DATA PROTECTION
Your Ultimate Guide to Cyber Resilience
If someone knocks you down, how quickly can you get back up? If you’re resilient, you can be on your feet in no time. Computer systems and networks have their own version of this quality. It’s called cyber resilience, a term that refers to the ability to recover quickly from disruptions caused by cyberattacks and other outages. This article explores the nature of cyber resilience and how you can apply the concept to your organization.
Understanding Cyber Resilience
Cyber resilience is a term with a wide array of applications and its definitions might change depending on the context. It’s worth taking the time to define cyber resilience, discuss how it’s different from cyber security, and think about why it matters today.
What is Cyber Resilience?
There are two key ways to define cyber resilience. The official definition, per the Obama administration’s Presidential Policy Directive PPD-21, is “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions.” The US Federal Government’s Cybersecurity & Infrastructure Security Agency (CISA) published the Cyber Resilience Review (CRR) framework, which enables an organization to “develop an understanding of its ability to manage cyber risk during normal operations and times of operational stress and crisis.”
The framework advertises benefits that include “an improved organization-wide awareness of the need for effective cybersecurity management; a review of capabilities most important to ensuring the continuity of critical services during times of operational stress and crisis.”
Symantec has a cyber resilience framework with five pillars: Prepare/Identify, Protect, Detect, Respond, and Recover. And, the National Institute of Standards and Technology (NIST) has its Special Publication 800-160, which offers a framework for the engineering of systems that are secure and reliable.
Practically, cyber resilience comprises the disparate things organizations do to make sure our networks, applications, and data rebound from outages as quickly as possible. It combines business continuity, cybersecurity, and organizational factors like cross-department cooperation and executive sponsorship. The goal is to maintain the ability to function and deliver desired business outcomes despite disruptive events. Specifically, it means little if any downtime between the incident and resumption of normal business operations. This involves preparation, detection, and prevention, too, as sometimes the best resiliency is the kind you never have to use.
Three elements of cyber resilience stand out for attention:
Defense in depth—Resilience comes partly from a strong cyber defense. A defense in depth strategy creates layers of protection around critical systems and data. For example, with defense in depth, you might combine strict access control rules with multi-factor authentication (MFA), as well as network segmentation and a “least privilege” policy to reduce the risk of unauthorized access and lateral movement. From a cyber resilience perspective, the goal of defense in depth is twofold: reduce the risk of an attack from occurring and, if there is an attack, reduce the impact by limiting exposure.
Secure backups—Backups are essential for resilience. Indeed, you could argue that without backups, there is no such thing as resiliency. However, those backups themselves must be well secured. Targeting of backup files is a known tactic in ransomware attacks, for example. If your backups are vulnerable to threats, they may be rendered useless when you need them most.
Affordable protection—Cyber resilience has to be affordable. Chances are, some of it is already included in your existing budget, such as backup software. The goal should be to make the workload economical so it doesn’t become a target for budget cuts.
Cyber Resilience vs. Cybersecurity
How is cyber resilience different from cybersecurity? The two are related and overlap to some extent, but they are distinct from one another. Cybersecurity is about protecting digital assets from threats. It involves a range of processes, policies, and technologies that have the collective goal of reducing cyber risk exposure.
Cyber resilience is about recovering from a cyberattack. It may incorporate aspects of business continuity and disaster recovery (DR). In certain contexts, like the NIST Cyber Security Framework (NIST CSF), resilience connects directly to cybersecurity functions. In NIST CSF, resilience comes under the “Recover” function.
The Importance of Cyber Resilience in Today's Digital Age
Two intersecting trends make cyber resilience more important than ever. From one direction, companies—indeed society itself—is growing increasingly digital. Consumers have expectations of constant, uninterrupted connectivity to their data, devices, and services. Lapses in service can be costly in reputational terms, as well as financially.
At the same time, the threat environment grows ever more severe. Ransomware attacks have increased in frequency and potency. Advanced persistent threats (APTs), some launched by nation state actors, expose businesses to risks of data breach and disruption. Successful attacks seem inevitable, given the asymmetrical nature of the conflict between attackers and defenders. When an attack comes, reputation and business outcomes depend on fast, precise recovery.
global webinar
Unified Secure Data Protection for M365 and Beyond: Wasabi + Veritas Backup Exec
The Building Blocks of Cyber Resilience
With all of this in mind, what does it take to establish cyber resilience? NIST offers some suggestions. Beyond that, it’s important to note that cyber resilience is a capability that arises from a choreography between people, policies, processes, and technologies. It’s not a push-button solution. Rather, it takes focus on the issue to develop an approach that will work for your organization based on your unique cyber resilience needs and IT estate.
