How to build a cyber-resilient infrastructure

Cyber threats, such as malware and denial of service attacks, are becoming more prevalent in today’s society. Cyber resilience is the ability to withstand the negative effects of an attack on an organisation or community. A cyber-resilient infrastructure protects against cyber threats and ensures continued operation in the face of attack, to minimise risk and keep service disruption to a minimum.

Here, we take a closer look at some of the things you need to bear in mind when it comes to improving your organisation’s cyber-resilience.

What is cyber resilience?

As the cybersecurity landscape continues to evolve, organisations are required to adopt a more resilient cyber strategy to withstand the onslaught of threats and attacks from around the world.

This resilience is a new security paradigm that promotes a proactive approach to security and empowers an organisation’s cyber response team with the ability to recover from a breach quickly without impacting day-to-day operations.

According to IBM, cyber resilience is made up of five key pillars:

➡Identify

The identify phase is all about developing a greater organisational understanding of the main cybersecurity vulnerabilities within your networks, systems, people and data, as well as your ICT capabilities. By understanding the business context of that risk, and the resources needed to support your core operational functions, you’ll be able to better focus and prioritise your cybersecurity efforts and align them with your risk management strategy and business needs.

Some of the things you need to consider here include:

  • What hardware and software assets currently exist within your organisation, and are there any gaps in provision? Understanding what the cybersecurity windows and doors are (public IP addresses and the services presented on them) is a good starting point.
  • What cybersecurity policies do you currently have in place, and do they help you meet your regulatory requirements?
  • Do you carry out regular risk assessments to identify asset vulnerabilities or threats to internal and external resources? If so, how do you respond?
  • Have you identified and documented your organisation’s appetite for – or tolerance to – risk in your corporate risk management strategy?

  • What measures, if any, have you put in place to manage and mitigate cybersecurity risks in your supply chain?

➡Protect

The protect function is all about rolling out the appropriate cybersecurity measures to ensure service delivery. These include the ‘first line of defence’ security applications to prevent, limit or contain the impact of potential threats. These might include:

  • Identity management and access control measures, including physical and remote access
  • Data security protection measures to protect the availability, integrity and confidentiality of sensitive information
  • Ongoing maintenance, updates and support for your devices and software
  • Regular staff training to ensure your people are aware of the latest threats and their responsibilities for managing them

➡Detect

The detect phase is all about enabling the timely discovery of cyber incidents and defining the activities needed to identify and respond to a cybersecurity event. Some of the key things to consider here include:

  • Ensuring events and anomalies are detected promptly and their potential impact is understood
  • Implementing continuous security monitoring to identify potential cybersecurity incidents and verify the effectiveness of protective measures to prevent them
  • Developing processes to monitor and provide awareness of anomalous events

This type of system – a security information and event management (SIEM) system – takes event logs/live event streams as inputs, collates them, runs queries against them and produces actionable security incidents as outputs. Since security events can potentially run into hundreds of millions per day, such a system needs to be specially designed to reduce those millions of events down to the mere handful that require investigation.

A good SIEM solution will not merely tell you about an event, but offer advice on how to mitigate that event. This means that a good SIEM solution also must be updated regularly against known vulnerabilities so as to be able to detect them from the event log.
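To make the collate-query-reduce idea concrete, here is a small added example (not code from the original post or from any SIEM vendor) of that pipeline in Python: it parses constructed SSH authentication log lines, normalises them into events, and applies one correlation rule (a burst of failed logins from a single source followed by a success from the same source) so that a stream of events collapses to a single incident carrying the mitigation advice the text calls for. The log lines, the rule threshold of four failures and the five-minute window are all assumptions chosen for illustration.

```python
"""Toy SIEM pipeline: parse -> normalise -> correlate -> incidents."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not from any real system): syslog-style SSH
# authentication records plus one unrelated cron record.
SAMPLE_LOGS = [
    "2021-12-28T08:00:01 host1 sshd: Failed password for root from 203.0.113.5",
    "2021-12-28T08:00:03 host1 sshd: Failed password for root from 203.0.113.5",
    "2021-12-28T08:00:04 host1 sshd: Failed password for admin from 203.0.113.5",
    "2021-12-28T08:00:06 host1 sshd: Failed password for root from 203.0.113.5",
    "2021-12-28T08:00:07 host1 sshd: Failed password for root from 203.0.113.5",
    "2021-12-28T08:00:09 host1 sshd: Accepted password for root from 203.0.113.5",
    "2021-12-28T08:05:00 host2 sshd: Failed password for alice from 198.51.100.7",
    "2021-12-28T08:20:00 host2 sshd: Accepted password for alice from 198.51.100.7",
    "2021-12-28T08:21:00 host3 cron: job backup finished",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Normalise one raw line into an event dict; None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.match(m["msg"])
    if not a:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "user": a["user"],
        "src": a["src"],
        "outcome": a["outcome"].lower(),
    }


def correlate(events, threshold=4, window=timedelta(minutes=5)):
    """Rule (assumed for illustration): at least `threshold` failures from one
    source inside `window`, followed by a success from that source while the
    window is still open, raises one incident. Everything else is dropped,
    which is what collapses the event stream to a handful of findings."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    incidents = []
    for src, evs in by_src.items():
        recent_failures = []
        for ev in evs:
            # Keep only failures that still fall inside the sliding window.
            recent_failures = [f for f in recent_failures if ev["ts"] - f["ts"] <= window]
            if ev["outcome"] == "failed":
                recent_failures.append(ev)
            elif len(recent_failures) >= threshold:
                incidents.append({
                    "rule": "brute_force_then_success",
                    "src": src,
                    "host": ev["host"],
                    "user": ev["user"],
                    "failures": len(recent_failures),
                    "first_seen": recent_failures[0]["ts"].isoformat(),
                    "success_at": ev["ts"].isoformat(),
                    # The actionable advice a good SIEM attaches to the finding.
                    "advice": "Isolate the host, reset the account's credentials, "
                              "and review activity from the source address",
                })
                recent_failures = []
    return incidents


def run_pipeline(lines):
    """Collate raw lines into events, then reduce them to incidents."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    evs, incs = run_pipeline(SAMPLE_LOGS)
    print(f"{len(SAMPLE_LOGS)} lines -> {len(evs)} events -> {len(incs)} incident(s)")
    for inc in incs:
        print(inc)
```

Of the nine constructed lines, eight normalise into auth events and only one incident survives: the host2 login is ignored because its single failure falls outside the window by the time the success arrives. Scaling this to real volumes means streaming rather than sorting in memory and keeping per-source state with expiry, but the shape of the pipeline is the same.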

➡Respond

The Respond function is all about taking the appropriate action to deal with a live cybersecurity event. It should support your organisation’s ability to respond to and contain the impact of a potential cyber incident.

Some of the things to be aware of here include:

  • Ensuring your cyber response processes are executed during and after a cybersecurity event
  • Managing communications with stakeholders, regulatory bodies (such as the ICO), staff and customers
  • Undertaking mitigation activities to resolve the incident
  • Carrying out a detailed analysis of a cyber incident to determine its impacts and identify any learning points
  • Implementing improvements or process changes identified from your response activities

The key point to bear in mind here is that trying to work out how to do this stuff when you’re in the middle of responding to a security incident is almost impossible. So, your organisation needs to consider these in advance and have documented procedures in place that staff are aware of, and have practised using.

➡Recover

Recover is the final stage and looks at identifying the appropriate activities to restore service or operations affected by a cybersecurity incident and reduce the impact. The recover function aims to enable your organisation to:

  • Implement its recovery planning procedures to restore any affected systems or assets
  • Roll out improvements based on lessons learned
  • Coordinate internal and external communications following a cybersecurity incident to fulfil your organisation’s reporting obligations and mitigate any reputational risks

In instances like this, the SIEM solution is what you would look to in order to identify what the attacker touched when they infiltrated the organisation, and also what remediation action you should take.

Tips to improve your organisation’s cyber-resilience

When it comes to keeping your organisation cyber-safe, there are some simple steps to make your company more resilient in the event of a security breach:

✅Identify the risks

Per the cyber-resilience framework above, considering what would happen to your organisation in the event of a cyber incident, and identifying what information, data and systems are required to keep the organisation running, is vital.

✅Involve the whole organisation

While technology and solutions are essential, people lie at the core of every successful cybersecurity strategy, so make sure you involve them. This includes making cyber-resilience part of their day-to-day roles and ensuring they are trained appropriately and aware of what to do in the face of a security incident.

✅Test your plan

Working through each worst-case scenario, with practical run-throughs if necessary, will help to ensure your incident response is robust and effective. This makes testing your plan in a simulated environment essential, including investigating the cause and containing the impact.

✅Invest in a good SIEM system

As we said above, because of the growing cyber threat, investing in a good SIEM system is the cornerstone of effective cyber resilience. Examples of such solutions include Platform as a Service applications like Microsoft Sentinel, Software as a Service tools like Splunk, or managed services such as Dell SecureWorks. Because of the volume of data such a solution must handle, a SIEM is ideally suited to being delivered from the cloud, where that scale is readily available.

✅Have a backup plan

Having a plan to ensure your data is backed up and recovered in an emergency is crucial. A robust backup plan should aim to reduce the length of downtime and business disruption caused by a data breach or cyberattack, keep data loss to a minimum, and help ensure GDPR compliance.

This blog will be released on 28th December 2021 at around 8am. If you happen to be reading it between Christmas and New Year 2021, can I (Andrew) say that I hope you had a good Christmas and are looking forward to your New Year celebrations, whatever they might be. Let’s have a chat in January – you can let me know what you thought of this blog.


If you enjoyed this blog and want to find out more about how we can help your organisation protect its data, bolster its cybersecurity and achieve improvement through technology, give us a call on 01332 322588 or book a free consultation.

Want to know more?

Why not contact us to arrange a FREE consultation to talk about your ICT needs and how they could best be met?