Assume Breach: Best Practices in Cyber Resilience
It is not a question of if but when an organization or an individual will be breached in cyberspace. If you believe that, you have taken the most important cognitive step – you are prepared to “assume breach” and build resilience to withstand a cyberattack.
But if you assume breach, what does it mean for how you think about security investments in people, processes, and technology? More importantly, what strategies should your organization employ to become secure beyond breach? On October 24, 2018, Illumio convened a group of cybersecurity strategy and technology leaders in Washington, D.C., to discuss the assumption of breach and identify best practices in Cyber Resilience.
Below is a summary of key findings from the day. For those interested in hearing all these smart people talk, stay tuned for the videos.
Top 3 takeaways
If you assume breach, you need to:
- Adopt an adversary mindset.
- Follow a Zero Trust strategy and micro-segment your networks.
- Exercise and prepare your organization for breach management.
Assume breach: Explained
To assume breach means taking on an adversary mindset. Today nation-state adversaries and criminal organizations have the money, personnel, and time required to patiently work on hitting you in cyberspace. To assume breach means being ready for an attack on the things you value most in ways that you cannot necessarily expect. This assumption is in our DNA in the post-September 11th physical world – if we see something we all know to say something – but the concept hasn’t translated into our cybersecurity practices (even as data and internet use expanded exponentially).
To assume breach means protecting your most valuable, mission-critical assets first. If a hostile actor seeks to gain an advantage, what will they try to steal, manipulate, or break in an organization? If you assume breach, you need to focus on protecting the data that powers your most important missions. In the case of the U.S. Office of Personnel Management (OPM), it was the database that held the records for 21.5 million U.S. government officials. In the 2018 case of Singapore’s health provider, SingHealth, it was the database within the public health cloud that stored the health data for 1.5 million Singaporeans. In the case of the U.S. military’s nuclear command and control enterprise, it could be the satellite communications systems that support the U.S. nuclear deterrent.
To assume breach means planning to lose part of what you value and preparing to operate with your data exposed or degraded. In the event of breach, bad things can happen to your mission effectiveness. That’s why the U.S. military builds redundancy into its logistics and operations. To defend a city against a combined ballistic missile and cyberattack, two Patriot batteries may suffice, but the military may install four for resiliency. In the case of a disruption to a bank, whether through a distributed denial of service attack or a malware attack, banks may want to invest in redundant networks to continue financial operations if one network goes down.
Making resilience investments is the logical conclusion of the assumption of breach. Still, these are uncomfortable premises. Analogous to buying life insurance after the birth of a child, you will be better off post-breach if you have accounted for the worst-case scenarios.
Zero Trust and microsegmentation
You cannot make investments randomly; you need a strategy to secure your assets. Dr. Chase Cunningham, one of the United States’ premier thinkers on security operations and cyber analytics, helps organizations with their plans to achieve resilience by implementing a Zero Trust strategy. Zero Trust hinges on the idea that users within a network are no more trustworthy than users outside a network. As he maintains, many of the major cyberattacks we’ve heard about over the last decade are underpinned by one simple problem: data centers are open and insecure.
The average dwell time for an intruder to remain inside a network undetected is over six months. In an insecure data center like that of the Office of Personnel Management in 2014/15, the Chinese intruder gained full freedom of access. If you “trust nothing, verify everything” that comes into your network, you need to secure your data center from the inside to prevent unauthorized actions.
In the new cloud world, the tools of yesterday may not be sufficient. Like the cloud itself, your security investments need to evolve with the threat. Micro-segmentation sets policies and rules for how every part of the data center interacts. It’s a new layer – a final layer of resilience in the new security stack.
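As an added example (not Illumio's product or code), the following Python sketch shows the policy model micro-segmentation imposes: workloads are identified by labels rather than by network location, every permitted flow needs an explicit rule, and anything unmatched is denied and surfaces as a detection signal. All workload names, labels, rules and flows are constructed for illustration.

```python
"""Toy micro-segmentation policy engine (added example, constructed data).

A workload inside the data center earns no trust from its location: every
flow must match an explicit allow rule or it is denied (Zero Trust).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset  # e.g. {"role:web", "env:prod"}


@dataclass(frozen=True)
class Rule:
    src: frozenset    # labels a source must carry (all of them)
    dst: frozenset    # labels a destination must carry (all of them)
    ports: frozenset  # destination ports this rule permits


def allowed(policy, src, dst, port):
    """Default deny: permit only if some rule matches source, destination and port."""
    return any(r.src <= src.labels and r.dst <= dst.labels and port in r.ports
               for r in policy)


def evaluate(policy, flows):
    """Label each observed flow; DENY entries are what a detection pipeline alerts on."""
    return [(s.name, d.name, p, "ALLOW" if allowed(policy, s, d, p) else "DENY")
            for s, d, p in flows]


def demo():
    """Constructed three-tier application with one rule per legitimate hop."""
    prod = {"env:prod"}
    web = Workload("web-01", frozenset({"role:web"} | prod))
    app = Workload("app-01", frozenset({"role:app"} | prod))
    db = Workload("db-01", frozenset({"role:db"} | prod))
    dev_web = Workload("web-dev", frozenset({"role:web", "env:dev"}))
    policy = [
        Rule(frozenset({"role:web"} | prod), frozenset({"role:app"} | prod), frozenset({8443})),
        Rule(frozenset({"role:app"} | prod), frozenset({"role:db"} | prod), frozenset({5432})),
    ]
    flows = [
        (web, app, 8443),      # legitimate tier-to-tier traffic
        (app, db, 5432),       # legitimate tier-to-tier traffic
        (web, db, 5432),       # web tier reaching the database directly: lateral movement
        (web, db, 22),         # management port not granted by any rule
        (dev_web, app, 8443),  # right role, wrong environment
    ]
    return evaluate(policy, flows)
```

Without the two rules the same engine denies every flow, which is the "open and insecure data center" inverted: nothing talks until someone writes down why it should.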
Preparing to become secure beyond breach
At the strategic level, organizations assume breach and plan for disruption through a variety of management and non-technological means. Training is key. Within the Defense Department, the U.S. military trains not just for breaches, but for full cyber-based disruptions to military operations; beyond redundancy investments, like an extra Patriot battery, pilots and captains prepare their teams daily to “fly blind” in the event of attack. That may mean flying an F-35 without communications or piloting a ship through the ocean without the Global Positioning System.
Similarly, companies need to go through the process of preparing for breach by identifying the emergency processes they may need for crisis management. One of the most important steps is to establish the facts; without them you cannot communicate well within your organization or externally. It helps to develop a playbook for breach management – and to conduct tabletop exercises to identify gaps and seams and see how your organization may respond to an event. The best tabletop is a live exercise that alters an organization’s communications systems and forces teams to respond without access to data. Finally, organizations need to practice how they communicate with shareholders and others in the external world about the breach.
After a breach, blame and forensics are the easier part of the story. It's harder to nudge leaders in advance to invest: to change their mental maps and assume breach, to make the personnel and technology investments to withstand attacks, and to take the time to train for disruption. Yet with a small amount of advance investment, countries and organizations can prevent the worst-case scenarios from occurring – and become secure beyond breach.