A number of developments in the threat landscape have induced security leaders to pay more attention to cyber resilience, and they are fueling several trends.
Organizations are much more concerned about cyber resiliency because of a shift in the kinds of attacks that are taking place. That's primarily because of ransomware, said Eric Hanselman, chief analyst at 451 Research.
"Security teams have fallen into the role of cyber janitors. If there was a malware infection, they could clean it up without significant repercussions. But ransomware has changed the game."
—Eric Hanselman
The quality of the tools and the sophistication of the attacks keep getting better and better, he noted. "It's getting harder to defend when attackers are starting to pull together an ever greater portfolio of tools that they can unleash on their victims," he observed.
Despite best practices and efforts, attackers only have to win once to cause a catastrophic outage or disable critical infrastructure and data, said Melody J. Kaufmann, a cybersecurity specialist at Saviynt.
"That's making organizations increasingly aware of the need for resiliency."
—Melody J. Kaufmann
The global spread of the coronavirus has also had an impact on how organizations view resiliency. With more workers forced to work from home, the attack surface for threat actors expanded dramatically, a development many enterprises weren't equipped to handle.
The shift to remote work has illustrated the shortcomings of many traditional security tools, said Hanselman. "The expectation was that the office provided a perimeter and a boundary for what the possibilities were for an attack, even though that perimeter crumbled years ago. Yet there was still the idea that that was still possible."
There has also been an expectation that all the efforts around recovery from an attack could be done hands-on, Hanselman said. "But when everyone started working from home, the idea that you could walk over and reimage a machine or install software broke down."
Remote work and the threat landscape are juicing a number of trends around cyber resilience. Here are four that SecOps team leaders should be tracking.
1. Cyber resilience integrated into cloud strategy
The cloud has always been a great source for response and recovery, two important aspects of resiliency. The ability to scale on demand and have the equivalent of warm sites in different availability zones has been an enormous step forward for IT operations, said Kaufmann.
"When done correctly, the cloud can provide recovery time objectives and recovery point objectives that are far better than could be achieved in on-ground data centers for a fraction of the price."
—Melody J. Kaufmann
The prospect of a server going down and crashing a website can be more easily averted today, said Gavin Matthews, technical product manager for Red Canary, a cloud-based security services provider.
"Today, companies can automatically scale up in response to an event like a DDoS attack or fall back in response to a threat by deploying more instances from a clean image or moving to a backed up, cloned deployment," said Matthews.
But the cloud is being considered for more than just response and recovery, said Jeff Pollard, vice president and a principal analyst at Forrester Research.
"Security leaders are no longer looking at the cloud as something different but integrating the cloud into the security stack so the organization is not dependent on on-premises infrastructure."
—Jeff Pollard
Using the cloud to offer "as-a-service" security allows controls to be applied consistently regardless of location, said Sameer Malhotra, CEO and founder of TrueFort, an application and cloud workload protection company.
"The massive push to the cloud by enterprises is changing their resiliency profile. Whether the user is in the office or at home, the same security controls are in place because the service is accessible everywhere."
—Sameer Malhotra
2. Zero trust becomes key to resiliency strategies
One of the goals of resiliency is to limit the damage an attacker can do once they invade a system. Zero trust can do that by limiting access and privileges of users. Zero trust moves organizations away from implicitly trusting someone on their networks to using context, identity, and data to dictate what permissions an identity has in an environment, Pollard said.
"Concerns about resilience and remote work forces have brought a much stronger focus on zero trust. When you've got everybody on-prem, there are a whole set of shortcuts you can take. When you start doing remote work, you are fundamentally in an environment where trust becomes much more critical."
—Eric Hanselman
That requires substantially greater levels of sophistication in your identity infrastructure, Hanselman said.
Zero trust is not just about people, said James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider. Implementing zero trust is a positive step toward implementing cyber resiliency, since organizations can reduce open access to systems entering the environment without being authenticated.
"It provides the ability to verify all devices before trusting them. By isolating devices it increases efficiency and resiliency because it can confine threats to one part of the network, reduce the opportunity for the threat to access the main network, and reduce the risk of an attack."
—James McQuiggan
3. Resiliency stoked by managed detection and response
Detecting threats and responding to them before they get worse is an important part of any resiliency plan. With shortages in skilled security personnel, however, organizations may find it difficult to meet the goals in that area of their plans.
"With the continuing escalation of the technology that's involved in a lot of these attacks and the need to be completely up to date on their capabilities and techniques, managed environments are becoming much more attractive because it's becoming harder and harder to keep your teams up to speed," Hanselman said.
"Managed detection and response gives you an extra set of hands to manage the detection and response process."
—Eric Hanselman
Jeff Pollard said managed detection and response is booming.
"It enables you to partner with a company that has more investigative expertise, more analytic expertise, can do proactive threat hunting, and can help your team focus on other aspects of security."
—Jeff Pollard
4. Resilience lands in security products
The increased interest of organizations in resiliency hasn't been lost on vendors. They're adding features such as secure remote access, the ability to manage remote working environments, and on-premises security capabilities for remote environments.
"It's led to a reasonable amount of new capability, but more than anything else, it's created a shift in how vendors are stressing value. A lot of reframing of capabilities is being done in a resilient form."
—Eric Hanselman
For example, DNS management is pretty standard stuff for an organization. However, by recasting the tool to include intelligence about what's happening on a network, it can contribute to resiliency by acting as an early-warning system. "Some of the first indications we get of an attack is 'phone home' activities. The place to detect that is at DNS," Hanselman explained.
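The early-warning idea Hanselman describes, as an added illustration that is not part of the original article: a small detector that reads DNS query records and flags a client that resolves the same name at near-constant intervals, the "phone home" pattern. The log format, the sample lines and the thresholds are constructed for this example; a real deployment would feed it resolver logs and an allowlist of names that legitimately poll on a schedule (update services, telemetry), since those produce the same rhythm.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log, hypothetical format: "<epoch-seconds> <client-ip> <query-name>".
# 10.0.0.5 queries beacon-test.example.net every 60 s; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com
1300 10.0.0.5 beacon-test.example.net
1360 10.0.0.5 beacon-test.example.net
1420 10.0.0.5 beacon-test.example.net
1480 10.0.0.5 beacon-test.example.net
1540 10.0.0.5 beacon-test.example.net
1600 10.0.0.5 beacon-test.example.net
1010 10.0.0.7 www.example.com
1500 10.0.0.7 mail.example.com
2200 10.0.0.7 www.example.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower().rstrip(".")


def find_beacons(records, min_queries=5, max_jitter=0.2, known_good=frozenset()):
    """Return {(client, qname): mean_interval_seconds} for client/name pairs
    queried at least min_queries times with a coefficient of variation of the
    inter-query gaps no larger than max_jitter. Names in known_good are ignored
    so that legitimate schedulers do not raise alerts."""
    times = defaultdict(list)
    for ts, client, qname in records:
        if qname not in known_good:
            times[(client, qname)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_queries:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = mean
    return beacons


if __name__ == "__main__":
    for (client, qname), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT periodic DNS: {client} -> {qname} every ~{interval:.0f}s")
```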
Some vendors have taken a "cloud-first" initiative to build resiliency into their products.
"By going cloud-first, they are creating awareness into their product to handle existing across availability zones and leveraging cloud autoscaling to auto-rebuild from configured images should existing instances become unstable due to attack."
—Melody J. Kaufmann
File integrity monitoring is another resiliency feature appearing in products. It looks for unauthorized or unexpected changes in files. "These alterations trigger administrator alerts to look into the cause, as they indicate an attack," Kaufmann explained.
Watch this tools space
Vendor attention to a problem can be both a blessing and a curse, however. "What's happened, as resiliency has become more of a goal and a concern, vendors have begun saying the word all the time, but it means something different to each of them," Pollard explained.
"That becomes a real challenge when you're looking at what kinds of products and solutions you might use to accomplish resilience."