I very much like the idea to move from protection to resilience. If you buy into the idea that it’s not a question if you get breached but only when then this is a very sensible approach in my opinion. My thoughts on this from a presentation at ISC2 are summarized here https://www.computerweekly.com/news/4500256057/Security-needs-to-shift-to-resilience-says-consultant. Therefore a recent article on the 6 steps to reach cyber resilience caught my interest. It looks at the topic in the scope of modernization efforts for federal agencies.
While I think it’s an interesting read in general I don’t quite agree with all the points the author makes:
Be brilliant at the basics That includes routine maintenance tasks, such as patches, updates, and access permissions.
Of course this is very important but at the same time this is a very hard problem that almost no company gets right completely, Patching and updating is very difficult to do in a larger organsiation where inevitably some systems are not really known, have no clear responsibles or are so old and brittle that nobody dares to touch them. Hence I don’t agree that this is the first step when moving to a resilient stance. On the contrary I think you need to base your strategy on admitting that you can’t be brilliant enough to protect everything.
Embrace the cloud for security /With the cloud, agencies can take advantage of elastic workloads, multizone computing, and multicloud strategies that make it exponentially more difficult for adversaries to find and harm them/
Embracing the cloud is in general the way to go. If multicloud provides additional security, I’m not so sure.
Implement data-centric security /Techniques such as encryption, tokenization, segmentation, throttle access, marking, tagging, strong identity and access management, and automated access decisions help ensure data security is embedded in day-to-day operations./
This is a very important aspect in particular if combined with a move to cloud. In the cloud traditional network security becomes less and less important whereas identity and access management help a lot.
Demand application security by design /Adopt DevSecOps practices and use automated scanning and testing to continually identify potential vulnerabilities. Consider applying polymorphic coding techniques to constantly shape-shift the application attack surface to frustrate and raise the cost for the adversary./
Automation and Infrastructure as code go a long way to reduce confguration drift or manual configuration mistakes, They also help rebuilding systems after an attack and make it easier to identify attacker’s changes to a system. In itself this does not provide application security by design. This demands that security people understand enough of the programming languages and application frameworks in use to help the DevOps teams buld secure software. Then again; the move to resiliency includes the assumption of failure and successful attack.
Leverage software-defined networking /Adversaries can’t attack what they can’t find. Software-defined networking enables agencies to constantly shape-shift their networks, sending adversaries on wild goose chases./
This sounds too much like security by obscurity.
Engage in proactive defense. Apply artificial intelligence and security automation and orchestration tools to detect and act at machine speed. Constantly probe and pressure test the IT environment to find vulnerabilities before attackers do. Fully leverage threat intelligence to better know the adversary and focus on the most important threats.
A lot of this can and should be done even without buzzwords like artificial intelligence. Regular testing of your processes is crucial to survive serious attacks and that’s what cyber resilience is all about in my opinion.
Most of these topics are good advise but I think they miss some crucial points:
- you can’t secure everything: where do you start? I’d recommend to figure out where the most sensitive data resides and start improving their protection.
- invest in detective controls: what do you need to spot an ongoing attack? This is a broad topic ranging from security monitoring tools to security incident processes.
- incidents happ: does everyone know how to react? Test processes regularly