Network Resilience vs. Cyber Resilience
Aren’t they the same thing?
There are certainly similarities between network resilience and cyber resilience. The foundation for both is the ability to maintain business or mission capabilities during an event, such as a backhoe cutting your fiber cables or a nation-state actively exploiting your network. But there are also significant differences.
Traditional network resilience requires redundancy in your network architecture. As a simple example, consider two locations that you want to connect. Instead of just one, you install two fiber optic cables between the locations. If one gets cut, the redundant fiber optic cable can continue to carry network traffic. But what if both cables are in the same fiber optic pipe? If that pipe gets cut, then you lose both cables and the ability to conduct business or complete the mission. The redundant resilient solution is to deploy those two fiber cables as far apart from each other as possible and to have them enter your locations at different points to further reduce the chance of an outage. Now you have a resilient connection; however, you’ve also increased the complexity of your network by having two of everything. You now have two firewalls, two routers, redundant network interface cards and so on. Redundancy introduces complexity, which increases your attack surface—and opportunity for human error.
Both Verizon’s Data Breach Investigations Report and CrowdStrike’s Global Threat Report agree that more than 90 percent of intrusions are due to failures in basic, continuous cyber fundamentals: patching, deploying network devices securely, and ensuring that firewall rules and access control lists actually enforce the network segmentation you intended.
These cybersecurity fundamentals can be tedious and repetitive, but they are the foundation of security and, beyond that, of cyber resilience.
Cyber resilience has three parts:
- Being hard to hit;
- Detecting intrusions immediately;
- Responding rapidly.
These three simple concepts align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which breaks cyber fundamentals into five categories: detect, protect, identify, respond and recover.
Hard to Hit
Being hard to hit requires that you understand your network, starting with a complete inventory, including your cloud environments. Then, make sure you know how it is all configured and connected, including the network ports and protocols one system might use to communicate with another.
For guidance, look to industry standards like the Center for Internet Security (CIS) Benchmarks or the Department of Defense (DOD) Defense Information Systems Agency’s Security Technical Implementation Guides (STIGs).
Many organizations use some form of automated modeling solution to collect, analyze and assess their network risk. Automation is the key here because network understanding requires examining a lot of information. It’s easy for an important misconfiguration to get overlooked. Computers can analyze these fundamentals much more efficiently than we can.
An automated modeling solution can validate that your network enforces the segmentation you intended. It can validate choke points to ensure that your detection and response solutions have visibility of all network activity. This type of solution can also help you identify holes in your data. For instance, finding subnets without vulnerability scan data is a good indicator that your vulnerability scanners aren’t providing the network coverage you intend. It can determine whether all your endpoints have the required endpoint protection solutions installed. Reviewing this data automatically and continuously will help you be—and remain—hard to hit.
Detect Intrusions Quickly
An intrusion is when the adversary gets in. A breach is when the adversary has accomplished what they came to do: exfiltrating data, manipulating data or establishing persistence. To be resilient, you want to detect intrusions immediately, before they become breaches. Once you have an excellent understanding of what’s on your network and how it’s configured, you know all the paths system A can use to reach system B. The choke points and network segmentation you’ve set up will give your correctly deployed detection and response systems complete visibility of all network activity. Then, when attacks come, your responders can immediately detect them.
Once you’ve detected an indicator of compromise, your teams must respond rapidly. Our nation’s DOD incident response teams consistently report the same three response challenges:
- Identifying the device exhibiting an indicator of compromise;
- Finding where the device is located logically and physically within the network;
- Understanding all the places an adversary can reach.
Those three challenges can take hours to days to resolve, a far cry from the immediate response resilience requires.
But if you’ve done a good job with your fundamentals, you’ll know how your network is configured, how everything connects, where everything is, and how information can move from one place to another. With that, you can resolve these challenges with a few basic queries of your continuously updated network data. You’ll even see containment options: logging into the switch that your endpoint is connected to and shutting down its port to remove that device from the network, or modifying the firewall rules or access control list to block access to mission systems. Or perhaps you want to keep the adversary in your network to monitor what they are doing so you can collect intelligence on their tools, tactics and techniques. Then you can determine where to place monitoring devices and move the adversary to a sandbox environment.
If you have cyber resilience and have your foundational basics down, you can recover much more quickly and maintain mission or business while the attack occurs. Start soon, because our attack surface and complexity are only expanding as commercial, government and DOD networks modernize and move to the cloud and software-defined networks. The need to automate the basics so organizations and departments can remain digitally resilient in the face of an attack has never been greater.
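The checks described above, both the "hard to hit" validations (subnets without scan data, endpoints without protection, segmentation that the firewall rules do not actually enforce) and the three responder questions (which device, where it is, what it can reach), all come down to queries over one continuously updated network model. The following is an added example in plain Python, not RedSeal's product or any code from the article, that shows the shape of those queries over a tiny constructed inventory. Every device name, address, zone, switch, port and firewall entry is sample data invented for the example, and the reachability check is a simple breadth-first search over zone-to-zone allow rules rather than a full path analysis.

```python
"""Added example (not RedSeal's code): a small network model answering the
article's questions with a few queries. All data below is constructed."""
from collections import deque
import ipaddress

# Constructed inventory: one record per device with logical and physical location.
INVENTORY = [
    {"name": "ws-17", "ip": "10.1.0.17", "zone": "users", "site": "HQ",
     "switch": "sw-hq-03", "port": "Gi1/0/12", "edr": True},
    {"name": "ws-22", "ip": "10.1.0.22", "zone": "users", "site": "HQ",
     "switch": "sw-hq-03", "port": "Gi1/0/19", "edr": False},
    {"name": "app-01", "ip": "10.2.0.5", "zone": "apps", "site": "DC1",
     "switch": "sw-dc1-01", "port": "Gi1/0/2", "edr": True},
    {"name": "db-01", "ip": "10.3.0.8", "zone": "mission", "site": "DC1",
     "switch": "sw-dc1-02", "port": "Gi1/0/4", "edr": True},
    {"name": "vm-cloud-1", "ip": "10.9.0.4", "zone": "cloud", "site": "AWS-east",
     "switch": None, "port": None, "edr": True},
]
SUBNETS = {"users": "10.1.0.0/24", "apps": "10.2.0.0/24",
           "mission": "10.3.0.0/24", "cloud": "10.9.0.0/24"}
# Subnets the vulnerability scanner actually reported on (constructed).
SCANNED_SUBNETS = {"10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"}
# Firewall policy as (src_zone, dst_zone) allow entries; anything else is denied.
FIREWALL_ALLOW = {("users", "apps"), ("apps", "mission"),
                  ("cloud", "apps"), ("users", "cloud")}
# Intended segmentation: zones that must never reach "mission", even via a hop.
INTENDED_NO_PATH = {("users", "mission"), ("cloud", "mission")}


def unscanned_subnets():
    """Subnets in the inventory with no scan data: a scanner coverage gap."""
    return sorted(s for s in SUBNETS.values() if s not in SCANNED_SUBNETS)


def endpoints_without_edr():
    """Endpoints missing the required endpoint protection agent."""
    return sorted(d["name"] for d in INVENTORY if not d["edr"])


def reachable_zones(src):
    """Zones reachable from src through any chain of allow rules (BFS)."""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        for s, d in FIREWALL_ALLOW:
            if s == cur and d not in seen:
                seen.add(d)
                queue.append(d)
    seen.discard(src)
    return seen


def segmentation_violations():
    """Intended blocks that the rule set does not enforce, directly or transitively."""
    return sorted((s, d) for s, d in INTENDED_NO_PATH if d in reachable_zones(s))


def locate(ip):
    """Responder questions 1 and 2: which device is this, and where is it?"""
    addr = ipaddress.ip_address(ip)
    for dev in INVENTORY:
        if ipaddress.ip_address(dev["ip"]) == addr:
            return dev
    for zone, cidr in SUBNETS.items():  # known subnet, unknown host: still a lead
        if addr in ipaddress.ip_network(cidr):
            return {"name": None, "ip": ip, "zone": zone}
    return None


def triage(ip):
    """Question 3: what can the adversary reach from here, plus containment options."""
    dev = locate(ip)
    if dev is None:
        return {"found": False, "ip": ip}
    reach = sorted(reachable_zones(dev["zone"]))
    containment = []
    if dev.get("switch"):  # physical containment: shut the access port
        containment.append(f"shutdown {dev['switch']} port {dev['port']}")
    for s, d in sorted(FIREWALL_ALLOW):  # logical containment: revisit allow rules
        if s == dev["zone"]:
            containment.append(f"review allow rule {s} -> {d}")
    return {"found": True, "device": dev.get("name"), "zone": dev["zone"],
            "reachable": reach, "containment": containment}


if __name__ == "__main__":
    print("unscanned subnets:", unscanned_subnets())
    print("endpoints without EDR:", endpoints_without_edr())
    print("segmentation violations:", segmentation_violations())
    print(triage("10.1.0.22"))
```

Note that the segmentation check reports a violation for users to mission even though no rule allows it directly: users may reach apps, and apps may reach mission, so the intended block is not enforced. That transitive case is the kind of misconfiguration that is easy to miss by reading rules one firewall at a time and is why the article argues for automated, continuous validation.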
Wayne Lloyd is the federal chief technology officer at RedSeal.