What is cyber resiliency and how can it help your company?

Go beyond Zero Trust and up-level the resiliency of your company with this framework!

John Spiegel

11/15/2024 · 4 min read


If you’ve attended any security conference, webinar, or had coffee with a peer, the conversation often drifts to zero trust as the strategy and framework to secure our digital future. Zero trust is a concept first developed by Forrester analyst John Kindervag in 2010. He realized applications and data were becoming distributed and that security concepts of the past, like large data center firewalls, had become an anachronism. Rather, he said, focus on determining the location of your prized assets and build “protect surfaces” around them, a security mechanism much like what watertight compartments do for a ship. If one section of the ship is damaged and flooded, the water does not leak into other parts. As a result, the ship survives, and so does the company.

Around the same timeframe (the early 2010s), another complementary security concept was being discussed. This one went further than zero trust and covered additional aspects of the business, namely, recovery. Because it lacked a snazzy name or a debut paper with a title like “No More Chewy Centers,” it did not receive as much attention. Fast forward 10 years, and the cyber resiliency framework is gaining attention. What is it and how can you enhance your security program with it?

The origins of cyber resiliency come from several sources, mostly standards bodies and governmental agencies. NIST, in 2011, published SP 800-39, “Managing Information Security Risk,” which brought resilience into organization-wide risk management strategy. MITRE also got into the game the same year with its “Cyber Resiliency Engineering Framework,” which called out the need to ensure that mission-critical systems continue to operate during cyber stress or attack. NIST later consolidated the discipline in SP 800-160 Vol. 2, “Developing Cyber-Resilient Systems” (2019). Finally, various U.S. governmental agencies such as the Department of Defense (DoD) and Department of Homeland Security (DHS) chimed in on the need for a strategy that went beyond protection.

What are the tenets of cyber resiliency and how can you incorporate them into your company’s strategy for security? NIST’s definition (SP 800-160 Vol. 2) is: “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Put another way, cyber resiliency is like a run-flat tire. If your company is attacked, you have a mechanism in place to get you to a safe place where you can remediate the problem on your terms rather than the attacker’s. The framework involves much more than technology and tools; it is mostly about process and strategy. This is a critical callout: for the strategy to work, you need to actively engage your leadership and stress test how they will perform when the company is under attack. Humans are the unpredictable element in a response scenario, so keep this front and center in your planning.

The four pillars

In terms of breaking down the framework, NIST (SP 800-160 Vol. 2) calls out four goals, the pillars of the framework:

  • Anticipate: The ability to predict and prepare for potential cyber threats and vulnerabilities before they cause harm.

  • Withstand: The ability to maintain essential functions in the face of cyberattacks or other adverse events, mitigating the immediate effects of such disruptions.

  • Recover: The capacity to restore critical services and systems quickly after an attack or disruption.

  • Adapt: The ability to evolve defenses and responses based on lessons learned from past incidents and changes in the threat landscape.

Together they form a continuous feedback loop for security leadership, similar to John Boyd’s OODA loop: constantly improving defenses, educating the company, running regular tabletop exercises, and testing recovery mechanisms.

As someone who has participated in cyber-resiliency projects, here are a few pro tips if you want to get started:

Make sure an Incident Response Plan (IRP) is in place

  • If not, create one. This is well worth the time and investment. Note — be sure to include your legal and comms team!!

  • Example: Creating a well-documented and rehearsed incident response plan that outlines actions in the event of a breach.

  • Implementation: Some organizations have a dedicated incident response team that conducts regular tabletop exercises to simulate cyberattacks and improve their response to actual incidents.

Backup and disaster recovery

  • Yes, I know, disaster recovery is a fundamental item, but how often is recovery actually tested? Verify your backups (that they restore, not just that the backup job reported success) and run tabletop exercises to find areas of improvement.

  • Example: Implement regular data backups and ensure disaster recovery processes are in place to restore operations quickly. A critical item is to go beyond short test recoveries of a single file or VM. See if you can recover an entire application stack (data, configuration, and the identity and network dependencies it needs to start) and measure how long it takes against your recovery time objective.

  • Implementation: Cloud platforms provide built-in snapshot and backup services, but they are not a recovery plan on their own. Keep at least one copy that production credentials cannot modify or delete (immutable or offline storage, separate account), since ransomware operators target backups first, and restore from that copy on a schedule so you know recovery actually works.
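Backup verification is easy to automate, and automating it is what keeps it from being skipped. The script below is an added example, not from the original article: it checks a backup set against a manifest for integrity (SHA-256), completeness (every expected object present) and recency (newest good copy within an assumed 24-hour RPO). The manifest layout and the sample backup set it builds are constructed for illustration. A passing hash check is necessary but not sufficient; it tells you the files are intact, not that the application comes back up, which is why the full-stack restore drill above still matters.

```python
"""Backup-set verification: integrity, completeness and recency (RPO) checks.
Added example, not from the original article. The manifest format and the
sample backup set are constructed assumptions for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)  # assumed recovery point objective


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backup archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_backup_set(backup_dir, manifest, now, rpo=RPO):
    """Check every manifest entry: present, hash matches, newest good copy
    within the RPO. Returns a dict so callers can act on each failure class."""
    result = {"verified": [], "missing": [], "corrupt": [], "stale": False}
    newest = None
    for entry in manifest["files"]:
        path = os.path.join(backup_dir, entry["name"])
        if not os.path.exists(path):
            result["missing"].append(entry["name"])
            continue
        if sha256_file(path) != entry["sha256"]:
            result["corrupt"].append(entry["name"])
            continue
        result["verified"].append(entry["name"])
        taken = datetime.fromisoformat(entry["taken_at"])
        newest = taken if newest is None or taken > newest else newest
    # No intact backup at all, or the newest intact one is older than the RPO
    result["stale"] = newest is None or (now - newest) > rpo
    result["ok"] = not (result["missing"] or result["corrupt"] or result["stale"])
    return result


def build_sample_set(tmpdir, now):
    """Constructed sample: three backups listed in the manifest, one altered
    after the manifest was written, one that never reached the store."""
    files = {
        "db-full.sql.gz": b"fake full dump",
        "app-config.tar": b"fake config archive",
        "uploads.tar": b"fake uploads archive",
    }
    manifest = {"files": []}
    for i, (name, data) in enumerate(files.items()):
        with open(os.path.join(tmpdir, name), "wb") as f:
            f.write(data)
        manifest["files"].append({
            "name": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "taken_at": (now - timedelta(hours=2 + i)).isoformat(),
        })
    # Simulate bit rot or tampering on one object and loss of another
    with open(os.path.join(tmpdir, "app-config.tar"), "ab") as f:
        f.write(b"x")
    os.remove(os.path.join(tmpdir, "uploads.tar"))
    with open(os.path.join(tmpdir, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def run_demo(hours_later=0):
    """Build the sample set at a fixed time and verify it hours_later on."""
    taken = datetime(2024, 11, 15, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmpdir:
        manifest = build_sample_set(tmpdir, taken)
        return verify_backup_set(tmpdir, manifest, taken + timedelta(hours=hours_later))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it on a real store by pointing `verify_backup_set` at the backup directory and the manifest your backup job writes; wire the result into monitoring so that a non-empty `missing` or `corrupt` list, or `stale` being true, pages someone instead of sitting in a log.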

Network segmentation

  • It may seem old school, but network segmentation is a key pillar of any cyber resiliency strategy. Engage your network team on this one.

  • Example: Isolate critical systems from less-sensitive networks through network segmentation, to limit the impact of a breach.

  • Implementation: Manufacturing companies use network segmentation to separate critical infrastructure such as operational technology and IoT systems from other business networks, so that a compromised workstation cannot move laterally onto the plant floor.

Zero trust architecture

  • Review employee remote access and third-party solutions and move to modern technologies to reduce exposure of critical assets.

  • Example: Adopt a zero trust security model that requires continuous verification for all users and devices, regardless of their location.

  • Implementation: Consider ZTNA technology, where every access request to a corporate resource is authenticated and authorized individually based on user identity and device posture, minimizing the risk of unauthorized access and lateral movement.

Adapt and learn from incidents

  • Perhaps the most critical aspect to any cyber-resiliency program is understanding how humans respond and learn from incidents. Run post-incident tabletop exercises and retrospectives and make sure to distribute the learnings broadly!

  • Example: Continuously improve defenses by learning from past incidents and updating processes accordingly.

  • Implementation: Treat every incident (and every tabletop) as a source of lessons: record what failed and what worked, turn each finding into a tracked action item, and follow through with improved security measures and additional safeguards for infrastructure.

Cyber resiliency is all about preparing for both known and unknown threats, minimizing the impact of incidents, and ensuring the business can operate in the face of a cyberattack or outage. If you’ve not started down the path of understanding how this framework can help your business, now is the time to start your own program.