which outlines five distinct lifecycle functions: Identify, Protect, Detect, Respond, and Recover. The first two functions cover an organisation's essential responsibility to identify its critical business processes and the cyber assets that support them. The remaining three functions relate to the practices associated with detecting, responding to, and recovering from disruptive cyber incidents.
Many organisations spend their time identifying and then protecting their assets using a vast array of well-known technologies and vendors; cyber resilience, however, is more a capability steeped in continuous learning, practice and improvement. As an important first step, organisations need to identify where their cyber assets are located and who is operating them. This sounds simple enough, but it depends on understanding nuances such as the supply chain, the concept of the extended enterprise, service providers, contracts, service level agreements, roles and responsibilities, and what constitutes an approved baseline of normal activity, without which suspected incidents cannot be reported on or investigated.
When setting out to build a cyber resilience practice, organisations will have to consider, and invest in, one of the following Security Operations Centre (SOC) models:
(1) centrally log all information and respond to incidents reactively
(2) try to build the entire capability inhouse
(3) use a co-managed solution, or
(4) use a fully outsourced solution
Each model has its pluses and minuses, including cost, the sharing of sensitive information, loss of key personnel, training budgets, and rehiring staff.
The next burning question is, "What sort of disruptive cyber incidents should my organisation plan for?" As a guide, organisations should plan for incidents such as ransomware, denial-of-service (DoS), phishing, spear phishing, whaling, vishing, data exfiltration, rootkits, and virus and worm outbreaks. Other attacks include social engineering, theft of intellectual property, unauthorised access to sensitive information, unauthorised data movements between security domains, spyware, logic bombs, and the compromise of integrity in mission-critical systems that involve human safety.
The quote by Nelson Mandela is very pertinent with regard to resilience. To become cyber resilient, organisations need to change their mindset from "if a cyber security event will happen" to "when a cyber security event will happen, and how often". This means that an organisation will need to identify and root out potential threats using techniques such as threat hunting, red teaming, blue teaming, purple teaming, breach and attack simulations, vulnerability scanning, penetration testing, audits, user and entity behaviour analytics, and continuous monitoring.
There are several inspiring stories of organisations that have striven for high levels of resilience as a market differentiator. One such story is that of Netflix, the organisation that streams digital content and requires a reliable service in order to earn income and keep all of its stakeholders, including its customers, happy. Netflix developed and open-sourced software called Chaos Monkey, whose idea is to introduce chaos into your production systems during working hours. Why working hours? Because support staff will be around in case something does not work as expected.
You might think that this is a risky strategy, but Netflix is continually striving for robustness in its service offering. Ask yourself how confident you would be arranging a surprise outage for your own organisation, to gauge how resilient and well-practised your staff, processes, and technologies are. This is what cyber resilience is all about: handling adverse events that are unexpected and have potentially detrimental consequences.
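As an added illustration of the two safeguards the Chaos Monkey paragraph describes (experiments fire only while support staff are on shift, and only against a bounded slice of a group), here is a small scheduler gate. It is written for this article and is not Netflix's code; the Australia/Sydney working window, the 10% blast-radius limit, the `terminate` hook and the instance names are all constructed assumptions.

```python
"""Working-hours gate and blast-radius limit for a Chaos Monkey style experiment.
Added illustration for this article; not Netflix's Chaos Monkey. All values are assumed."""
from dataclasses import dataclass
from datetime import datetime, time
from zoneinfo import ZoneInfo
import random


@dataclass(frozen=True)
class ChaosPolicy:
    tz: str = "Australia/Sydney"   # timezone of the on-shift support staff (assumed)
    start: time = time(9, 0)       # earliest local time an experiment may fire
    end: time = time(16, 0)        # stop early so recovery finishes before staff go home
    max_fraction: float = 0.1      # never terminate more than 10% of a group
    min_healthy: int = 2           # always leave at least this many instances untouched


def in_working_hours(now_iso: str, policy: ChaosPolicy = ChaosPolicy()) -> bool:
    """True only on a weekday inside the policy window, evaluated in policy.tz.
    now_iso is an ISO-8601 timestamp with a UTC offset, e.g. '2024-03-05T23:30:00+00:00'."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    local = now.astimezone(ZoneInfo(policy.tz))
    return local.weekday() < 5 and policy.start <= local.time() < policy.end


def pick_victims(instances, policy: ChaosPolicy = ChaosPolicy(), seed=None):
    """Bounded random subset: at most max_fraction of the group, never below min_healthy."""
    n = len(instances)
    budget = min(int(n * policy.max_fraction), n - policy.min_healthy)
    if budget < 1:
        return []
    return random.Random(seed).sample(sorted(instances), budget)


def terminate(instance):
    """Hypothetical hook where a real scheduler would call the cloud provider's API."""
    print(f"terminating {instance}")


def run_experiment(instances, now_iso, policy=ChaosPolicy(), seed=None, dry_run=True):
    """Gate on working hours, then select victims; dry_run returns the plan only."""
    if not in_working_hours(now_iso, policy):
        return {"status": "skipped", "reason": "outside working hours", "terminated": []}
    victims = pick_victims(instances, policy, seed)
    if not victims:
        return {"status": "skipped", "reason": "group too small to test safely", "terminated": []}
    if not dry_run:
        for inst in victims:
            terminate(inst)
    return {"status": "planned" if dry_run else "executed", "terminated": victims}


if __name__ == "__main__":
    fleet = [f"web-{i:02d}" for i in range(20)]  # constructed sample fleet
    print(run_experiment(fleet, "2024-03-05T23:30:00+00:00", seed=1))  # 10:30 Wed in Sydney
    print(run_experiment(fleet, "2024-03-09T01:00:00+00:00", seed=1))  # Saturday in Sydney
```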
What can ALC offer regarding Cyber Resilience?
ALC offers its own 5-day certification course, NIST Cybersecurity Framework Practitioner™, which takes delegates through the framework and lets them discover in more detail what goes into making an organisation more cyber resilient. The course is built around a regional case study for Australia and New Zealand in the critical infrastructure space to reinforce the theory. Delegates must complete the case study and the final exam in order to be awarded the course certification and digital badge.
ALC Cyber Security