03 Mar Cyber Resilience: Prepare, Prepare, Prepare
An Industry Think Tank Collaborates on Cyber Resilience
A SPECIAL REPORT FROM THE EDITORS AT CYBERSECURITY VENTURES
Mimecast hosted a cyber resilience ‘Think Tank’ at the San Francisco NASDAQ Center during RSA Conference 2017. Led by Mimecast’s CTO, Neil Murray, and moderated by Venable’s Managing Director of Cybersecurity Services, Ari Schwartz, security thought leaders from various industries joined in one room to network and share the challenges enterprises face today with cyber resilience. As organizations work to adopt a more cyber resilient strategy, there was consensus among the peers in the room that the diversity of the attack must equal the diversity of the defense. This report intends to speak as a unified voice for the group who participated in the first Think Tank of its kind.
– Steve Morgan, Editor-in-Chief, and Marina Krakovsky, Guest Contributor
Menlo Park, Calif. – Apr. 25, 2017
Organizations of all sizes are increasingly relying on networked devices to manage information and provide essential services. At the same time, major computing trends, particularly the rise of cloud computing, pose new threats. In response to the shifting landscape, many cybersecurity professionals have called for “cyber resilience,” a new way of thinking about managing cyber threats. “Cyber resilience is broader than security,” explains Ari Schwartz, former director of cybersecurity for the White House and currently the managing director of cybersecurity services for Venable LLC. “Cyber resilience has to cover things that aren’t security threats but are threats to availability—like rats eating through cables,” he says.
At the recent RSA Conference in San Francisco, a coalition of cybersecurity professionals took an early step toward cyber resilience by meeting to hash out a definition of the term, and to discuss challenges and possible solutions to the problem. Organized by Mimecast, the cloud-based email management provider, the meeting was moderated by Schwartz.
Cyber Resilience: An organization’s capacity to adapt to adverse cyber events—whether the events are external or internal, malicious or unintentional—in ways that maintain the confidentiality, integrity, and availability of whatever data and service are important to the organization.
This definition combines five key elements:
- The psychological definition of resilience, or the notion of bouncing back from adverse events. As Malcolm Harkins, Chief Security and Trust Officer of Cylance Inc, put it in the meeting, “You’ll have adverse events”—that part is inevitable—“but you’re able to bounce back” says Harkins, who was previously the first Chief Security and Privacy Officer at Intel, where he spent 23 years. That capacity to adapt encompasses all the resources the organization has prepared to respond appropriately.
- The CIA triad — confidentiality, integrity, and availability — prized by cybersecurity experts, is a model designed to guide policies for information security within an organization. The model is also sometimes referred to as the AIC triad (availability, integrity and confidentiality) to avoid confusion with the Central Intelligence Agency.
- The recognition that adverse cyber events events–sudden events threatening the organization’s computing resources–don’t always come from the outside and aren’t necessarily malevolent. They might stem from human error on the part of an IT employee or from a city-wide power failure.
- The idea that confidentiality, integrity, and availability mean different things to different organizations—and may include services that are not digital. For a hotel, for example, availability of an essential service is guests’ continuing ability to check in to their rooms even if keycards fail, said Helen Rabe, Head of Information Security for UK-based Costa Coffee.
- The embodiment of preparedness. Not only do organizations need to plan and be prepared, they need to thoroughly test their plans. It is only through testing that the learning becomes more real and adjustments can be made for stronger resilience when an actual incident occurs.
The definition is broad enough to encompass many types of organizations and threats—and concrete enough to suggest specific strategies and tactics. It comes down to protecting the organization from cyber-attacks, having data available if systems are down for whatever reason, and keeping the operation running.
“Here in San Diego, all our city departments now rely on computer networks,” says Gary Hayslip, Chief Information Security Officer for the City of San Diego, the eighth largest city in the United States. “Some, like fire and police, must be up 24/7, and of course residents expect them to continue to provide services even if a system is down. So if a fire breaks out in the middle of the night, the fire department has to be able to quickly send out emergency crews even if there’s been a malware attack or a network outage or whatever. That ability to continue to provide services is the bottom line in cyber resilience, and it’s something every city should be thinking about,” adds Hayslip, who is co-author of the popular book CISO Desk Reference Guide, a practical guide for CISOs.
