Improving resiliency helps organizations prepare and anticipate potential attacks, such as data breaches and other business disruptions, to ensure that systems, processes, and infrastructure are robust and adaptable. It also includes recovery efforts to mitigate adverse outcomes, such as downtime, reputational damage, and financial losses.
You may be asking yourself, isn’t this just describing an organization’s cybersecurity efforts? Yes and no. When it comes to cybersecurity, the terms we use are increasingly important. Often, they provide a shortcut for explaining complex problems.
Two terms that are often used interchangeably are cyber security and cyber resilience. However, the distinction will become increasingly important during 2024 and beyond.
Forbes1
There are certain words and phrases I now try to avoid, like “threat hunting” or “Zero Trust.” If I do need to use them, I start by establishing what the term means to the other party to avoid confusion.
It occurred to me that “cyber resilience” is becoming one of those phrases that needs defining. In this post, I’ll explain cyber resilience, its key components, and its importance. I’ll also outline how organizations can help improve their cyber resiliency by asking themselves five basic questions. Then, I’ll conclude the post by highlighting how leveraging real-time endpoint data centralized in one platform is essential in aligning teams using a single source of truth.
- Cyber resilience defined
- Key components of cyber resilience planning
- Why is cyber resiliency important?
- How can an organization improve its cyber resilience?
- Why resilient organizations need real-time endpoint visibility
- How Tanium supports improving cyber resilience
Cyber resilience defined
When I refer to cyber resilience, I mean an organization’s ability to continue meeting its objectives despite a debilitating cyberattack. Frankly, cyber resilience has more in common with disaster recovery strategy than with incident detection.

Cyber resilience means understanding your critical business processes and the machines that support them. This includes knowing what machines exist in your environment, which tools those business processes and your cybersecurity stack depend on, where those tools are deployed, and where pieces of your cybersecurity stack are missing.
Resilience measures are designed to ensure continuity of operations even in the wake of a successful breach. Developing the capability to recover in an agile manner while minimizing data loss and downtime will be a strategic priority in 2024.
Forbes1
Key components of cyber resilience planning
In my mind, a cyber resilience plan has several necessary components, and none of them creates a resilient system on its own.
- Incident response plan: Every organization should have a plan for remediating a breach: for example, who needs to be contacted and when. If the primary contact is a person, who is their designated backup if they are unavailable? If an external party is brought in for remediation, who contacts them and how? What reporting requirements apply in the case of a breach, who is responsible for determining whether the reporting threshold is met, and who does the actual reporting? If the incident does not rise to the level of a breach, what needs to happen, and who needs to be informed?
- Defense in depth: Having multiple layers of security is critical to your resiliency. Looking only at endpoint data means you are missing what network data or account-usage anomalies would show. Overlapping capabilities ensure that when one type of detection fails or is disabled, an adversary is not free to move through your computing environment.
- Critical asset lists: Understanding the criticality of assets in your environment is key knowledge for everyone involved in their defense. If a system must be failed over before it can be quarantined, anyone who can act on that machine needs to know it. Defenders can accidentally damage the business during everyday activity if that isn’t known beforehand.
- Continuous monitoring and detection: Monitoring your environment for malicious activity is critical. This is not just monitoring via your EDR, although that is part of it. Understanding what is normal for your environment and looking for changes to that baseline is a critical method in its own right. For example, looking at autostart entries and service state can reveal malicious activity that your EDR did not flag. It is also important to understand where your critical data is and where it should be. Many threats can be avoided by having data protection plans and knowing who has access to your data and what they are doing with it.
- Risk management: Understanding your risk is critical. This includes not just what your risk is but also how you choose to address it. Some risks will be mitigated, but others must be accepted or compensated for. This is where compliance checks, patch management, and vulnerability scans are critical to understanding your risk.
- Backup and recovery plan: Backing up your data is crucial. However, having a backup isn’t sufficient; a recovery plan is equally important. This plan should cover how you intend to restore the data and ensure the systems that rely on this data are operational and secured.
- Positioning of security stack: Not every tool will exist in every portion of your enterprise. OT systems may exist where your security tools cannot be deployed. Tools may not be deployed to appliances. Lightweight, “short-lived” containers and IoT devices may not be able to include the security stack. Understanding where pieces of your security stack are missing is critical for your security team, as they must compensate for the lack of tooling on those devices.
- Testing: Of course, developing processes and procedures is not enough. These procedures must be tested and validated periodically to ensure they work during a crisis and support an organization’s cyber resilience.
While designing a truly cyber-resilient system often feels like an almost impossible task, thinking through what a cyber resilience strategy needs and the steps that increase resiliency is still valuable for improving overall security posture and defense against cyber threats.
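The “continuous monitoring and detection” component above mentions comparing autostart entries and service state against a known-good baseline. The following is an added example of that comparison, written for this post; it is not Tanium code, and the two snapshots, the field names (host, kind, name, image, state) and the service name “SecurityAgent” are constructed assumptions standing in for what an endpoint inventory tool would return.

```python
"""Baseline diff of autostart entries and service state on an endpoint.

Added example for this post, not code from Tanium or the author. The two
snapshots below are constructed by hand to resemble what an endpoint
inventory returns; the field names (host, kind, name, image, state) and the
service name "SecurityAgent" are assumptions, not real product names.
"""
from dataclasses import dataclass

# Paths under these directories are writable by ordinary users, so an
# autostart or service image living there deserves a harder look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\windows\\temp\\", "\\users\\public\\")
# Assumed name of the security-stack service whose loss matters most.
SECURITY_STACK_SERVICES = {"SecurityAgent"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed baseline snapshot taken when the host was known-good. Note that
# OneDrive legitimately autostarts from AppData; because it is in the
# baseline, the diff will not alert on it.
BASELINE = [
    {"host": "ws01", "kind": "run_key", "name": "OneDrive",
     "image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "state": None},
    {"host": "ws01", "kind": "service", "name": "Spooler",
     "image": "C:\\Windows\\System32\\spoolsv.exe", "state": "running"},
    {"host": "ws01", "kind": "service", "name": "SecurityAgent",
     "image": "C:\\Program Files\\Vendor\\agent.exe", "state": "running"},
]

# Constructed current snapshot: one new Run key, one service whose binary
# moved into a temp directory, and the security agent no longer running.
CURRENT = [
    {"host": "ws01", "kind": "run_key", "name": "OneDrive",
     "image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "state": None},
    {"host": "ws01", "kind": "run_key", "name": "Updater",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\upd.exe", "state": None},
    {"host": "ws01", "kind": "service", "name": "Spooler",
     "image": "C:\\Windows\\Temp\\spoolsv.exe", "state": "running"},
    {"host": "ws01", "kind": "service", "name": "SecurityAgent",
     "image": "C:\\Program Files\\Vendor\\agent.exe", "state": "stopped"},
]


@dataclass
class Finding:
    host: str
    kind: str
    name: str
    change: str
    severity: str
    detail: str


def _key(entry):
    return (entry["host"], entry["kind"], entry["name"])


def _in_user_writable_path(image):
    low = (image or "").lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def diff_snapshots(baseline, current):
    """Return findings for entries that appeared, changed image, changed state, or vanished."""
    base = {_key(e): e for e in baseline}
    cur = {_key(e): e for e in current}
    findings = []
    for key, entry in cur.items():
        host, kind, name = key
        if key not in base:
            # A brand-new autostart is suspicious; more so from a user-writable path.
            sev = "high" if _in_user_writable_path(entry["image"]) else "medium"
            findings.append(Finding(host, kind, name, "new", sev, entry["image"]))
            continue
        old = base[key]
        if old["image"] != entry["image"]:
            # Same name, different binary: classic service/autostart hijack pattern.
            sev = "critical" if _in_user_writable_path(entry["image"]) else "high"
            findings.append(Finding(host, kind, name, "image_changed", sev,
                                    f"{old['image']} -> {entry['image']}"))
        if kind == "service" and old["state"] != entry["state"]:
            # A security-stack service that is no longer running is a gap in coverage.
            stopped_security = name in SECURITY_STACK_SERVICES and entry["state"] != "running"
            sev = "critical" if stopped_security else "low"
            findings.append(Finding(host, kind, name, "state_changed", sev,
                                    f"{old['state']} -> {entry['state']}"))
    for key, entry in base.items():
        if key not in cur:
            host, kind, name = key
            sev = "high" if name in SECURITY_STACK_SERVICES else "info"
            findings.append(Finding(host, kind, name, "removed", sev, entry["image"]))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.name))
    return findings


if __name__ == "__main__":
    for f in diff_snapshots(BASELINE, CURRENT):
        print(f"[{f.severity:8}] {f.host} {f.kind}/{f.name}: {f.change} ({f.detail})")
```

The point of diffing against a baseline rather than scanning for “bad” paths is that legitimate software (OneDrive here) also autostarts from user-writable locations; what matters is the change, and the severity rules weight a moved service binary and a stopped security agent above a merely new entry.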
Why is cyber resiliency important?
Even if you cannot keep critical systems up during an incident, you can still reduce their downtime by knowing what goes into each critical business process and what is needed to complete it. Then you can prioritize your defenses and identify where gaps may exist.
Increasing the resilience of your system can be done in many ways; examples include decreasing your vulnerability to attack, your attack surface, an attacker’s ability to move laterally, your time to detect an intrusion, and your time to respond to one.
For a cyber resiliency plan to be effective, you need a solid understanding of your environment, how it impacts your processes, and the organization’s ability to ensure business continuity.
How can an organization improve its cyber resilience?
With these goals in mind, where do you start? You can begin by asking and addressing these five basic questions to improve your cyber resilience strategy:
- What are your critical business processes? In general, these are the processes that bring in revenue, where being down for even a brief period disrupts business operations and results in financial loss. What critical infrastructure and systems support these processes? Which critical business processes will be impacted if these systems go down?
- Do you leverage external services that provide critical functionality, such as authentication or an Identity and Access Management (IAM) system? For example, if your IAM is part of an externally hosted service, what happens if it becomes unreachable? Your processes might be able to keep running without the IAM system or a jump server, but your access to those systems, and your reporting on them, may depend on it.
- What systems are inherently not resilient? A critical process running on 40-year-old hardware that you cannot replace is not resilient.
- Who are your critical users? If a critical user or service account needs to be disabled, what is the impact?
- If a business process needs to be migrated to a new environment, what needs to be done to achieve this? This includes understanding what processes, software, and accounts are needed and determining how success is measured.
80% of companies feel moderately to very confident in their ability to stay resilient amidst this evolving cybersecurity landscape. While this number is down from last year, it does underline a gap that suggests companies may have misplaced confidence in their ability to navigate the threat landscape and are not properly assessing the true scale of the challenges they face.
Cisco’s 2024 Cybersecurity Readiness Index
Why resilient organizations need real-time endpoint visibility
Like most efforts in information security, improving your cyber resilience starts with a better understanding of your entire ecosystem. Increasing your understanding of your systems, and then thinking through your organization’s cyber resilience framework before an incident, lets you put mitigation and recovery plans in place that reduce the downtime, uncertainty, and panic often felt during an incident.

With comprehensive, real-time visibility into all your endpoints, organizations can quickly determine:
- What tools are deployed on your endpoints, and what purpose do they serve?
- What pieces of your security stack are on each device, and where are they in your environment?
- Do you have any portions of the environment where you lack visibility and control that could interfere with your ability to update and secure endpoints?
You can’t make something resilient, or prioritize its recovery from a cyber incident, if you lack visibility into it. Without visibility, you cannot control it or effect change. It is therefore essential to know where your visibility is strong and where it is lacking.
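The three questions above, together with the “positioning of security stack” component earlier in the post, amount to reconciling what the network sees against what each tool reports as enrolled. The following is an added example of that reconciliation, written for this post; it is not Tanium code. The host lists, the tool names (“edr”, “mgmt_agent”), the tiers and the agentless exceptions are all constructed; in practice they would come from DHCP leases or a scan, each tool’s console, and the critical asset list.

```python
"""Reconciling security-stack coverage across inventory sources.

Added example for this post, not Tanium code. The host lists, tool names,
tiers and exceptions below are constructed; a real run would pull them from
the network (DHCP leases, a scan), each tool's console, and the critical
asset list.
"""

# Hosts observed on the network in the last collection window (constructed).
# Note the mixed case and FQDNs: every source names hosts slightly differently.
NETWORK_SEEN = ["WS01.corp.example", "ws02.corp.example", "db01", "plc-07",
                "printer-3", "web01", "lab-nas"]
# Hosts each tool reports as enrolled (constructed; tool names are assumptions).
TOOL_HOSTS = {
    "edr": ["ws01", "ws02", "db01", "web01"],
    "mgmt_agent": ["ws01", "db01", "web01", "ws03"],
}
# Critical asset list: host -> tier (constructed).
CRITICAL_ASSETS = {"db01": "tier0", "web01": "tier1", "plc-07": "tier0"}
# Devices that cannot run the stack: the gap is accepted and a compensating
# control is recorded instead of an alert.
AGENTLESS_EXCEPTIONS = {
    "plc-07": "OT controller; covered by network sensor",
    "printer-3": "appliance; restricted VLAN",
}
TIER_ORDER = {"tier0": 0, "tier1": 1, "untiered": 2}
STATUS_ORDER = {"unmanaged": 0, "partial": 1, "accepted_gap": 2}


def normalize(hostname):
    """Reduce 'WS01.corp.example' and 'ws01' to the same key."""
    return hostname.split(".")[0].lower()


def coverage_gaps(network_seen, tool_hosts, critical_assets, exceptions):
    """List every host missing at least one tool, most critical first.

    Statuses: "unmanaged" (in no tool at all), "partial" (some tools missing),
    "accepted_gap" (known agentless device with a compensating control).
    """
    net = {normalize(h) for h in network_seen}
    tools = {t: {normalize(h) for h in hs} for t, hs in tool_hosts.items()}
    # The union matters: a host known only to one tool is still a host.
    all_hosts = net.union(*tools.values())
    gaps = []
    for host in all_hosts:
        missing = sorted(t for t, hs in tools.items() if host not in hs)
        if not missing:
            continue
        if host in exceptions:
            status = "accepted_gap"
        elif len(missing) == len(tools):
            status = "unmanaged"
        else:
            status = "partial"
        gaps.append({
            "host": host,
            "tier": critical_assets.get(host, "untiered"),
            "status": status,
            "missing": missing,
            # False here means a tool claims a host the network has not seen:
            # a stale record, an offline machine, or a visibility hole.
            "seen_on_network": host in net,
            "note": exceptions.get(host, ""),
        })
    gaps.sort(key=lambda g: (TIER_ORDER[g["tier"]], STATUS_ORDER[g["status"]], g["host"]))
    return gaps


def coverage_percent(network_seen, tool_hosts, exceptions):
    """Per-tool coverage over hosts that are expected to be able to run the stack."""
    net = {normalize(h) for h in network_seen}
    tools = {t: {normalize(h) for h in hs} for t, hs in tool_hosts.items()}
    in_scope = net.union(*tools.values()) - set(exceptions)
    return {t: round(100 * len(hs & in_scope) / len(in_scope), 1) for t, hs in tools.items()}


if __name__ == "__main__":
    for g in coverage_gaps(NETWORK_SEEN, TOOL_HOSTS, CRITICAL_ASSETS, AGENTLESS_EXCEPTIONS):
        print(g)
    print(coverage_percent(NETWORK_SEEN, TOOL_HOSTS, AGENTLESS_EXCEPTIONS))
```

Two design choices are worth noting. Coverage is measured over the union of every source, not over any one tool’s enrollment list, because a tool cannot report the hosts it has never seen; the constructed “lab-nas” shows up only because the network saw it. And known agentless devices are carried as accepted gaps with their compensating control rather than dropped, so the report still shows where the security team has to compensate for missing tooling.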
How Tanium supports improving cyber resilience
Resilience isn’t all or nothing. I’ve never seen a fully cyber-resilient system that can maintain complete functionality while under attack. Instead, it’s helpful to think of cyber resilience as an aspirational goal whose value is found in the steps organizations take to try to achieve it.

The Tanium platform provides the capabilities needed to execute at almost every level of a cyber resilience strategy. Understanding your environment is the starting point for any such strategy: a question such as how many endpoints have a particular piece of software installed today can be answered in seconds. Changing the state of your environment is equally easy; for example, setting a registry key value on every machine with that software installed becomes a simple task. Identifying machines that are missing your security stack, including Tanium itself, also becomes much easier.
Other capabilities rapidly decrease the time to remediate an incident and then turn what was found during the investigation into new detections that prevent the issue from recurring. These draw on Tanium’s ability to quickly collect and analyze live system data to understand what is in your environment, and to distribute both Tanium-specific and standard threat intelligence formats such as YARA rules and IOCs. Changing the state of your endpoints also supports rapid isolation and remediation of impacted machines.
Other critical capabilities improve your risk status, including patching and software deployment to keep your software as up to date as possible. Vulnerability and compliance checking are also key to understanding the greatest risks to your environment. This data is aggregated with the other data available to Tanium to produce risk scores for endpoints, allowing you to prioritize issues based on the current state of the environment and to compare your environment against benchmarks for your industry.
Perhaps most critically, all of this can be automated and integrated with your other tools, both by building automation directly within Tanium and by calling these and other capabilities through its APIs. You can also export data from Tanium to your SIEM, such as Microsoft Sentinel or Splunk, and to systems of record like ServiceNow, so that your data is not locked in Tanium but available where it is most useful.