In This Article

Assuming a breach

The proliferation of high-profile, sophisticated ransomware attacks has brought cyber resilience into the spotlight. Board members, regulators and government leaders are asking CISOs to get their organizations "resilient" ASAP. But what does a cyber resilience program actually look like?  

To answer this question, it's important to understand that cyber resilience differs from traditional security disciplines in that it's not preventative in nature. Instead, cyber resilience assumes a breach will occur. The goal of cyber resilience is to make sure an organization maintains critical business operations when one does. 

Many organizations mistakenly lean on the NIST cybersecurity framework of identify, protect, detect, respond and recover to implement cyber resilience. But the NIST framework is founded in the idea of preventing a breach, not getting ahead of one. 

Luckily, there is a proactive framework specific to cyber resilience and it includes four pillars.

Pillar 1: Anticipate

The cyber resilience framework starts by anticipating the threats bad actors are most likely to use to disrupt your organization. 

For example, cyber resilience is less applicable when it comes to the vulnerabilities in your guest lobby wireless access, because a breach wouldn't impact critical business operations. It might however zero in on weak spots in your payroll's network as a breach would have enterprise-wide consequences. 

The anticipate pillar includes threat modeling and understanding your risk posture. With threat modeling, cyber teams research bad actors and the types of attacks and vulnerabilities that are a high priority given an organization's security posture.

This pillar also includes cyber intelligence to identify the biggest vulnerabilities in your network. Cyber intelligence helps teams understand what tactics bad actors would use to exploit these vulnerabilities and the business impact if successful.

One of the biggest benefits of establishing the anticipate pillar is that it starts to get everyone thinking proactively.

Executives start thinking about what areas of the business hold the most value to the organization. Business leaders start thinking about the workstreams needed to support critical operations. Cyber teams start looking for gaps in the kill chain. IT starts looking at gaps in legacy systems.

All of this inspection allows teams to react quickly when under attack.

Pillar 2: Withstand

When a bad actor successfully breaches your organization and starts exploiting your vulnerabilities, how do you manage through it? 

The withstand pillar is all about limiting the impact of an attack. This requires action not just from cyber operations but also IT and business leaders. While cyber operations performs incident response, IT and the business need to reroute systems and users, and do everything they can to maintain successful business operations. 

For all this to work, a set course of actions (COAs) must be created based on the anticipate pillar. For example, cyber operations should be operating from a playbook of the most likely attacks on their organization. Traditional security tactics like an incident management plan is part of this, but it also includes tactics like cyber deception. For example, you might set a honeypot to draw attackers away from assets that are truly critical. 

The same playbooks should specify what actions IT should take to reroute traffic and what changes business leaders need to make ensure the business can continue to operate. 

Hopefully, sound COAs, playbooks and streamlined cyber operations is enough to manage through an attack. But cyber resilience is about assuming the worst. There's nothing wrong with actions in the withstand pillar failing under attack, if you have a plan to recover. 

Pillar 3: Recover

Many organizations think they have a recovery plan in place, because they have a disaster recovery plan that includes the ability to restore business-critical data. The problem is that this only accounts for recovering data, not the services and workstreams surrounding the data. Successfully restoring key systems from an attack means restoring applications, platforms and networks. It also means restoring account access, database services, access to cloud systems and all the security needed to stop an attacker from being successful. 

If you can't manage through an attack under the withstand pillar, you need to have the ability to very quickly redirect elements of your business to an exact duplicate of an application or series of applications and associated security wrappers so nothing else becomes infected. 

Ideally, duplicates of applications and associated services are stored in a cyber vault. Residing in an offsite location, a cyber vault allows organizations to recover accounts for application services like Active Directory, key management systems, public key infrastructure, DNS, VPNs, firewalls and authentication.  

Bad actors are counting on an organization not having a cyber vault and performing a traditional disaster recovery restore, because then they can use advanced persistent threats to break other parts of the network. You might have protected your data from one type of attack, but it won't stay safe for long without the ability to recover the appropriate security services. 

Pillar 4: Adapt

Good cyber resilience programs don't end by managing through an attack; they always look back to see how well the organization was prepared for the attack. In doing so, organizational leaders can make tweaks to business functionality, architecture and cybersecurity to be better prepared for the next attack.

Some security and IT teams may end up killing legacy systems and move more business-critical applications to the cloud. Others may find assets in the cloud need to be brought on premises. In some cases, business leaders might determine that they can streamline the number of services they need for business-critical applications to continue under an attack. 

This retrospective informs how you can bolster the anticipate pillar of a cyber resilience program as your organization readies itself for the next attack. 

Answering the call

Despite our best efforts to reduce risks, we likely won't always be able to prevent attacks that target business-critical resources. While that may seem like a dreary reality, accepting this fact is far from defeatist. 

By starting to take steps to proactively protect our organizations when under attack, we demonstrate how cybersecurity can power business performance.   

Building cyber resilience into an organization doesn't happen overnight, regardless of how much we'd like it to. But by leaning on the four pillars of cyber resilience, CISOs can answer the call for their organizations to become resilient with confidence.