The Gartner Risk conference was the first commercial conference of the more than dozen I have attended this year where resiliency was a core focus, from the opening keynote onwards. Perhaps the event’s proximity to DC was a factor, since in the Defense Community cyber resiliency has almost replaced cyber security as the core mission focus.
The agenda at Gartner included multiple sessions on resiliency and came on the heels of a series of notes published on the topic. NIST also released a draft of their new guidelines for cyber resiliency (800-160 Vol 2.) earlier this spring. It is one of the most forward-thinking documents on both the strategy and implementation of cyber resiliency. At over 150 pages, the NIST guide can be a bit much to take down in one sitting, but I would highlight in particular the 14 specific tactics for adding resiliency to computer systems.
So why resiliency now?
Resiliency can, at its most basic, be defined as “hard to kill.” Whereas security tries to stop anything bad from happening, resiliency focuses on how quickly a system can respond to bad things happening and assure survival and success even in the toughest circumstances.
As modern cyber systems begin to rival biological systems in complexity, it is not surprising then that strategies for defending cyber environments are evolving to follow the methods nature has used to defend biological ones.
Living organisms, like their silicon counterparts are often individually very fragile, but when viewed at an ecosystem level are incredibly resilient. That resiliency relies on a number of factors which can and should be replicated in cyber systems.
A few strategies to aid resiliency:
1. Be Dynamic.
Living things virtually never stop moving, on both a micro and macro level. Computer systems, until only recently, have been static systems using static defenses. Attackers on the other hand have been dynamic changing methods and means to penetrate and compromise systems. The balance is now beginning to shift with forward looking system architects embracing dynamism to create more adaptive and resilient systems. The tools to do this are multiple. Virtualization in particular offering some of the most promising areas to create systems that shift and change constantly.
To give a practical example, VPNs are fairly ubiquitous in enterprise environments. And yet, they create a static profile, a known point to attack. We’ve heard from customers that using their corporate VPN on untrusted networks paints a target on their back rather than protect their transmissions. Why not introduce dynamism into that VPN access point? Instead of connecting to a single point, connect to a new one each day.
2. Plan for regeneration
A single organism in an ecosystem may be vulnerable and fragile, but a species does not depend on a single organism to survive. Species rely on constant death and rebirth to protect themselves, with death used as a means to isolate diseases that might threaten the overall health of a population. In cyber systems, automation coupled with virtualization is unlocking the ability to have computer systems that are constantly refreshing, rebuilding themselves on a regular schedule or when triggered by an event.One area we’ve seen advancements in this theory is virtual desktops. Security conscious companies are purposefully destroying virtual desktops every evening and providing fresh, updated instances for their employees in the morning.
3. Create diversity.
Biological systems are remarkably diverse both within and across species. These differences allow for life to survive a wide range of circumstances from the freezing depths of the oceans to the arid heat of the desert. In engineering systems, there is a strong desire to standardize processes and elements to produce economies of scale and process improvement. Yet now we need to construct more complex systems which need to survive in uncertain and hostile conditions. Incorporating diversity creates systems that are both more resilient to attack, and more easily able to adapt to changing circumstances. Some of the best designed systems provide for multiple means to accomplish a task.
One simple way to implement diversity is to wrap unpatched or legacy systems. For example, if you are concerned with how best to protect that Windows 2003 server in your environment, start by inserting an access layer between it and the rest of the world. Even better, make that layer use a Unix operating system. Now to penetrate that 2003 server your attacker needs to first break through an entirely different operating system, which has the latest patches and security updates.
Does resiliency improve security?
Yes. The hardest things to kill are those that are proactive in their defensive posture. They exist where you do not expect them to, and shift without hindering their ability to function at an optimal level. Moreover, a resilient system is often micro-segmented such that when issues arise, they only concern a small part of the whole, and do not have the ability to spread laterally.
Making Cyber Resiliency a Reality
Theory is great, but how can organizations implement these strategies in practice? It’s easier than you think, and the team at Dispel has been helping organizations around the world become more resilient to survive and thrive in these challenging times. If you’re ready to start, give us a call or shoot us an email.
Scaling Trust and Resilience-Cut the Noise and Enable Action, Ramon Krikken, Craig Lawson, & Katell Thielmann, State of Organizational Resilience 2018 Mark Thomas Jaggers & Roberta Witty ↩︎
Organizational Resilience Is More Than Just the Latest Trends Roberta Witty & Mark Thomas Jaggers, Delivering Resilience and Recoverability for Distributed Transactions Poses a Whole New Challenge Andy Kyte, Rick Greenwald, Stefan Van Der Zijden and Deacon D.K. Wan ↩︎