Today's reality is that if the enterprise uses networked computers, they will get hit at some point. Not having and practicing a recovery plan could be the doom of any organization.
John Bruce, CEO and co-founder at IBM Resilient said, "Resiliency is the ability of an organization to maintain its core purpose and integrity in the face of cyber incidents."
Cyber resiliency is a critical element of the overall organizational resiliency, which includes the many things that organizations grapple with in the real world. Bruce said that in the digital world, the enterprise should also have disaster-recovery plans.
"The whole notion of resiliency is a new phenomenon. It’s tough to do in the cyber world," Bruce said.
The challenge is that resiliency depends on people, processes, and technology together. When the disaster is one in the digital world, people often want to rely on technology alone as the fix.
It's not that easy. While it might have been cyber that created the disaster, the recovery and ability to return to productivity will need to focus on the people and processes as well.
"The overwhelming number of organizations do not feel they have a high degree of resiliency. We've seen that in many cases it’s taken a long time to respond to these things," Bruce said.
Resiliency takes a long time to plan, but most organizations "either don’t have a plan, or they don’t use it in the way they should, but they need to sit down and really grapple with this stuff before they need to."
"Recovery isn’t particularly sexy," said Alex McGeorge, senior penetration tester at Immunity. "It’s that thing that they have to prepare for and practice and do, but it only really comes to save the day in their darkest hour."
Whether the cause is ransomware or some other attack, if an accounting firm has one-fourth of its CPAs affected, that’s huge. "Larger enterprises have personnel redundancy, so the impact isn't as significant, but the impact could even be a benign outage where everybody’s desktop is fried," said McGeorge.
People want to believe they can recover from a backup, but if they aren’t practicing the restore, the likelihood of recovery is minimized.
"You pay a vendor for a backup solution, but the actual process of trying to restore their accounting department from a backup today rarely happens," McGeorge said.
Security practitioners need to plan and prepare for disasters so that they know what their total time to return to productivity is if all of the machines end up under water.
"They have faith in the promises from vendors, but putting it into practice and going through the process from start to finish once a quarter gives peace of mind," McGeorge said.
From a pen tester perspective, McGeorge said, "When I think of resiliency in companies, the ones that have impressed me the most have invested in virtualization."
With virtualized desktops, all PCs are created equal. "Nobody worked from the host operating," said McGeorge.
"They were virtualized desktops in the company cloud, so if I am able to detect Sam and Sally from sales have been compromised, I can nuke them, kick them off the VM, and create a new version and put them back on it so that everything is back."
The incident-response team can then look at what they can pull off of the compromised image and give back to the users. The downtime is maybe an hour, which is ideal for any organization. The problem, though, is that it's very expensive to implement.
"They have to make a huge investment in virtualization. Another problem is that if Sam and Sally are compromised, and we are saving all of their stuff onto the servers, the attacker has access to all the things they did before I detected they were compromised," said McGeorge.
There is no perfect solution, but the goal is to make recovery as painless as possible.
"This is where monitoring gets into play," said McGeorge. "They can tell when one user is making multiple modifications, changing a lot of documents all of a sudden."
Versioning also lets the incident-response team identify when a user has been compromised, and they can minimize the impact of many people having access to one document.
"If Sam gets infected with ransomware, the document management will let me go back to the version before it was compromised," McGeorge said, "but this is very expensive and logistically complex."
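The monitoring and versioning ideas McGeorge describes, as an added example that is not part of the original article: a sliding-window check over constructed file-modification events flags a user who suddenly touches many distinct documents, and the burst start time is then used to pick the last document version saved before the compromise. Thresholds, event format and version IDs are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (user, ISO timestamp, path). Sam's five writes
# in under a minute mimic a ransomware encryption burst; Sally is normal.
EVENTS = [
    ("sally", "2024-03-04T09:00:00", "/shares/sales/q1-forecast.xlsx"),
    ("sam",   "2024-03-04T09:02:00", "/shares/sales/pipeline.docx"),
    ("sally", "2024-03-04T09:05:00", "/shares/sales/q1-forecast.xlsx"),
    ("sam",   "2024-03-04T09:10:00", "/shares/sales/a.docx"),
    ("sam",   "2024-03-04T09:10:10", "/shares/sales/b.docx"),
    ("sam",   "2024-03-04T09:10:20", "/shares/sales/c.docx"),
    ("sam",   "2024-03-04T09:10:30", "/shares/sales/d.docx"),
    ("sam",   "2024-03-04T09:10:40", "/shares/sales/e.docx"),
]

# Constructed version history for one document: (ISO timestamp, version id).
PIPELINE_VERSIONS = [
    ("2024-03-04T08:30:00", "v2"),
    ("2024-03-04T09:02:00", "v3"),
    ("2024-03-04T09:10:05", "v4"),  # saved after the burst began
]

def parse(ts):
    return datetime.fromisoformat(ts)

def find_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return {user: burst_start} for each user who modified at least
    `threshold` distinct files within any span of length `window`."""
    by_user = defaultdict(list)
    for user, ts, path in events:
        by_user[user].append((parse(ts), path))
    flagged = {}
    for user, mods in by_user.items():
        mods.sort()
        start = 0
        for end in range(len(mods)):
            # shrink the window from the left until it fits `window`
            while mods[end][0] - mods[start][0] > window:
                start += 1
            if len({p for _, p in mods[start:end + 1]}) >= threshold:
                flagged[user] = mods[start][0]
                break
    return flagged

def last_clean_version(versions, burst_start):
    """Newest version saved strictly before the burst began, or None."""
    clean = [(parse(ts), v) for ts, v in versions if parse(ts) < burst_start]
    return max(clean)[1] if clean else None
```

Only Sam is flagged, and the rollback target for pipeline.docx is the version saved before his burst started.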
The CSO or CISO has the authority to decide across the organization which documents are critical and should be added to the document management system. "Only those documents that are mission critical should go into the document library," McGeorge said.
Whether they use virtualization, monitoring, or versioning, "They need to practice their backup and recovery strategy for different parts of the enterprise, from the sales team to the desktops and mail server, all the stuff that cannot fail," McGeorge said.
Ryan Manship, Red Team Security's security practice director, said that the ability to respond to and recover from an incident or an attack is great, "But we also need to think about identification, about detection and intrusion prevention. This is a big thing. It’s a big deal and it matters."
Security from a corporate perspective is a very complex situation, and Manship said it also includes the realities of business. "There are different types of businesses, business verticals, assets that need different protections as it pertains to the value of those assets."
They need to first have the commensurate level of security in relation to the value of the assets that’s in line with the business risk appetite. "They should have options for protecting themselves against risks and adopt the procedures and controls to be in alignment with that understanding," Manship said.
The ability to be resilient after an attack begins with any organization knowing their vulnerabilities so that they can protect against those. "It starts with knowing what their attack surface consists of--the risks--to make prioritized risk-based decisions," Manship said.
Other key pieces to having a resilient organization include robust monitoring that gives them the capacity to identify threats as early as possible within the cyber kill chain so that they can react accordingly.
"It's difficult to accurately and appropriately tune these solutions so that they aren’t getting too much noise. Noise makes us desensitized. If the solutions aren’t well tuned, they just produce noise," Manship said.
Whichever approach they decide upon, they need to practice, just like anything else, said Manship. They should have processes and procedures that they test, so that in the event that a disaster takes place, they have already determined the people they need to notify.
One piece of advice that Manship offered: "Make sure they have the right people helping them who understand all of their risk holistically and are enabling them with the information they need to make those decisions."