It’s near the end of 2020 and amidst COVID-19 challenges, the need for cyber resiliency is top of mind. Our capacity to recover from physical and emotional health issues and economic fallout is being tested on a broad stage. In the Security space, we are extending our conversations about resiliency to include reclaiming control of an organization’s cyber presence. An onslaught of new hacks and attacks was injected during the scramble this year as companies retooled for more virtual business, and people switched to work from home, increase their online shopping, and shift every possible activity to virtual mode. The need to regroup and reassess cyber health is as important as re-establishing an organization’s core business. The NIST Special Publication 800-160 Volume 2, on Developing Cyber Resilient Systems, predated the COVID pandemic but could not have been more timely for security professionals. In the security space too, we need a new normal.
In Volume 2, NIST defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” It is more than cyber security, which generally intends to protect networks, devices, and data from attack or unauthorized access. It’s an admission that security measures will fault, and organizations need to continue to operate. Given the dependence of business on cyber resources, cyber resiliency is the merging of cyber security and business continuity planning.
Regardless of the system or business process in question, two baseline attributes are integral to cyber resiliency. First, cyber resilient systems are characterized by having built-in protective measures inherent in the solution, ensuring that mission essential functions carry on. That means to achieve cyber resilience, your systems and solutions must be ready for an attack before the attack happens. Secondly, cyber resilient systems must account for Advanced Persistent Threats (APT). That is, we need to assume that traditional security measures have or will be breached, and that bad actors have the patience and resources to wait for the opportune moment to attack. The fact that APTs remain so prevalent and dangerous twenty years after they emerged, and the industry needs a new framework to talk about them, defines the magnitude of their insidiousness. A new security normal is necessary indeed.
NIST compares cyber resilient systems to the human body that has self-repair systems to recover from illness and injury. Security is a person wearing a mask to reduce the risk of catching a virus…resiliency is the working of the human body’s immune system to recover from illness and return to a healthy, or at least functioning, state. In the same way that white blood cells might be considered the core element of the human body’s immune system as they travel through the bloodstream, encrypted data may be considered a key component for cyber resiliency as data traverses the enterprise.
When sensitive or regulated data is encrypted upon ingest, for example when clicking “submit” on an application form, and remains encrypted during transit to its intended destination, as well as when stored in its at-rest state, data security becomes inherent in that ecosystem. Regardless of where or when an attempt is made to inappropriately access that data, it is “ready for an attack” because it was never decrypted and thus not vulnerable. Format-preserving encryption is the technology that enables this characteristic of cyber resiliency since the data can be utilized by applications, and referenced by database queries and analytics, all the while remaining protected. Format-preserving encryption is also key to withstanding APTs, the second key characteristic of cyber resiliency. As an example, a bad actor trying to gain access to resources via previously stolen credentials, can strike and steal data from a variety of sources, but it is of no value and cannot be monetized since the data is protected in all those sources. The cyber resilient approach provided by format-preserving encryption enables an organization to withstand an attempted data breach and neutralize the impact of breach.
Many success metrics for cyber security are defined around how quickly a breach can be detected and a response mobilized. For cyber resiliency, success is defined by the cyber immunity established in the organization and the speed and capacity for business to rebound when issues occur. As the concept of cyber resiliency gains more attention and as best practices evolve, it seems clear that an emphasis on a comprehensive data security strategy that keeps business processes moving forward will remain a core tenet of a cyber resilient organization.