Cyber Resilience – Need of the hour
Chandra Prakash Suryawanshi
Managing Director and India Leader for Cyber Security Business
As wave after wave of the Covid-19 pandemic resurges, it has taught us that we can’t afford to be complacent about safety and security. This applies as much to IT infrastructure as it does to human health. That’s why we need a new way of thinking - especially when it comes to cybersecurity. As remote working proliferates and attackers probe our perimeter defenses in more sophisticated ways, enterprise systems and data are more exposed than ever before. For CISOs, it’s time to stop reacting and start anticipating.
New thinking for a new world
As the Covid-19 pandemic surged and resurged, work from home - scratch that, work from anywhere - became a necessity in many parts of the world. The immediate response from enterprises? Increased investment in remote working infrastructure to support employees’ evolving needs for personal safety, flexibility, and technology-dependent collaboration.
In the short term, this meant resource expansions such as increasing bandwidth, procuring VPN licenses, allowing BYOD with baseline security controls, shipping office desktops to users’ homes, transitioning to virtual desktop infrastructure for secure content management, and setting up digital communication channels with multi-factor authentication and encryption. While this facilitated remote working, it also opened up new attack surfaces.
In order to expedite the return to business, most organizations adopted baseline controls for secure remote working. The controls were minimal and couldn’t adequately secure endpoints and collaboration platforms. Security teams were also facing old threat vectors in a new way for which they weren’t prepared. Employees were not ready or aware enough to recognize and react to cyber threats such as phishing, ransomware and malicious code.
It’s no surprise that cybersecurity vendors reported a 600% spike in cybercrime due to the pandemic.
Phishing topped the chart because social engineering and exploiting the weakest link of trust make it the easiest and most successful form of attack. It was also a particularly fruitful year for ransomware and malware distribution.
Despite the escalating threats, organizations with robust preventive and monitoring controls were able to detect and prevent most attacks with APT solutions, next-generation firewalls, and endpoint detection and response services. Organizations without a clearly defined threat response and with weak controls ended up losing uptime, data, and money.
It’s pretty obvious that enterprises that want to stay ahead of disruption need to think long term. Just as public health discourse has shifted from Covid response to vaccinations and immunity, CISOs need to shift focus from short-term defense to long-term resilience.
What is cyber resilience?
Resilience is the ability to defend against attacks while continuing to deliver the services and outcomes that business as usual demands. Being resilient means planning in advance how to minimize the damage when, not if, an attack is successful.
Resilience can’t happen by chance. It needs to be designed into the system. For this to happen, you need a long-term cyber strategy that is aligned with business objectives and technology choices. To drive resilience, you require holistic security controls, awareness among employees, and even changes in architecture.
Remote working requires special protections to be put in place, especially in the context of building a resilient infrastructure. Some of the things you need to be mindful about are:
● Identity is the new perimeter – Leverage cloud-based solutions to quickly start on zero trust principles to protect critical applications and data via identity and multifactor authentication
● End-to-end data security via encryption, secure collaboration, and endpoint DLP
● Endpoint security controls - endpoint detection and response, minimum security baseline, laptop encryption, anti-malware, file integrity monitoring for servers, and host-based firewalls and IPS.
● Content security - internal users access all applications via VPN and MFA, and for a few critical applications
● Patch management and anti-malware management for remote workers - Microsoft IBCM for patching users over the internet and, alternatively, NAC over VPN to force users to update patches and anti-malware signatures
● Email security - email security gateway with threat intelligence, such as Mimecast
● Advanced Monitoring – leveraging UEBA, cyber analytics, actionable threat intelligence and proactive hunting
From defense to resilience - the way forward
So, what steps can you take today to cultivate enterprise-wide cyber resilience? Here’s a cheat sheet to get you started:
Human Firewall
Employees and system users are always the first line of defense, but even more so during remote working and crisis situations. There is a pressing need to do more - more awareness in novel ways (cyber-bytes, gamification, simulations and advanced security training) and, well, more accountability - so our teams are equipped and ready to put security front and center.
● Organizational security policy and guidelines should be revised and enforced to ensure that robust remote working procedures are implemented
● Refresher training, gamification, simulations and periodic cyber-bytes should be provided on the most common cyber threats such as social engineering attacks, phishing, secure usage of collaboration tools, safe Wi-Fi, etc.
● Ensure user segmentation is in place, so employees only access data and systems directly related to their roles. This can be enforced with digital identities and least-privilege access controls. All users with privileged access need to be on the internal network (via VPN or via the “monitoring and management segment”) and have two-factor authentication enabled.
● Enable advanced use cases in SIEM to detect identity misuse, theft or compromise
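As an added illustration of the last two points (this is example code written for this article, not the author’s or any vendor’s implementation), the block below evaluates two SIEM-style identity use cases over a handful of constructed authentication events: a burst of failed logins followed by a success (likely credential compromise), and a privileged login that arrives without MFA or from outside the management segment. The event fields, the 10.50.0.0/16 segment and the thresholds are all assumptions chosen for the example.

```python
"""Added example (not code from the article): two SIEM-style identity-misuse
use cases evaluated over constructed authentication events.

Assumed (nothing here comes from the article): events are dicts with the
keys ts, user, src_ip, result, mfa and privileged, and the article's
"monitoring and management segment" is the constructed network 10.50.0.0/16.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MGMT_SEGMENT = ip_network("10.50.0.0/16")   # constructed value
FAIL_THRESHOLD = 5                          # failures before a success is suspicious
WINDOW = timedelta(minutes=10)              # sliding window for counting failures

# Constructed sample events (ISO timestamps, one login attempt each).
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T09:00:00", "user": "alice", "src_ip": "203.0.113.7", "result": "FAIL", "mfa": False, "privileged": False},
    {"ts": "2021-06-01T09:01:00", "user": "alice", "src_ip": "203.0.113.7", "result": "FAIL", "mfa": False, "privileged": False},
    {"ts": "2021-06-01T09:02:00", "user": "alice", "src_ip": "203.0.113.7", "result": "FAIL", "mfa": False, "privileged": False},
    {"ts": "2021-06-01T09:03:00", "user": "alice", "src_ip": "203.0.113.7", "result": "FAIL", "mfa": False, "privileged": False},
    {"ts": "2021-06-01T09:04:00", "user": "alice", "src_ip": "203.0.113.7", "result": "FAIL", "mfa": False, "privileged": False},
    {"ts": "2021-06-01T09:05:00", "user": "alice", "src_ip": "203.0.113.7", "result": "SUCCESS", "mfa": True, "privileged": False},
    {"ts": "2021-06-01T09:10:00", "user": "dave", "src_ip": "198.51.100.4", "result": "FAIL", "mfa": False, "privileged": False},
    {"ts": "2021-06-01T09:11:00", "user": "dave", "src_ip": "198.51.100.4", "result": "SUCCESS", "mfa": True, "privileged": False},
    {"ts": "2021-06-01T09:20:00", "user": "bob", "src_ip": "10.50.1.20", "result": "SUCCESS", "mfa": True, "privileged": True},
    {"ts": "2021-06-01T09:25:00", "user": "admin-carol", "src_ip": "198.51.100.9", "result": "SUCCESS", "mfa": False, "privileged": True},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_bruteforce_then_success(events):
    """Use case 1: at least FAIL_THRESHOLD failures for a user inside WINDOW
    (from any source) followed by a success -> probable credential compromise."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        recent_fails = []
        for e in evs:
            t = parse_ts(e["ts"])
            # Drop failures that have aged out of the sliding window.
            recent_fails = [f for f in recent_fails if t - parse_ts(f["ts"]) <= WINDOW]
            if e["result"] == "FAIL":
                recent_fails.append(e)
            elif e["result"] == "SUCCESS":
                if len(recent_fails) >= FAIL_THRESHOLD:
                    alerts.append({"rule": "bruteforce_then_success", "user": user,
                                   "src_ip": e["src_ip"], "ts": e["ts"],
                                   "failures": len(recent_fails)})
                recent_fails = []   # a success resets the failure streak
    return alerts


def detect_privileged_policy_violation(events):
    """Use case 2: a privileged account logged in without MFA or from outside
    the management segment, i.e. against the policy the article describes."""
    alerts = []
    for e in events:
        if not (e["privileged"] and e["result"] == "SUCCESS"):
            continue
        reasons = []
        if not e["mfa"]:
            reasons.append("no_mfa")
        if ip_address(e["src_ip"]) not in MGMT_SEGMENT:
            reasons.append("outside_mgmt_segment")
        if reasons:
            alerts.append({"rule": "privileged_policy_violation", "user": e["user"],
                           "src_ip": e["src_ip"], "ts": e["ts"], "reasons": reasons})
    return alerts


def run_identity_use_cases(events=SAMPLE_EVENTS):
    """Run both use cases and return the combined alert list."""
    return detect_bruteforce_then_success(events) + detect_privileged_policy_violation(events)


if __name__ == "__main__":
    for alert in run_identity_use_cases():
        print(alert)
```

On the constructed data this raises exactly two alerts: alice’s five failures followed by a success, and admin-carol’s privileged login with neither MFA nor a management-segment source; dave’s two failures and bob’s compliant privileged login stay quiet. In a real SIEM the same logic would be expressed as a correlation rule over the authentication log source, with the segment and thresholds taken from the organization’s own policy.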
Secure Architecture
The remote working environment introduces many attack vectors and hence demands revisiting the secure architecture framework to support WFH and enable hybrid environments for both employees and third parties. IT infrastructure can be complemented with implementations of secure architectures such as Secure Access Service Edge (SASE), Software Defined Perimeter and Zero Trust architecture.
● Secure Access Service Edge (SASE): Transition to SASE, an identity-driven architecture which evaluates risk in real time depending on context, enterprise security policy and continuous assessment of risk/trust throughout the user session. SASE lets you assign a digital identity to people, groups of people, devices, applications, services, IoT systems or even edge computing locations.
● Software Defined Network (SDN): provides a secure way for users to access the organization’s IT resources remotely. SDN not only protects infrastructure from cyber-attacks such as DoS/DDoS; it also allows users to connect seamlessly to the company network remotely.
● Zero Trust Architecture: the framework brings device and people factors together to decide access to IT resources.
Automation of Security Controls
It’s of utmost importance to ensure that security controls are updated to meet the requirements of remote working use cases. This can be achieved through baseline definitions, reviews, and continuous testing. Automation of security testing can help with the challenges of remotely located personnel and last-minute findings. Some practices which can help with the process:
● Review, maintain and enforce a minimum security baseline and ensure compliance via bots
● Continuous agent-based vulnerability management and virtual patching
● Secure DevOps practice with automated SAST integration
● RPA to automate manual test scripts and configuration checks
● Bot-based continuous control monitoring
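To make the “compliance via bots” and “continuous control monitoring” items concrete, here is an added example (written for this article, not the author’s tooling) of a minimal baseline-compliance check: a declared minimum security baseline is compared against per-host configuration snapshots and any drift is reported. The control names, thresholds and host records are constructed; a real bot would pull the snapshots from the endpoint management or EDR platform and fail closed on hosts that cannot be assessed.

```python
"""Added example (not code from the article): a minimal "compliance bot" that
evaluates host configuration snapshots against a declared minimum security
baseline and reports drift, the continuous-control-monitoring pattern the
article recommends. Control names, thresholds and hosts are constructed."""

# Baseline: control -> (operator, expected value). "eq" = must equal,
# "le" = must be less than or equal to.
BASELINE = {
    "disk_encryption": ("eq", True),
    "edr_agent_running": ("eq", True),
    "host_firewall_enabled": ("eq", True),
    "antimalware_signature_age_days": ("le", 3),
    "missing_critical_patches": ("le", 0),
    "screen_lock_timeout_min": ("le", 15),
}

# Constructed snapshots, as an inventory or EDR agent might report them.
# LT-0103 deliberately lacks the anti-malware key to show fail-closed handling.
SAMPLE_HOSTS = [
    {"host": "LT-0101", "disk_encryption": True, "edr_agent_running": True,
     "host_firewall_enabled": True, "antimalware_signature_age_days": 1,
     "missing_critical_patches": 0, "screen_lock_timeout_min": 10},
    {"host": "LT-0102", "disk_encryption": False, "edr_agent_running": True,
     "host_firewall_enabled": True, "antimalware_signature_age_days": 9,
     "missing_critical_patches": 2, "screen_lock_timeout_min": 10},
    {"host": "LT-0103", "disk_encryption": True, "edr_agent_running": False,
     "host_firewall_enabled": True,
     "missing_critical_patches": 0, "screen_lock_timeout_min": 60},
]


def check_control(actual, op, expected):
    """Return True when the observed value satisfies the baseline rule.
    An unknown (None) value is treated as non-compliant: fail closed."""
    if actual is None:
        return False
    if op == "eq":
        return actual == expected
    if op == "le":
        return actual <= expected
    raise ValueError(f"unsupported operator {op!r}")


def evaluate_host(snapshot, baseline=BASELINE):
    """Return one finding per control the host fails."""
    findings = []
    for control, (op, expected) in baseline.items():
        actual = snapshot.get(control)
        if not check_control(actual, op, expected):
            findings.append({"host": snapshot["host"], "control": control,
                             "expected": f"{op} {expected}", "actual": actual})
    return findings


def compliance_report(hosts=SAMPLE_HOSTS, baseline=BASELINE):
    """Aggregate findings across the fleet and compute a compliance percentage."""
    findings = [f for h in hosts for f in evaluate_host(h, baseline)]
    non_compliant = sorted({f["host"] for f in findings})
    compliant = len(hosts) - len(non_compliant)
    pct = round(100.0 * compliant / len(hosts), 1) if hosts else 0.0
    return {"findings": findings, "non_compliant_hosts": non_compliant,
            "compliance_pct": pct}


if __name__ == "__main__":
    report = compliance_report()
    for f in report["findings"]:
        print(f"{f['host']}: {f['control']} expected {f['expected']}, got {f['actual']}")
    print(f"compliance: {report['compliance_pct']}%")
```

Running it against the constructed fleet flags LT-0102 (no disk encryption, stale signatures, missing patches) and LT-0103 (EDR agent stopped, no anti-malware data reported, 60-minute screen lock), giving a compliance score of 33.3%. Scheduling this check and feeding the findings into a ticketing or SIEM pipeline is what turns a one-off review into continuous control monitoring.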
Monitoring and Detection
Security monitoring, and the use cases that work in a traditional office setting, may not work efficiently in hybrid and remote working situations. With more adoption of cloud and software as a service, and access by third parties and partners, you will need different use cases for monitoring security alerts. It is fundamental to have complete visibility of network components, data traffic and the flow of information, along with communication channels and protocols. A number of steps can be taken to monitor and detect risks to your information:
● Advanced Monitoring: technologies that complement SIEM, such as full packet capture for data visibility, actionable threat intelligence to act proactively on threats, and efficient use cases addressing cloud, application and third-party risks, will aid holistic security monitoring.
● User and Entity Behavior Analytics: UEBA solutions are great additions, providing identity analytics for compromised identities and also aiding threat hunting and cyber analytics.
● Threat Hunting: active threat hunting activities such as red teaming and hypothesis-based threat hunting can help find possible vulnerabilities or threat actors in the system.
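The UEBA point above is easiest to see with a small worked example, added here and not taken from the article or any UEBA product: a per-user baseline (countries, login hours and devices seen in history) is learned from constructed past logins, and each new login is scored by how far it departs from that baseline. The scoring weights, the alert threshold and all user data are assumptions for the illustration.

```python
"""Added example (not code from the article): a toy UEBA-style identity
analytic. It learns a per-user baseline from constructed login history and
scores new logins by deviation from it. Weights, threshold and data are
assumed values chosen for the example."""
from collections import defaultdict

# Constructed login history used to build the baseline.
HISTORY = [
    {"user": "alice", "country": "IN", "hour": 9, "device": "LT-0101"},
    {"user": "alice", "country": "IN", "hour": 10, "device": "LT-0101"},
    {"user": "alice", "country": "IN", "hour": 11, "device": "LT-0101"},
    {"user": "alice", "country": "IN", "hour": 14, "device": "LT-0101"},
    {"user": "bob", "country": "IN", "hour": 8, "device": "LT-0201"},
    {"user": "bob", "country": "US", "hour": 17, "device": "LT-0202"},
    {"user": "bob", "country": "IN", "hour": 9, "device": "LT-0201"},
]

# Constructed new logins to score against the baseline.
NEW_EVENTS = [
    {"user": "alice", "country": "IN", "hour": 10, "device": "LT-0101"},
    {"user": "alice", "country": "RU", "hour": 3, "device": "LT-0101"},
    {"user": "bob", "country": "US", "hour": 17, "device": "LT-0202"},
    {"user": "bob", "country": "IN", "hour": 9, "device": "UNKNOWN-77"},
]

WEIGHTS = {"new_country": 50, "unusual_hour": 20, "new_device": 30}
ALERT_THRESHOLD = 50   # score at or above this raises an alert


def build_profiles(history):
    """Collect the countries, hours and devices each user has been seen with."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set(), "devices": set()})
    for e in history:
        p = profiles[e["user"]]
        p["countries"].add(e["country"])
        p["hours"].add(e["hour"])
        p["devices"].add(e["device"])
    return profiles


def score_event(event, profiles):
    """Score one login: each attribute not seen before adds its weight.
    A user with no history has an empty profile, so everything looks new
    and the login is surfaced for review rather than silently accepted."""
    p = profiles.get(event["user"], {"countries": set(), "hours": set(), "devices": set()})
    reasons = []
    if event["country"] not in p["countries"]:
        reasons.append("new_country")
    if event["hour"] not in p["hours"]:
        reasons.append("unusual_hour")
    if event["device"] not in p["devices"]:
        reasons.append("new_device")
    score = sum(WEIGHTS[r] for r in reasons)
    return {"user": event["user"], "score": score, "reasons": reasons,
            "alert": score >= ALERT_THRESHOLD}


def analyze(new_events=NEW_EVENTS, history=HISTORY):
    """Build profiles from history and score every new event."""
    profiles = build_profiles(history)
    return [score_event(e, profiles) for e in new_events]


if __name__ == "__main__":
    for result in analyze():
        print(result)
```

With the constructed data, alice’s usual daytime login from India scores 0, her login from a new country at 03:00 scores 70 and alerts, bob’s known US login scores 0, and bob’s login from an unrecognized device scores 30: worth recording as an enrichment for hunters, but below the alert line on its own. Real UEBA products replace the fixed weights with statistical baselines and peer-group comparison, but the mechanics of learning normal and scoring deviation are the same.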
Incident Response and Crisis Management Plan
With most of the workforce working remotely, the response plan should reflect strategy and protocols to ensure seamless coordination between teams. Organizations should analyze, review and update their response playbooks for the current remote working environment.
● Update the response playbook to address the remote working environment
● Review and test the efficiency of the response plan on a regular basis
● Review, update and test Business Continuity Strategy/IT Disaster Recovery Plans
Cyber Insurance
With preparedness one can raise the security bar against risk materialization but cannot eliminate the risk; hence a good strategy is to transfer some of the risk exposure to a cyber risk insurance policy. Cyber insurance can keep your business on stable financial footing should a significant security event occur, by covering the cost of investigation, fines and penalties, productivity loss and third-party claims.
Conclusion
An organization is only as resilient as all of its components. Cybersecurity across sectors will remain critical long after the damage from the coronavirus has been mitigated and the world has made peace with the new normal. Early warning systems, with a holistic approach to far-reaching automated controls, attack detection and prevention of data theft, are the cornerstone of this new resilient enterprise.
Regional Chief Information Security Officer, MBA, CISM, CRISC, ISO 27001 LI/LA, ISO 27032 LCSM, CISA.
(3 years ago) Inspiring, well done and thank you for the great article.
Principal Sales Engineer at Fortinet. SecOps, SASE, Zero Trust, SD-WAN, CNAPP. Enabling customers with the right set of security solutions to combat the ever-changing threat landscape
(3 years ago) Well explained, to understand it fully. Thanks for sharing
Vice President – CXO Engagements & Integrated Marketing
(3 years ago) Nicely articulated
Cyber Strategy and Resilience Enthusiast, Ex-Deloitte, Ex-EY, Ex-Morgan Franklin
(3 years ago) IMO the need of the hour is operational resilience, which will include all your resilience disciplines … technology, cyber, business services, suppliers et al. This is something regulators have also realised and have started weaving regulations around these across the globe …