Business Continuity Management / Disaster Recovery , Governance & Risk Management , IT Risk Management
Principles of Sustainable CybersecurityDeepayan Chanda Discusses Reliability, Accuracy, Architecture and Resiliency
In the past few years, the annual rate of cybersecurity breaches has doubled and as a result, sometimes millions of records are exposed. In 2021, the average cost of a data breach was a staggering $4.24 million.
See Also: Webinar | How the SASE Architecture Enables Remote Work
What Does "Sustainable' Mean?
We can call something sustainable when it is used in a manner that does not reduce it in the short or the long term and maintains a certain level of its existence. Within the same context, cybersecurity is sustainable when security resources are implemented, used, managed and maintained in a way that does not degrade the level of security or deplete over a period of time due to anything that affects the security of a system, business or organization.
This blog post discusses the four major principles that can help achieve and maintain a more sustainable approach to cybersecurity. They are reliability, accuracy, architecture and resiliency. Let’s look into them one by one.
Reliability means something is able to execute the job that it is meant to perform and resist any disruptions - or attacks - against the information system assets or infrastructure. Reliability plays a crucial role in securing information assets, as security and reliability are interdependent. They cannot sustain independently in today's environment, because our systems and infrastructure are expanding rapidly and becoming more and more complex at the same time. These expansions provide a technological advantage, but they also create more room for errors and increase the potential exposure area in terms of security risks and threats.
A true fault-tolerant system cannot exist in today's scenario without being aligned with system security. For instance, if the integrity - or security - of the system is disturbed, it will affect the reliability of the system, and if the reliability - or correctness - of the system is disturbed, it will affect the system security.
It is a mistake to think that if we take care of reliability, then security is maintained as a by-product of it and vice versa. That is not entirely true. Both need to happen with a dependency on each other.
As a simple example, say a firewall that protects the network perimeter and thwarts network-based attacks fails to operate due to an unreliable hardware or software platform. The compromised firewall then compromises the security of the infrastructure it is supposed to be protecting.
On the other hand, if the hardware or software of the firewall has a security flaw and an attacker takes advantage of that flaw and brings down the hardware, then the reliability would be compromised due to the security failure.
We can hence say that a system failure has happened, and it may have happened due to low reliability or faulty security - or both, in some cases. Security and reliability must be part of the architecture, design and implementation considerations while building new systems or modernizing old ones. The key is that reliability and security need to co-exist - it’s not one or the other.
Cybersecurity involves ensuring that the information related to security is accurate, complete and relevant. If the information is not accurate, it will affect the quality of security for the organization. At the same time, the information has to be easily consumable by different systems and users.
It is challenging to protect if there is a gap in information. For example, if we have to protect our assets, then we need to accurately know about our inventories and all assets. This may include entire on-premises and cloud presence, self-managed or outsourced assets, applications, network infrastructure, mobile and endpoints or third-party vendor assets, including their physical or virtual geographic location - internal or external.
There could be more parameters to decide how accurate the information is about your organization. The more accurate the information, the better the security risk impact assessment, which will help define the business impact or criticality.
It does not end here: Highly accurate risk data will lead to proper prioritization of response and remediation activities. Threat intelligence is another crucial part of security operations and response. The process involves collection, evaluation and analysis to produce actionable intel, and the core of this is that the data being collected is accurate. If the data collection is flawed or not accurate, the intel could be misleading or useless.
Generating threat intel involves a meticulous process of finding out relations between various cyberthreats in an accurate manner. Otherwise, organizations might end up making critical security decisions based on threat intel that is inaccurate - or even irrelevant - and that will end up in a missed opportunity to detect threats in a timely manner.
Detection capabilities of intrusions are more effective when the attributes specific to attacks - past and present - are accurately identified and analyzed for all phases of an attack kill chain.
The purpose of security architecture is to ensure that foundational defenses against security threats are properly aligned and integrated at all times with the security standards, policies, functional and nonfunctional requirements, organizational strategies and road maps.
Every organization has different, unique business and operational requirements. Something that works for one organization certainly won’t work for another, so the architecture has to be built by keeping the individual needs of the business in mind, including the services required and how they are implemented and executed.
Architecture also needs to account for any future changes and disruptions. It is probably the only piece that brings people, process and technology together with all of the other three principles: accuracy, reliability and resiliency.
Any reasonable architecture must ensure that it considers threat modeling to assess risks and exposed attack surface. This will allow you to see a complete picture of the system to be built. For example, if you intend to bring up an application or platform, you may need to think about:
- What data the application or platform is going to process;
- How that data will be stored and secured;
- Who will have access to that data - and how and why;
- What resiliency and reliability factors must be considered if there is a data disruption - for example, a ransomware attack - that creates an inherent threat to data.
You should also follow Secure by Design principles and - once matured - move toward the principle of Secure by Default.
Cybersecurity architecture need to be assessed and updated at regular intervals, or whenever there are changes in the current posture, delivery mechanism, addition or removal of features, methods or technology. It also needs to be assessed and updated if there is an evolving threat situation. This will guarantee that the cybersecurity services, platforms and programs are producing the desired outcome and are perfectly aligned to the organization's architectural requirements.
Resiliency is the ability to adapt and be prepared for dynamically changing conditions so as to tolerate possible disruptions and recover from them as swiftly as possible. Achieving resiliency in cybersecurity is not a new concept, however it still is an evolving and critical subject.
A higher level of resiliency can assist in recovering from a known or unknown breach faster. Cybersecurity is the first layer. It ensures that you apply the available resources, tools, tech and processes to prevent any security breaches.
Resiliency is better achieved by combining various approaches - starting with having strong and dynamic management of the changing threat environment that can or will disrupt the business and operations. This will enable the organization to withstand those disruptions, in case they occur, with no or limited compromise in business functionality.
Withstanding any unforeseen disruption is possible if you have the capability to fully anticipate the threat situation in advance and stay one step ahead of the adversaries.
The most important part of resiliency is being able to recover fully, or get back to the best possible highest capacity after any disruption or adverse situation, as quickly as possible. That involves assessing the risk in advance, preventing the threat, responding to the disruption and recovering swiftly.
Achieving a higher level of resiliency happens over a period of time; it’s a long process. Enforcing and maintaining a baseline level of security is the very first step on the journey of being resilient. It is followed by:
- Implementing a strong security configuration management process;
- Leveling up the bar of identity and access management;
- Having stringent vulnerability management capabilities;
- Using a risk-based approach to prioritizing threats and remediating them.
One of the key elements in gaining resilience is to have redundancy. Resiliency and redundancy are deeply connected to each other. Redundancy by design allows you to have multiple systems, assets and resources with identical functions.
If a disruption occurs, these redundant systems must have the ability to replace each other as soon as the primary system fails. Security systems that are designed to failover to redundant systems as part of the standard mitigation strategy provide a more mature, resilient environment.
I am sure that there may be multiple ways to achieve sustainable cybersecurity other than the four principles that I have described, but I find that they cover most of the aspects of how we can continue to maintain the level of cybersecurity that we need to sustain attacks.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Deepayan Chanda, an enterprise security architect with a large financial institution, has over 25 years of industry experience. He is a security strategist and adviser who solves enterprise cybersecurity problems with a strong focus on balancing security and business goals. Chanda has worked with many enterprise cybersecurity and large financial organizations, been a mentor and adviser to cybersecurity startups and written many books on cybersecurity. He served in the Indian Air Force. Chanda's latest book is Penetration Testing With Kali Linux.