NIST’s Recommended Resilience Techniques
Highlights of cyber resilience techniques recommended in NIST 800-160 include:
Adaptive response—Optimizing your responsive capabilities to match the severity and response time requirements of a given disruption.
Analytic monitoring—Monitoring networks and systems to detect threats on a timely and actionable basis.
Non-persistence—Setting up and sustaining digital assets on as-needed basis and, for a limited time, reducing the likelihood that an asset will be discovered and breached by a malicious actor.
Deception—Hiding assets or setting up misleading, confusing places in your infrastructure that can trick and trap adversaries, e.g., creating a “honey pot” for attackers.
Realignment—Minimizing connections between critical and non-critical systems, with the goal of reducing the probability that a failure of a non-critical system will disrupt crucial systems.
Diversity—Using more than one type of system with the goal of being heterogeneous, minimizing the potential to be exploited by common vulnerabilities, e.g., not using the same operating system/database stack for every system.
Dynamic positioning—Distributing and diversifying digital assets so it becomes difficult for an attacker to compromise all of them, e.g., placing assets in different geographies through cloud deployments.
Key Components That Define a Resilient Cyber Ecosystem
Another way to think of cyber resilience is as a capability that comes from an ecosystem. This ecosystem will necessarily overlap with existing cybersecurity operations and capabilities. To work, each of its components must function well on its own, and in concert with the others.
Cyber risk prioritization and management—Cyber resilience should be based on risk. Not every asset can have the same level of resiliency. The highest priority should go to assets that would lead to the worst business impacts if disrupted. This involves risk assessment, prioritization, and management.
Security teams—People make resiliency happen. For the resilient cyber ecosystem to work optimally, security analysts and other stakeholders need to understand their responsibilities for resiliency, e.g., initiating data recovery and system failovers, communicating with others, and so forth.
Security operations, incident response and recovery—Cyber resilience needs to be baked into security operations. This means integrating the systemic elements of resilience, such as cloud backups, into the security orchestration, automation and response (SOAR) solutions. Resiliency has to factor into incident response workflows and “playbooks,” e.g., procedures for restoring data and applications from cloud backup volumes.
Service Level Agreements (SLA), RPOs, and RTOs—Resiliency is about time. Usually, the faster the better. Specific details matter, though. A resilient ecosystem is one where each system has an SLA. Stakeholders understand the expectations for recovery time objectives (RTOs) and recovery point objectives (RPOs).
Continuous monitoring—Being resilient depends on knowing when there’s a problem to be addressed, the earlier in the attack chain the better. Continuous monitoring is essential, coupled with alerting systems that reach the right people or automated responses, such as automated remediation of vulnerabilities or quarantining of systems.
Response and recovery testing—Incident and response workflows are meaningless without testing. You don’t want to find out that your recovery is flawed when you’re dealing with a real outage. It’s imperative that you set up regular testing of data recovery and related cyber resilience processes.
Continuous change/continuous improvement—The factors that determine success for cyber resilience are not static. As system configurations and priorities inevitably shift over time, a best practice is to engage in regular updating of resilience workflows and policies. It’s wise to pursue a policy of continuous improvement, which typically requires regular assessments and exploration of how things could go better, or faster, the next time.
Leveraging Cloud Storage for Enhanced Cyber Resilience
The cloud has had a big impact on cyber resilience. There are many reasons for this, including the cloud’s unique speed of deployment, geographic diversity, and scalability. Storage arrays that used to take months or even years to procure and stand up can be set up in the cloud in minutes. And, there’s no capital expense (CapEx), another roadblock to establishing a resilient ecosystem on-premises.
Cloud backup and recovery has become a go-to solution for cyber resilience. Cloud object storage, for example, enables you to back up unstructured data such as documents or emails. Cloud storage pricing can be a little hard to navigate in some cases, however. Some vendors charge for data egress, for example. Choose a vendor like Wasabi with consistent pricing and no fees for egress.
Cloud storage cannot protect your data adequately on its own. Effective data protection for cyber resilience requires, at a minimum, some form of encryption. However, even encrypted data can be rendered useless by ransomware. The best approach is to implement immutable backups. As exemplified by Wasabi’s S3 Object Lock, immutable storage involves the use of cryptographic hashes to create a “logical air gap” that make it impossible for anyone to modify or delete data in storage. With an immutable cloud backup, your data is available for restoration in the event of an attack.
A Beginner's Guide to Establishing Cyber Resilience
How do you get from where you are to a truly resilient state? The good news is that you probably already have some or even most of the tools you need to achieve the goal. Remember the difference between cybersecurity and cyber resilience. Security is about protecting your digital assets. That’s important, of course, but you can have all sorts of security solutions in place and still not be resilient.
