To remain competitive in the face of cyberattacks, companies must ensure the security of their applications, networks, and business processes. But traditional security methods are no longer enough to ward off today's complex attacks. Many enterprises are turning to new resilience strategies to safeguard their business operations before, during, and after cyberattacks.
We asked seven experts to share their advice on how organizations can go from a traditional security strategy to cyber-resilient operations. Here's what they had to say.
1. Build a solid security culture
Going from traditional security to cyber resilience requires a mindset shift about every application that you deploy. Applications span the web, mobile, or the Internet of Things, and each externally facing application is an enticing treat that an attacker cannot resist.
Approach securing your applications holistically. This involves building a solid security culture that educates developers about secure coding, inventories all applications, assesses all third-party/open-source software for vulnerabilities, and tracks and protects any exposed API endpoints.
A cyber-resilient organization relies on a mature secure development lifecycle, ensuring that security is distributed equally and rigorously to each application. Threat modeling is at the center of cyber resilience, assessing every application, minimizing any discovered threats, and eliminating unnecessary attack surfaces.
Cyber resilience also requires nimble software organizations with the capability to patch known vulnerabilities within minutes; secure DevOps is how you deploy applications quickly and securely.
—Chris Romeo, CEO and co-founder of Security Journey
2. Consider detection and response capabilities
Cyber resilience formalizes a couple of key ideas that have been around information security for a while. First, not all threats can be prevented by security tooling, and thus, security risk mitigation must incorporate an approach that more equally weights detection and response capabilities.
Second, business continuity concepts have a place in information security planning. It's not an entirely novel concept; availability is a part of classic security models, such as the CIA triad (confidentiality, integrity, and availability). When I was a chief information security officer, I was also quickly made the head of business continuity; my CIO at the time recognized the overlapping concerns of the two disciplines.
The discussion of advanced threats a few years ago brought home the concept that preventive security solutions—those that automatically prevent active security threats—were going to be evaded by an advanced or persistent adversary. Thus, security teams needed to also think critically about, and give more serious weight to, detection and response capabilities.
A company unfortunately can't stand still during and after an attack, so security teams need to ensure that services are either resilient enough to keep running or at the very least degrade gracefully and can be quickly recovered. That includes, but is not limited to, considering how redundancy, failover, and backup in the technology architecture will respond to specific security incidents—for example, a denial of service. But this also requires planning around available incident response skill sets and processes.
—Daniel Kennedy, research director, information security and networking, 451 Research
3. Embrace a zero-trust approach
The pandemic has forever changed the ways that work gets done. In addition to location flexibility, today's workforce demands choice in the applications and devices they rely on to do their best work. To keep the workforce optimally productive and engaged, IT needs to provide flexibility—but not at the expense of security.
By embracing a comprehensive zero-trust-based strategy, the right balance can be achieved. With the guiding principle that all trust must be earned, zero trust upends outdated trusted device, network, and user security models. Every access and usage request must be scrutinized to be continuously situationally aware and contextually risk-appropriate.
In embracing a zero-trust approach, IT can increase cyber resilience and position the organization for success.
—Kurt Roemer, chief security strategist, Citrix
4. Build security into every code release
DevOps is all about "building in" security for code releases and release processes. This is opposed to the traditional approach of security being an afterthought because, due to the pace of rapid software innovation in the cloud and agile arenas, there's no time afterwards to worry about security.
To help ensure a safe operating environment, things such as zero trust come to mind. Also consider:
- Good credential management; avoid/detect leakage
- Vulnerability management; manage certificate expiration, vulnerability discovery/patching, etc.
- Release process maturity; secure code repositories, change management, etc.
—David Stuart, senior director of product, ZeroFOX
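The first bullet above, avoiding and detecting credential leakage, is the one a release pipeline can check mechanically. The script below is an added example (not code from the article or from ZeroFOX): it scans a constructed set of config/CI-log lines for known credential shapes (the publicly documented AWS `AKIA...` and GitHub `ghp_...` prefixes), for assignments whose key name suggests a secret, and for long high-entropy values, while skipping `${ENV_VAR}` references that are the intended way to inject secrets. Findings are redacted so the scanner's own output does not re-leak what it found. The sample lines, thresholds and keyword list are assumptions for illustration.

```python
import math
import re

# Constructed sample lines resembling a config file or CI log. Every credential-looking
# value is made up (the AKIA... key is AWS's own documented placeholder example).
SAMPLE_LINES = [
    "db_host = db.internal.example",
    "db_password = hunter2",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "token: ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "api_key = ${API_KEY}",
    "log_level = debug",
    "session_secret = 4f9a1c7e2b8d6e0a3c5f7b9d1e2a4c6e",
]

# Shapes of well-known credential formats (publicly documented prefixes and lengths).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
}

# "key = value" or "key: value" assignments, with optional quotes around the value.
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*['\"]?([^'\"\s]+)['\"]?\s*$")
# Key names that indicate the value is meant to be secret (assumed list).
SECRET_WORDS = ("password", "passwd", "secret", "token", "api_key", "apikey", "private_key")
# Values that reference an env var or secret store rather than holding the secret itself.
PLACEHOLDER = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")


def shannon_entropy(s):
    """Bits of entropy per character; random hex/base64 material scores well above prose."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep only a short prefix so a finding can be triaged without re-leaking the secret."""
    return value[:4] + "..." if len(value) > 4 else "***"


def scan_lines(lines):
    """Return findings as (line_number, reason, redacted_value) tuples."""
    findings = []
    for idx, line in enumerate(lines, start=1):
        for name, pattern in KNOWN_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append((idx, name, redact(m.group(0))))
                break
        else:
            # No known credential shape on this line: fall back to key-name and entropy checks.
            m = ASSIGNMENT.match(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2)
            if PLACEHOLDER.match(value):
                continue  # env var / vault reference: the expected pattern, not a leak
            if any(word in key.lower() for word in SECRET_WORDS):
                findings.append((idx, "secret-named key", redact(value)))
            elif len(value) >= 20 and shannon_entropy(value) > 3.5:
                findings.append((idx, "high-entropy value", redact(value)))
    return findings


if __name__ == "__main__":
    for line_no, reason, hint in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {reason} ({hint})")
```

Run as a pre-commit or CI step, a non-empty result should fail the build; the entropy branch catches unnamed secrets that the keyword list misses, at the cost of some false positives on hashes and UUIDs, which is why each finding carries its reason for quick triage.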
5. Make cyber resilience part of your digital transformation effort
Transitioning from traditional security practices to a cyber-resilient posture must be part of an overall digital transformation effort.
First, this is a strategic change, not a reporting-chain reorganization. This evolution will affect nearly every aspect of people, process, technology, and culture across the organization. While some change will occur from the bottom up, executive leadership must set the tone for where the organization is headed and the culture in which it will operate while it's getting there.
Second, you must approach it with a flexible two-year plan. Over that time, not only will you uncover different views of risk, risk appetite, risk tolerance, and risk management, but those views will also change over time—and implementation flexibility will be critical to success.
Third, everyone must understand that you can't buy cyber resilience. It's not an enterprise product, a SaaS offering, or anything else that you can just bolt on to your existing organization. Similar to the way we've approached "build security in" and "shift left" for software security over the years, we now need to "build resilience in" to many of the same skill building, process improvement, technology insertion, and culture shift efforts.
Finally, cyber resilience is—if you'll pardon the overused word—a journey, with successive destinations that each demonstrate a new level of maturity. Tracking this improvement requires solid business objectives, good key performance indicators and/or key results indicators, and integrated telemetry capture across every important business process.
Each organization's destinations will be different, but they must encompass acceptance of new testing methods, e.g., chaos, a rapid move to automate-first approaches, business-as-usual blameless post-mortems, and a healthy intolerance of systemic and repeated people, process, and technology errors.
—Sammy Migues, principal scientist, Synopsys Software Integrity Group
6. Enforce the principle of least privilege
When I think about traditional security versus cyber resilience, it's all about facing the inevitable. Mandiant is the first company I heard, probably back in 2008, telling us that "compromise is inevitable"—and it has shaped my thinking ever since. How can an organization withstand a compromise without breaking the business? Lately, I've been thinking about this from an identity security perspective.
This year, we did a joint survey with Tag Cyber revealing that over-privileged accounts are involved with two-thirds of breaches. If we can ensure that an identity has only the exact entitlements it needs to have—and nothing more—we're going to limit the blast radius if (or when) that account is compromised.
We're investing heavily in machine-learning technology to automate this because there's no way that humans (or human-driven spreadsheets) can keep up with the volume of accounts, resources, SaaS apps, contractors, cloud systems, etc. in the modern enterprise.
—Grady Summers, executive vice president of product, SailPoint
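The entitlement review described above (an identity holds exactly what it needs, nothing more) can be started with a simple granted-versus-exercised comparison before any machine learning is involved. The following is an added example, not code from the article or from SailPoint: it takes a constructed entitlement inventory and a constructed access log for a review window, lists unused entitlements per identity, singles out unused high-risk ones, and quantifies how much the blast radius would shrink if only exercised entitlements were kept. The identities, entitlement names, the high-risk set and the log are assumptions for illustration.

```python
from collections import defaultdict

# Constructed inventory: identity -> entitlements currently granted.
GRANTED = {
    "svc-billing": {"billing:read", "billing:write", "hr:read", "iam:admin"},
    "alice": {"billing:read", "hr:read"},
    "contractor-42": {"repo:read", "repo:write", "prod:deploy", "billing:read"},
}

# Constructed access log for the review window: (identity, entitlement exercised).
USAGE_LOG = [
    ("svc-billing", "billing:read"),
    ("svc-billing", "billing:write"),
    ("alice", "billing:read"),
    ("alice", "hr:read"),
    ("contractor-42", "repo:read"),
    ("contractor-42", "repo:write"),
]

# Entitlements whose mere possession widens the blast radius of a compromised account
# (assumed set; in practice derived from the organization's own risk ranking).
HIGH_RISK = {"iam:admin", "prod:deploy"}


def used_entitlements(log):
    """Collapse the log into identity -> set of entitlements actually exercised."""
    used = defaultdict(set)
    for identity, entitlement in log:
        used[identity].add(entitlement)
    return used


def review(granted, log):
    """Per-identity review: what was granted but never used, and which of that is high risk."""
    used = used_entitlements(log)
    report = {}
    for identity, entitlements in granted.items():
        unused = entitlements - used.get(identity, set())
        report[identity] = {
            "unused": sorted(unused),
            "high_risk_unused": sorted(unused & HIGH_RISK),
            "over_privileged": bool(unused),
        }
    return report


def proposed_grants(granted, log):
    """Least-privilege proposal: keep only entitlements exercised in the window.

    Caveat: a usage window misses rare but legitimate actions (quarterly jobs,
    break-glass roles), so this is review input for an owner to confirm, not an
    automatic revocation.
    """
    used = used_entitlements(log)
    return {identity: entitlements & used.get(identity, set())
            for identity, entitlements in granted.items()}


def blast_radius(granted, log):
    """Total entitlements an attacker could inherit across all identities, before and after."""
    before = sum(len(e) for e in granted.values())
    after = sum(len(e) for e in proposed_grants(granted, log).values())
    return before, after


if __name__ == "__main__":
    for identity, result in review(GRANTED, USAGE_LOG).items():
        flag = "OVER-PRIVILEGED" if result["over_privileged"] else "ok"
        print(f"{identity}: {flag}; unused={result['unused']}; "
              f"high-risk unused={result['high_risk_unused']}")
    print("blast radius before/after:", blast_radius(GRANTED, USAGE_LOG))
```

The high-risk list matters because an unused `iam:admin` entitlement is not just clutter: it is the difference between a compromised billing service account and a compromised tenant.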
7. Develop strategies that encompass protection, response, and recovery
To become resilient, organizations need to build strategies that encompass protection, response, and recovery.
The National Institute of Standards and Technology's cybersecurity framework, which is one of the most popular security frameworks, calls out identify, protect, detect, respond, and recover. But for many, the recovery aspect is an afterthought.
You need more than an incident-response plan and a good backup as your cyber-resilience strategy. Organizations need to build resilience into their designs, leveraging data replication, redundancy, vaults, and other controls that can help them recover when it all tips over—because chances are that will happen. One of the most interesting exercises is to place your technology into the NIST cybersecurity framework buckets and understand whether your security controls are lopsided, by asking yourself:
- Is your focus purely on prevention?
- Are you able to use capabilities such as cyber vaults to complement ransomware protection with resilience?
No security control is foolproof, so a security control should be complemented by layers of controls, including a strategy for how the organization will recover if all the security controls are bypassed. We see time and time again with ransomware attacks that a single user error can bring down an organization's operations.
Not having the ability to operationally recover in the face of growing cybercriminal activity and cyberwar shows a lack of good security architecture. We must change the way that we design our security and how we budget for security to ensure that our investment is not being made based on the fallacy that our security controls cannot be bypassed.
We must shift left, not only with security controls but with resilience, so our infrastructure must be designed to withstand attacks and be resilient to them. Cybersecurity refers to the company's capability to protect and avoid damage. Cyber resilience is the ability to respond and to recover, which is what everyone should be striving for.
—Sushila Nair, vice president of security services, NTT DATA Services
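The exercise suggested above, placing each control into a NIST Cybersecurity Framework bucket and checking whether the portfolio is lopsided, is small enough to script for a control inventory. This is an added example, not code from the article or from NTT DATA Services: it maps a constructed list of controls to the five CSF functions named in the text, computes the share of controls per function, and reports functions with no coverage and any function (typically "protect") that dominates the portfolio. The control names, their mapping and the 50% dominance threshold are assumptions for illustration.

```python
# The five functions of the NIST Cybersecurity Framework as named in the article.
CSF_FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")

# Constructed control inventory: (control, CSF function it primarily serves).
# A real inventory would come from the organization's control register.
CONTROLS = [
    ("asset inventory", "identify"),
    ("network firewall", "protect"),
    ("endpoint protection", "protect"),
    ("multi-factor authentication", "protect"),
    ("email filtering", "protect"),
    ("web application firewall", "protect"),
    ("SIEM alerting", "detect"),
    ("incident response playbooks", "respond"),
]


def coverage(controls):
    """Count controls per CSF function, rejecting mappings outside the five functions."""
    counts = {function: 0 for function in CSF_FUNCTIONS}
    for name, function in controls:
        if function not in counts:
            raise ValueError(f"{name!r} mapped to unknown CSF function {function!r}")
        counts[function] += 1
    return counts


def shares(controls):
    """Fraction of the portfolio in each function, rounded for reporting."""
    counts = coverage(controls)
    total = sum(counts.values())
    return {function: round(count / total, 2) for function, count in counts.items()}


def lopsided(controls, max_share=0.5):
    """Findings that answer the article's two questions: is the focus purely on
    prevention, and is there anything on the recovery side at all?"""
    counts = coverage(controls)
    total = sum(counts.values())
    findings = []
    for function in CSF_FUNCTIONS:
        if counts[function] == 0:
            findings.append(f"no controls mapped to '{function}'")
    dominant = max(CSF_FUNCTIONS, key=lambda f: counts[f])
    if counts[dominant] / total > max_share:
        findings.append(f"'{dominant}' holds {counts[dominant]}/{total} controls (>{max_share:.0%})")
    return findings


if __name__ == "__main__":
    print("coverage by function:", shares(CONTROLS))
    for finding in lopsided(CONTROLS):
        print("finding:", finding)
```

Adding a single "offline backup vault" control under "recover" removes the empty-bucket finding but not the dominance finding, which is the point of the exercise: the spend has to move, not just the checklist.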