In cybersecurity, as in most jobs, problems don’t happen one at a time; you’re bound to have a few at once. Speakers at the RSA Conference 2021 talked about this in terms of maintaining cyber resilience in chaos. So, what does the buzzword ‘cyber resilience’ really mean? And why is it important to be able to embrace chaos in your day-to-day work?
Cyber attacks are on the rise. Between June 2019 and June 2020, the Ponemon Institute observed a 64% rise in the severity of digital attacks targeting businesses and agencies. It witnessed an even greater increase in the volume of digital attacks during the same period, at 67%.
Even so, none of that prevented defenders from achieving cyber resilience. According to the Ponemon Institute, the proportion of organizations that achieved a high level of cyber resilience increased by more than half from 35% in 2015 to 53% in 2020. The proportion with cybersecurity incident response plans also grew 44% over those five years.
What Is Cyber Resilience?
Cyber resilience means you’re capable of preventing, detecting, containing and responding to a variety of digital threats — at least to some degree. It isn’t binary, after all. It’s a spectrum not only of degree but of aptitude.
Rohit Ghai, CEO of RSA, put it this way in his keynote for RSA Conference 2021:
Being resilient is not good enough. We must be good at resilience. Resilience isn’t just about getting up when you fall. To be good at it, we must fall less often, withstand the fall better and rise up every time.
Ghai’s first point, falling less often, is challenging in light of changing network setups. Just take what’s happened with the cloud as an example. According to IDC, more than a third of organizations purchased over 30 different types of cloud services from 16+ vendors in 2019 alone. (That’s before the events of 2020.)
Such a distributed deployment landscape contributes to a sense of chaos regarding security ownership over different cloud apps and services. It could also explain why organizations don’t always take certain security processes into their own hands. Indeed, two-thirds of respondents in another survey said they relied on their cloud providers to ensure their baseline security, a position that puts them at even greater risk of data exfiltration and other attacks. Cyber resilience is a balance between too many tools and too few, and between too much attention paid to attacks and too little.
A Three-Pronged Approach to Security in Chaos
The chaos referenced above isn’t limited to the cloud. Machine and human actors are learning and working together across multiple environments, both cloud-based and on-premises. In the process, they’re using Internet of Things (IoT) products, containers and an expanding number of devices.
All this makes keeping your data safe more complex. It also raises an important question: how can you secure chaos?
Ghai gave the answer in his keynote:
You can’t. You don’t. You focus on resilience by embracing chaos. How? One, expect the unexpected. Two, trust no one. And three, compartmentalize failure zones.
How to Cut Down on Chaos
Here’s what cyber resilience looks like in practice. First, you need to have visibility of all your hardware and software, as well as network traffic. Knowing that, you can implement security controls to protect your most critical data and assets. You can then use penetration testing to see how those measures stand up against an actual attack.
As for the second point, some might say those who trust no one have zero trust. In this regard, organizations can use encryption, multi-factor authentication, the principle of least privilege and other security controls. Those help build the architecture needed for validating connection attempts on an ongoing basis. It’s important that they also focus on compartmentalizing failure zones as part of their zero-trust efforts. There’s no need for every asset to have access to the entire network, after all. With that in mind, organizations should use network segmentation to ensure that a potential device or account compromise doesn’t spread across their entire digital infrastructure.
Chaos isn’t something that defenders can control. It’s a state of nature, and as such, they can choose to fight against it or flow with it. Knowing where you stand with cyber resilience helps. By accepting the latter and embracing chaos, organizations can put themselves into a stable security position where they’re less inclined to fall going forward.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...