From a resiliency perspective, your cybersecurity team and solutions may be like an orchestra without a conductor or a musical score. The instruments and players are there, but they lack a coherent plan and direction. This section offers a guide to getting the various elements of your security environment to contribute to resiliency. You may need to get some new tools and develop new policies in the process.
What You Need to Get Started: Essential Resources and Tools
Before you can get started with cyber resilience, you have to have the right resources and tools available to get the job done. The specifics will vary from organization to organization but in general, you’ll want to make sure you’re outfitted with the following:
Threat intelligence (ThreatIntel) capabilities—Being resilient means being able to respond quickly and effectively to cyber threats. Or, better, being able to prevent incidents by mitigating those threats before they affect your operations. Threat intelligence is the process of analyzing threat data from different sources to get a full view of the threat landscape. This may involve scanning your IT estate, both on premises and in the cloud, for evidence of potential threats. You may utilize security information and event management (SIEM) systems, intrusion detection systems (IDS), or firewalls in the process. Additionally, ThreatIntel may mean reviewing threat data from external sources like information sharing and analysis centers (ISACs), which collect and disseminate threat information.
Endpoint security—Your endpoints are the front line of your cyber defense. This attack surface has expanded dramatically in this era of hybrid work and bring-your-own-device (BYOD) policies. Resiliency in the form of incident prevention requires strong endpoint security. You probably already have some resources in this area, such as endpoint detection and response (EDR) solutions and some form of behavior-based analysis of endpoints to detect attacks early in their early stages. These solutions may have the ability to quarantine infected endpoints and reduce the spread of an attack.
Incident response capabilities—You likely already have incident response processes in place. The question to ask is whether they are geared to cybersecurity outcomes or resilience outcomes. Many incident response processes are designed to limit the “blast radius” of an attack and determine the cause of the attack, forensically. This is valuable and necessary, but these process steps may not have a specific objective of returning a system to functioning in a defined timeframe. In some cases, a targeted system might be offline for days or weeks. Resiliency requires failover and the proven availability of backup systems.
Backup and DR capabilities—Thorough backup and DR capabilities are a core requirement for cyber resilience. Best practices in this regard include policies like the “3-2-1” backup strategy, which places three copies of data on two different types of media, e.g., solid state drive and tape, one of which is stored offsite. DR strategies may involve processes like the creation of mirror sites that provide instant failover. Testing of such systems and processes should be mandatory and occur regularly. On a related note, it’s a good practice to check on your vendors’ cyber resilience. You may be dependent on a third party’s reliable systemic function, and it’s not smart to assume that they have the level of resilience you need to run your business.
Step 1: Assessing Your Current Cyber Resilience Posture
With all of these tools under consideration, the question then becomes “How well are we doing with cyber resilience now?” To answer, you need to conduct a cyber resilience assessment. This involves identifying risk exposure and vulnerabilities that you have in your IT estate. Implicit in this process is the identification of critical assets, which is covered in Step 2 below. In practice, these two steps may overlap and be performed simultaneously.
For each critical system, it is necessary to determine its risk exposure and vulnerabilities, the impact of an outage, and the existing capabilities for recovery. How quickly can your critical systems be restored? If the restoration time frame is too long, that indicates that your cyber resilience posture is not strong. Your next task is to identify the security and resilience gaps that are preventing you from having good cyber resilience posture—and coming up with a plan to remediate them.
Step 2: Identifying Critical Assets and Data for Priority Cyber Resilience Measures
Not every system, data repository, and network asset requires the same level of cyber resilience attention. For instance, if your intranet goes down, does it matter if it takes half a day to restore it? It’s not ideal, but your operations will survive. In contrast, if you run an e-commerce business, an outage for your shopping platform will be disastrous for business, in both income and brand reputation terms. The e-commerce system should get higher priority for cyber resilience. The process of identifying critical assets and data for cyber resilience measures should render a prioritized list, with the most critical assets flagged for attention first.
Step 3: Implementing a Layered Security Strategy
As best practices have evolved, it is apparent that a “layered security strategy” is optimal for achieving cyber resilience. It’s impossible to implement the same level of resilience for every digital asset. Rather, the most critical systems deserve the highest degree of resilience. Operationalizing this idea is about establishing cyber resilience policies that affect incident response protocols.
For example, if System A, deemed critical, is taken down by an attack, the protocol should be for the security team to activate a backup instance, or take steps to restore its functionality and data. The execution of this process may be automated. The design of systems factors into resilience, as well. For example, a critical system may have an architecture that includes failover mechanisms and “hot” backup instances.
Redundancy and segmentation also contribute to a cyber resilient organization. Critical systems should ideally run on multiple protected instances, each in a separate geography. The cloud makes achieving this goal relatively easy. Segmentation involves separating system elements based on criticality, so the breach of one system element does not lead to a breach of any connected parts.
