Cyber security is very important, but to be sufficient alone it would have to be permanently unbreakable. No protection is flawless, and there must be measures in place for what happens when a breach occurs. Cyber security takes care of the before, but where it fails, cyber resilience takes care of the after.
Sanvada spoke to Doron Pinhas, an expert in the field and CTO of Continuity Software, to find out more.
Sanvada: Could you explain the difference between cyber security and cyber resilience?
DP: It’s all a matter of perspective and hype cycle. Historically, resilience was considered an aspect of cyber security as a whole (although coverage of the term in literature was rather limited). However, in recent years the trend has been reversed – as discussed below.
For decades, the working assumption of most organizations has been that with sufficient attention, preparation, tools and funds, they could stay ahead of hackers and prevent any and all intrusion attempts. This concept has completely shifted in the last few years, given the new emerging attack profiles, along with the rise in both the number of attacks and their success rate.
It is now expected that many attacks will succeed, potentially damaging corporate data and corrupting compute, application and network configuration. Therefore, more and more attention and focus has been diverted to developing new capabilities to guarantee that data, applications and configuration are well protected, archived and isolated, and that quick recovery mechanisms are put in place.
This has led to the coining of the term ‘cyber resilience’, which is starting to gain wider and wider acceptance as a subset of ‘traditional’ cyber security – [cyber resilience is being acknowledged] in online publications, security forums and industry standards institutes (e.g., NIST).
Sanvada: How can businesses continue to operate following a cyber attack or IT Outage?
DP: New security frameworks should be put in place to anticipate, withstand, isolate (once attacked) and recover. While some of these concepts have always been on the agenda of IT security officers, a new focus should be assigned toward building an effective recovery strategy by:
- Clearly mapping data assets, application assets, IT configuration and their dependencies
- Vaulting data and configuration, implementing tight control over access to archived data and, as much as possible, creating an “air gap” that prevents attackers from tampering with the data
- Identifying and assigning dedicated, isolated recovery infrastructure. For some enterprises this could take the form of revamping their Disaster Recovery infrastructure, and for others, leveraging the Public Cloud offering
- Implementing and automating rapid recovery processes, to meet expected recovery time objectives (RTOs)
- Putting in place mechanisms to continually audit and track the completeness and readiness of the above components, to minimize the risk of evolving “blind spots” and to allow for clear measurement, visibility and compliance reporting.
Sanvada: What new regulations could be implemented to help organizations ensure they can be back online quickly after an attack?
DP: With the public interest in mind and the realization that proper safeguards always come with a cost that some enterprises might over-optimize, regulation has always been a tool of choice for governments and international institutions.
Indeed, in order to protect the national and international economy and emergency infrastructure, there has been an increase in the activity regulators take to improve controls and predictability.
An example is the Advanced Notice of Proposed Rulemaking (ANPR) that the US OCC published earlier this year around Enhanced Cyber Risk Management Standards.