How do you Measure Cyber Resilience?

At its most basic level, cyber resilience can be described as not ending up in the media as a victim of some sort of cyberattack or breach.

Cyber Resilience snapshot

Cyber resilience means not losing operational capability in its varying forms, ranging from a cash shortage due to a fraudulent transaction resulting from a Business Email Compromise (BEC) attack to the shutting down of the assembly line in a factory following a ransomware attack. It means not losing protected data, whether it is sensitive customer, employee, or supplier information, and it means ensuring intellectual property is not stolen, in order to maintain a competitive advantage.

Cyber resilience is the desired outcome of managing operational risk resulting from cyberthreats. More specifically, cyber resilience is the ability to prevent negative impact to the organisation across three principal risks:

  1. Loss of intellectual property
  2. Loss of regulatory controlled data
  3. Loss of operational capability

Organisations continually strive for higher levels of certainty in managing this risk. Being cyber resilient is the capability to detect and counter a sequence of events before the threat can impact the organisation. The sequences of events leading to increased levels of risk can be called intrusions. Intrusions have various pronounced phases that are documented in several security frameworks. Lastline’s chosen framework is the MITRE ATT&CK Matrix.

Mitre Att&ck Matrix

There is a significant cost saving for organisations in stopping intrusions as early as possible in the attack chain. The saving comes not just from avoiding the direct harm of an attack, but also from avoiding the burden placed upon scarce internal resources when they have to ascertain the gravity of the situation from detections in the later stages of the ATT&CK chain.

The Internet is a War Zone

Unfortunately, the internet is not simply an untrusted network; it is a war zone. If it were physically a place, foreign policy advice would be “make a will” before entering it. Tactically it makes sense to prevent as many malicious encounters as possible, but strategically, detecting those attacks that evade controls will ultimately determine your level of cyber resilience. Having the capability to counter intrusions at all stages of the ATT&CK matrix, as well as a tested incident response plan, will go a long way to improve confidence and certainty levels.

Cyber Resilience
The battlefield of the Internet is a war on two fronts. The first is our ability to completely detect the array of attacks we face. The second is ensuring that our response resources are not overwhelmed in dealing with them. Operational risk occurs when you don’t see all the relevant attacks, or you cannot or do not respond appropriately to the attacks.

Measuring cyber resilience is becoming a vital indicator for the survivability and competitive longevity of organisations and is increasingly being used during M&A discussions.

In a cyberwar zone, we need to decide what military-grade cyber resilience looks like. There are many best practice frameworks available, from NIST to ISO for example. They all talk about putting the risk in context as the appropriate method to achieve cyber resilience. We need to ask the question: in this context, when your organisation is connected to a cyber war zone, how does that change what is appropriate for cyber defenses? Do you manage security as if you were in a war zone?

In Summary: The challenge of Cyber Resilience can be expressed as a simple question:

“When security controls fail, can you detect unusual or irregular behaviour with sufficient context to mitigate the risk to the organisation?”

Unfortunately, the answer for far too many organisations is “no.” And the daily list of casualties continues to climb.

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both the Bush and Obama administrations, the Cabinet Office, the Foreign and Commonwealth Office, SWIFT, Swiss National Bank, the Prudential Regulation Authority, the Bank of England, the Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.