Implementing a layered security strategy for cyber resilience is also very much an organizational challenge. Success comes from aligning the organization with the strategy. This might mean, for example, establishing executive leadership to support the cyber resilience objective. An executive sponsor can emphasize how important resilience is to the business and use his or her authority to get agreement from various teams on realizing the resilience policies.
Step 4: Developing a Response and Recovery Plan
The cyber resilience strategy comes together in the form of a well thought-through response and recovery plan. This plan may vary by system, based on criticality, but in most cases, the plan will tie into security operations, security systems, and teams. The security operations center (SOC) is the central command post for any response and recovery processes. Testing the plan is also highly recommended, with real life tests, e.g., the CIO actually picking up the phone and calling the emergency contact name shown on the plan. You’d be surprised how many gaps and errors can be revealed through a live test.
Overcoming Challenges in Cyber Resilience
Making cyber resilience a success is not easy. Challenges abound, though most can be overcome. Cyber resilience is an area of IT that’s seldom perfect. There is always room for improvement, so it’s best to celebrate successes while assessing what could go better next time and planning accordingly. Thorough and regular testing should reveal any gaps in your plan, so keep at it until the whole process runs smoothly.
Evolving Cyber Threat Landscape
One challenge for resiliency is the evolving nature of the threat landscape. Our adversaries do not rest. They are always working on new modes of attack designed to take us down. In some cases, that means invading our systems from the inside, such as with “supply chain” attacks that implant malware into software code in the development process. These attacks are difficult to detect and require rapid response.
Phishing attacks also work from the inside. They rely on internal organization members mistaking malicious communications for benign ones. For this reason, it's crucial to include cybersecurity training for the entire organization in your cyber resilience plan.
Resource Constraints and Complexity of IT Systems
A further challenge is the simple and inevitable limit of resources. There is not endless budget for cyber resilience. Whatever you do in the name of cyber resilience, it has to be economical and focused on protecting the most critical digital assets. The complexity of those assets can also work against you. Setting up mirror sites, for instance, grows difficult as the system’s complexity increases.
Future Trends in Cyber Resilience for Cloud Storage
The future is looking interesting for cyber resilience. The pace of innovation provides security teams with new tools and paradigms they can leverage to improve resilience. The use of artificial intelligence (AI), already a staple of cybersecurity, promises improvements in resiliency processes. For example, with generative AI (GenAI), an incident response system can automatically write notifications to stakeholders, saving human analysts time.
Zero Trust Architecture
The advent of the zero-trust architecture (ZTA) also holds promise for cyber resiliency, in preventative terms. This security framework distrusts all users by default. Every grant of access is based on a verification of the user’s identity. And, access is as narrow as possible, an extreme version of the principle of “least privilege.” With ZTA, the likelihood of an incident occurring goes down.
Conclusion
Cyber resilience, whether you approach the concept through official frameworks or practical planning and execution, is an essential goal for a business in the digital age. The stakes are too high to remain vulnerable to attacks that would take your operations offline for too long a time. Cyber resilience comprises the strategies, policies, and technological tools you need to be able to recover your systems in the event of an outage.
Many elements contribute to cyber resilience success, from encryption and deception to ZTA, and more. Robust backup and recovery are among the most important, especially the immutable backups and logical air gaps made possible by vendors like Wasabi. They enable you to protect your most critical data assets from attack and restore them quickly in the event of a disruption.
More to discover
Knowledge is the best defense against the event of a cyber attack. Arm yourself with strategies and guides from storage experts.
Frequently Asked Questions
The first step is to assess your level of cyber resilience posture. Once you understand the tools and resources you have on hand, it is necessary to figure out where the gaps are and fill them, e.g., deploying a security orchestration automation and response (SOAR) solution if you don’t have one.
Cloud storage helps with cyber resilience by providing fast and easy-to-implement offsite storage that’s highly scalable. When combined with immutable backup technology, the cloud contributes to very effective cyber resiliency.
Yes — using predictably priced cloud storage from Wasabi can eliminate egress fees, which drive up the cost of a cyber resilience solution for many small businesses.
Your cyber resilience plan should be consistently tested and improved, but a yearly audit is an acceptable minimum threshold.
If you have a thorough cyber resilience plan in place, the immediate actions following an attack may occur automatically. Otherwise, isolating any infected systems and starting up backup or mirror systems should be your immediate first steps.
Related article
Most Recent
Let’s dive into three key results from the white paper that illustrate the real-world value we deliver to our customers.
Wasabi enables our MSP partners to deliver greater value, bring in higher margins, and create more personalized offerings for clients.
Simplify your business processes and drive revenue growth with the combined solution of Wasabi, Veeam, and Probax.
SUBSCRIBE
Storage Insights from the Storage Experts
Storage insights sent direct to your inbox every other week.