Many of the challenges to achieving cyber resilience stem from organizations’ increasing use of cloud computing. Instead of having data and software on the premises, which gave cybersecurity officers direct control over securing their organizations’ data and software, organizations of all sizes have increasingly turned to software-as-a-service (SaaS) providers, particularly giants like Microsoft, NetSuite, and Salesforce. They’re also using Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) providers, such as Amazon Web Services (AWS) and Microsoft Windows Azure. Centralization of computing through these de facto monopolies create what security professionals call a “monoculture” of service, with all the vulnerabilities that term implies. A ubiquitous service like Microsoft Office 365, for example, is not only an attractive target for infection (as Microsoft products long have been)—it also constitutes a single point of failure in any organization that relies on it to the exclusion of alternatives. Quite simply, when organizations make exclusive use of one provider for a given service, they’re putting all their eggs in one basket. Even if the probability of a cyber attack on a SaaS provider is low, the material impact on customers and on the organization as a whole could be quite high.
In theory, powerful cloud computing providers care about security more than anyone. What’s more, their use of proprietary security mechanisms means that hackers can’t get their hands on the tools to learn their weaknesses, as Chris Wysopal, the CTO and co-founder of application security provider Veracode pointed out. Unfortunately, the security of cloud software remains opaque to benign users, as well. As a result, cybersecurity professionals cannot test and benchmark how secure these systems really are. For example, cybersecurity professionals can only assume that the providers’ data practices are solid enough to back up and properly recover lost data. But without an independent backup source, there’s no way to verify the integrity of any data that’s been recovered. “In SaaS environments, we’re in a trusting phase,” says Neil Murray, the Chief Technology Officer of Mimecast. “If you’re just checking the data against itself, you’re in a fool’s paradise.”
A fool’s paradise is an apt description of the current state of affairs more generally: although cloud-based providers typically use at best a shared responsibility model, it is all too easy for organizations to abdicate full responsibility to those providers.
Additional challenges to building cyber resilience include:
- Cyber attacks going deeper and deeper, through viruses that infect firmware, not just software
- A monoculture of hardware, with a high percentage of organizations using Intel processors
- Lack of a standards body for security
As always, the diversity of cybersecurity threats calls for a diversity of defense. In addition, the notion of cyber resilience recognizes that some cyber events (such as internal and non-malicious threats to availability of service) aren’t security threats in the conventional sense. Therefore, achieving cyber resilience requires a broader set of solutions than traditional cybersecurity approaches offer. In particular, cyber resilience will require some combination of the following:
- Revised risk models that take into account the changes brought about by recent changes to the computing ecosystem, particularly the move from on-premises computing to the cloud
- Risk models that incorporate risk of non-malicious threats (from power outages to rats eating through cables)
- CISOs reaching agreement with their organization’s executive team on the risks and outcomes relevant to the organization, thereby maintaining trust even in the face of adverse events
- Technological solutions, such as a better set of shared APIs
- Incident response planning and exercising
- Employee and user education, such as training employees to recognize and safely respond to suspicious emails
- Distributing risk and ensuring continuity of service by having secondary vendors to call upon when services provided by primary vendors are down
- Thinking through what confidentiality, integrity, and availability mean for your particular organization, so that you can continue to provide essential services even when digital services aren’t working
- A discussion about whether SaaS providers should constitute a critical infrastructure sector in the eyes of the Department of Homeland Security, a classification that would subject them to heightened regulatory oversight
- Deeper involvement by multiple players beyond the CISO office
A recurring theme at the Think Tank was that organizations are not as prepared as they should be for hacks, data breaches, and other cyber threats.
“When I asked the Think Tank participants “How many have incident response plans”, most, if not every hand in the room, went up” says Schwartz. “When I followed up by asking them “How many of you test your plan regularly and update it accordingly?” the majority of hands went down. This is consistent with anecdotal evidence that I have seen in the field that many companies draft a plan and do not exercise it and, many of those who do regular exercises, do not update their incident response plan based on what they learn. The Think Tank participants, even those that have not updated their plans recently, agreed that planning is essential to improve resilience. It is important to regularly exercise the plans and update them based on lessons learned from that exercise.”
An industry expert with vast incident response experience corroborates Schwartz’s assertion. “Despite the importance that our civilization generally assigns to proper preparation – the Boy Scout and Girl Scout motto taught to our children from a young age is even “Be Prepared!” – most modern organizations do not adequately prepare for cybersecurity incidents, and thereby put themselves at serious risk” says Joseph Steinberg, a cybersecurity columnist for Inc. Magazine.
“Somehow, lessons from the physical world have not carried over to the cyber-realm” adds Steinberg, who is one of only 28 people worldwide to hold the suite of advanced information security certifications, CISSP, ISSAP, ISSMP, and CSSLP, indicating that he possesses a rare, robust knowledge of information security that is both broad and deep.
