Relationships Matter on the Road to Cyber Resiliency
There is no doubt that breaches, ransomware, and cyber-attacks are on the rise, year after year. The SolarWinds, Microsoft Exchange Server and the Colonial Pipeline incidents are unfortunate proof that no organization, small or large, is safe from hacks and attacks.
Organizations of all sizes, across all industries, face the consequences of operating in a connected world where technology is changing rapidly and cyber-attacks arrive with increasing speed, fury, and sophistication. The days of the script kiddie in a parent's basement playing around for fun are long gone. Today, sophisticated nation-state attackers and criminal organizations have the economic means to get whatever they want if they are willing to play the long game. Adversaries use advanced techniques and adopt new technologies and automation. It also means that sophisticated tooling is often weaponized and sold on the dark web, for pennies on the dollar, to criminals who lack the technical capability or funding to build it themselves.
Meanwhile, organizations are reliant on web applications, operate with hybrid data centers on-premises and in the cloud, and are expected to have shorter development cycles with fewer resources. This is why it’s become even more important to focus on cyber resiliency. Corporate data and key business processes are at risk from external threat actors, insiders, and technology disruptions.
Cyber resiliency means accepting not only that we will be attacked, but planning how to deal with those attacks in a way that keeps the business running. To achieve cyber resiliency, the organization must have unprecedented visibility and insight into its infrastructure's true interconnectedness: the relationships and dependencies between and among users, applications, networks, and infrastructure, as well as how and where those applications are being accessed and used.
The Colonial Pipeline breach in particular demonstrates that cyber resiliency is required to maintain business operations even in the midst of an attack. What we are seeing today with Colonial Pipeline, however, is an organization that cannot continue business operations. This is why a cyber resiliency strategy should be a priority for every organization: it enables the organization to pivot quickly in response to disruptive cyber events.
Four Cyber Resiliency Goals from Mitre
According to the Cyber Resiliency Engineering Framework by Mitre, “the need for cyber resiliency – for information and communications systems and those who depend on them to be resilient in the face of persistent, stealthy, and sophisticated attacks focused on cyber resources – is increasingly recognized. The relatively new discipline of cyber resiliency engineering has been defined by the need to meet the challenge of how to evolve architectures, cyber resources, and operational processes to provide cost-effective cyber resiliency.” This framework is important because business functions, organizations, critical infrastructures, and nations are increasingly dependent on cyberspace and must be able to protect their infrastructure before, during and after an attack.
The framework I will discuss here, which the author refers to as the Bodeau Resiliency Framework (after its lead author, Deborah J. Bodeau, et al.), outlines four cyber resiliency goals: 1) Anticipate, 2) Withstand, 3) Recover, and 4) Evolve. To accomplish these goals, a cyber resilient organization needs to mature its cybersecurity program capabilities. Read on to learn how to pursue each of the four goals with Application Relationship Management in mind.
To anticipate and prevent successful attacks, you must understand the cyber battlespace: know the adversary, know your network, and understand cyber effects, so that attackers can be prevented from, or at least delayed in, getting into the network and establishing a foothold.
The first step toward anticipating attacks is therefore knowledge of your own IT environment. It may sound simple, but the larger and more complex the environment, the harder it is to know where all your assets are, what they do, and what application interdependencies they carry.
Your IT network may be large and flat or highly segmented. It may include business units, on-premises and cloud data centers and cloud-based commercial services such as Microsoft 365, Salesforce, and Workday. Legacy applications may appear to be a mystery, with many connections to other applications, services, and databases. It can be difficult to find accurate application diagrams of the various required communications.
The interconnectedness of all these applications is almost too complicated for a human to comprehend, yet organizations remain overly reliant on disparate, siloed, poorly connected network infrastructure and cybersecurity tools to manage, protect, and secure their operations.
Without a thorough knowledge of your IT environment, you cannot effectively apply security controls to mitigate the risk of business disruption from cyber incidents. To limit access to what is appropriate and trusted, consider technology that provides visibility into actual traffic, so that you can identify normal communication patterns and, from them, decide what should be allowed.
To withstand is to be able to continue essential mission and business functions despite the successful execution of an attack by an adversary. Organizations rely on applications, and applications and systems have vulnerabilities that adversaries can exploit. Good cyber hygiene and patch management go a long way toward addressing vulnerabilities once they are discovered. The reality, however, is that many business applications and special-purpose systems cannot simply be patched when a new vulnerability is disclosed. Upgrades take time and money and need adequate testing. Sometimes there are valid reasons why business owners cannot quickly patch and upgrade. So, in addition to a complex IT environment, there are many vulnerabilities that may exist at any given time.
Isolating these systems may seem like a logical solution. However, locking down communications to and from vulnerable systems carries the risk of breaking critical dependencies. The technology you deploy should permit trusted communications and protect established business processes while blocking untrusted connections. This kind of orchestrated segmentation must draw on sources of truth about your network, systems, and identities in order to automate the creation of rule sets in an intelligent and dynamic fashion.
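The following is an added worked example, not code from the article or from any ARM product, illustrating the three steps the preceding paragraphs describe and the policy-deviation detection discussed later under Application Relationship Management: learn the application dependency map from observed flows, derive an allow-list segmentation policy from it using an asset inventory as the source of truth, and then check later traffic against that policy. The IP addresses, application names, flow records and the `INVENTORY` table are all constructed for the example, and the `min_count` threshold is an assumed design choice, not something the article specifies.

```python
"""
Added example: dependency mapping -> allow-list derivation -> deviation check.
All addresses, application names and flow records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: the "source of truth" that segmentation rules
# should be generated from, mapping IP -> (application, environment).
INVENTORY = {
    "10.1.0.10": ("web-frontend", "dmz"),
    "10.1.0.11": ("web-frontend", "dmz"),
    "10.2.0.20": ("order-api", "app"),
    "10.3.0.30": ("orders-db", "data"),
    "10.3.0.31": ("erp-legacy", "data"),  # unpatchable legacy system
    "10.9.0.99": ("jump-host", "mgmt"),
}

# Constructed flow records from a learning window: "src dst dport proto".
BASELINE_FLOWS = """
10.1.0.10 10.2.0.20 8443 tcp
10.1.0.11 10.2.0.20 8443 tcp
10.2.0.20 10.3.0.30 5432 tcp
10.2.0.20 10.3.0.30 5432 tcp
10.9.0.99 10.3.0.31 22 tcp
"""

# Constructed flow records observed after the policy is in place.
LATER_FLOWS = """
10.2.0.20 10.3.0.30 5432 tcp
10.1.0.10 10.3.0.30 5432 tcp
192.168.50.7 10.3.0.31 445 tcp
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse the simple constructed flow format into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def app_of(ip):
    """Resolve an IP to its application; unknown IPs get their own bucket."""
    return INVENTORY.get(ip, (f"unknown:{ip}", "unknown"))[0]


def build_dependency_map(flows):
    """Aggregate flows into application-level edges with observation counts."""
    deps = defaultdict(int)
    for f in flows:
        deps[(app_of(f.src), app_of(f.dst), f.dport, f.proto)] += 1
    return dict(deps)


def derive_allow_rules(deps, min_count=2):
    """Promote repeatedly observed edges to allow rules.

    Edges seen only once (an ad hoc admin session, a misconfiguration) are
    deliberately not trusted automatically; they surface for human review.
    """
    return {edge for edge, n in deps.items() if n >= min_count}


def render_rules(rules):
    """Human-readable allow-list for review before enforcement."""
    return sorted(f"allow {s} -> {d} {p}/{port}" for s, d, port, p in rules)


def check_flows(flows, rules):
    """Return (flow, reason) for each flow not covered by the allow-list."""
    findings = []
    for f in flows:
        src_app, dst_app = app_of(f.src), app_of(f.dst)
        if (src_app, dst_app, f.dport, f.proto) in rules:
            continue
        unknown = src_app.startswith("unknown:") or dst_app.startswith("unknown:")
        findings.append((f, "unknown-asset" if unknown else "new-dependency"))
    return findings


if __name__ == "__main__":
    rules = derive_allow_rules(build_dependency_map(parse_flows(BASELINE_FLOWS)))
    print("\n".join(render_rules(rules)))
    for flow, reason in check_flows(parse_flows(LATER_FLOWS), rules):
        print(f"{reason}: {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Run as written, the learning window yields two allow rules (web-frontend to order-api on tcp/8443 and order-api to orders-db on tcp/5432); the single jump-host SSH session to the legacy ERP system is left out for review rather than silently whitelisted. Of the later flows, the database connection from the API tier is allowed, the web tier talking directly to the database is flagged as a new dependency (a path that bypasses the application tier and is worth investigating), and the SMB connection from an address absent from the inventory is flagged as an unknown asset. Grouping by application rather than by IP is what keeps the rules stable when a second front-end host appears.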
To recover is to restore mission and business functions to the maximum extent possible after the successful execution of an attack by an adversary. The Recover goal in this framework is designed to help develop and implement strategies and activities that maintain business continuity. In addition to knowing your IT environment and the vulnerabilities that exist in it, you need to identify (and protect) business-critical systems and data. When you use threat intelligence to understand new attacks that exploit newly disclosed vulnerabilities, knowing what is business-critical helps you prioritize your response. Being able to quickly bring layered defenses to bear and respond effectively requires several things. Many organizations run a diverse set of IT and security products from multiple vendors that need to share data and work well together; in reality they are often disparate, siloed, and poorly integrated, which makes it difficult to respond quickly and in an orchestrated way to a cyber threat.
The ability to withstand and recover from disruptive events requires more than technology. It also requires staff who are well-prepared to respond and communicate effectively. People, processes, and technology all have a role to play in building a cyber resilient organization.
While it may sound like an industry buzzword, many organizations are implementing a Zero Trust security model. Under this model nothing is trusted by default because of where it sits on the network; every access request is verified before access is granted, based on the identity of the user and the device and on other risk factors such as location. Organizations adopt this strategy to control user access to the network, systems, and applications, and to gain real-time visibility across their IT environment.
The final resiliency goal is to evolve: to adapt business functions and the capabilities that support them so that adverse impacts from actual or predicted adversary attacks are minimized and the organization can recover fully and maintain business continuity. Simply put, you cannot deploy a bunch of security technology and sit back. The threat landscape is always growing and evolving. Likewise, the IT environment and its trust relationships are dynamic. Every process needs to be continuously assessed and improved, and every technology that gets deployed needs to adapt to keep up with these changes.
Most IT and security organizations have poor or limited visibility into their enterprise's true interconnectedness: the relationships and dependencies between and among users, applications, networks, and infrastructure, as well as how and where those applications are being accessed and used. These blind spots undermine understanding of policy intent and consistency across environments, and of whether applications exist that are not being protected or accessed as they should be.
Thus, relationships matter on the road to cyber resiliency. To fully grasp security and operational risk, enterprises must understand the totality of the relationships among users, applications, and workloads. You need complete visibility to know what the assets are, what their dependencies are, what state they are in, and what is connected to what, in order to make accurate data-driven decisions. You need automation to act on those decisions quickly and to further minimize operational and financial consequences.
Achieving Cyber Resiliency with Application Relationship Management
With an Application Relationship Management (ARM) approach, enterprises can gain unprecedented real-time visibility into, and control over, all their applications across every environment in pursuit of the four cyber resiliency goals above.
ARM lies at the intersection of applications and users—and the dynamic relationships and interactions between and among them. With ARM, organizations can fully understand the totality of interactions or communication between applications, workloads, and identities. The continuous ability to identify assets and their dependencies, protect those assets with personalized policies, and detect deviations from those policies also creates the foundation for scalable deployments of Zero Trust. With this greater operational understanding and confidence, ARM enables organizations to make better and faster decisions that significantly improve business performance, cyber resiliency and security.
To learn more how Application Relationship Management can help your organization meet these four cyber resiliency goals, download the Application Relationship Management Overview brief here.
About John D. Johnson, Ph.D., CISSP, CRISC
John D. Johnson, Ph.D., has more than 25 years of information security leadership experience across federal and various industry segments, developed the CISO executive certificate program with University of Chicago, Booth School of Management and has taught graduate cybersecurity for 16 years. John is currently Cybersecurity Leader for a large consumer manufacturing company. He was previously Senior Manager at Deloitte, focused on IoT and industrial cybersecurity. Prior to that, John was a Security Architect at John Deere for 18 years. John has been active with the Chicago CISO community for many years and is a founding board member and advisor for several non-profits and technology companies, including Docent Institute, a 501(c)(3) research and education foundation which focuses on the intersection of society with cybersecurity and emerging technologies and cybersecurity outreach and education for K-12 and the community.