Steinberg, author of the official study textbook for the CISSP-ISSMP exam used to certify CISOs, says “It is common knowledge, for example, that militaries and law enforcement personnel plan and train extensively so that they are properly prepared when facing physical attackers, yet, in the cyber world, so many organizations that think that they are cyber-resilient don’t recognize the critical need for establishing proper incident-response plans and practicing their execution, instead relying on their various team members to somehow “wing it” when a security incident occurs. We know how that often turns out – and it isn’t pretty.”
Steinberg concurs with the Think Tank participants: Preparation is an essential element of cyber resilience, and one that is all too often left out.
The world’s most famous hacker shares the potentially catastrophic consequences of not planning and testing, and of not involving all of an organization’s employees in their so-called cyber resilience strategy.
“Can your business be hacked by a 14-year-old with a lot of time?” asks Kevin Mitnick, Chief Hacking Officer at KnowBe4, a leading security awareness training provider. “One sure way to find out is to actually test your security controls, but not limiting the test to only your technology. In my experience, people have always been the weak link when it comes to security. A simple spearing phishing attack can compromise your assets, or worse, lead to watching your company’s security incident on the headline news. It’s a no brainer to build a resilient security program, your people need up-to-date security training and most importantly, to be inoculated by experiencing the types of tricks the bad guys use first hand. That’s why it’s important to test your employees by hacking them.”
Mitnick isn’t jesting about teenage hackers. The Breach Diary and Hack Blotter, published quarterly by Cybersecurity Ventures, are dotted with teenagers — amongst others — who are continuously committing cyber crimes against unprepared organizations globally.
Cybercrime damages are predicted to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. Weak cyber resilience due to widespread lack of planning, testing, and employee training, contributes greatly to the cost damages.
In an era of ubiquitous computing networks, organizations need to address cyber-related risks beyond traditional cybersecurity threats. Cloud computing solves some security problems but introduces new ones, making cyber resilience more challenging — yet more important — than ever.
The quest for cyber resilience is aptly summed up by a CISO at one of the world’s largest banking and financial services corporations, echoing the Think Tank’s sentiment.
“Cybersecurity touches every facet of an organization today; consequently, cyber resilience can no longer be something that is done as a secondary feature of an organization’s strategy” says Rich Baich, CISO, Wells Fargo. “With customer expectations of constant online access only rising, resiliency considerations are transforming the traditional cybersecurity defensive mindset into one focused on business enablement as it becomes part of an organization’s DNA” adds Baich, who has held several executive security positions within the public and private sectors, including Deloitte and Touche LLP, Pricewaterhouse Coopers LLP, ChoicePoint, and the FBI, and previously served in the United States Navy for 20 years as an Information Warfare Officer, Cryptology Officer, and Surface Warfare Officer.
– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.
– Marina Krakovsky is a Silicon Valley-based social science and business journalist with a degree from Stanford University. Her articles and essays have appeared in Discover, the New York Times Magazine, Scientific American and Scientific American Mind, O, The Oprah Magazine, Psychology Today, Slate, FastCompany, Stanford Magazine, the Washington Post, Wired, and more.
RSA Conference 2017 Cyber Resilience Think Tank Members:
- Matt Crouse, Director, Information Security & Compliance, Lucky Brand, LLC
- Joe Gajdosik, Director of IT Security, Curtiss-Wright Corporation
- Jason Gunnoe, Chief Information Security Officer, Bridgestone Tires
- Cathy Hammond, Chief Security Architect, Teleflex
- Jim Hansen, COO, PhishMe
- Gary Hayslip, Chief Information Security Officer, City of San Diego
- Ed Jennings, COO, Mimecast
- Joel Lowe, Head of Information Security, Sonic Automotive
- Neil Murray, Chief Technology Officer, Mimecast
- Phil Owen, Global Head of Information Security, IHS Markit
- Helen Rabe, Head of Information Security, Costa Coffee
- Brian Reed, Chief Product Officer, ZeroFox
- John Sapp Jr., Director, IT Security & Controls, Information Security Officer, Orthofix, Inc.
- Ari Schwartz, Managing Director of Cybersecurity Services, Think Tank Moderator, Venable, LLC
- Maurice Stebila, IT Security, Compliance & Privacy Office, Harman International Industries
- Chris Wysopal, CTO & Co-Founder, Veracode
The cyber resilience ‘Think Tank’ was held at the San Francisco NASDAQ Center during RSA Conference 2017.