In part one of our discussion with Dr. Mike Lloyd of RedSeal, he shared the steps that form the basis of a cyber resilience plan, steps that agencies can take to limit – and recover from – the impact of a cyberattack. Continuing the discussion, Lloyd drills deeper into steps any organization can take to become more resilient.
Want to find out what Dr. Lloyd has to say, but don’t have time to read? You can listen to the podcast here.
GTI: For an organization to become resilient, what decisions do CIOs, CISOs and other leaders need to make?
ML: Let me try to offer an analogy that I found has helped people think through all the complex decision making. Imagine, if you will, a bunker during World War II in London. Britain is losing the war, in the early stages of the war. They’re underprepared, they’re outgunned, they’re up against an adversary that has better weapons than they have, more automation, more troops, and they’re really in a tough spot. And yet they expressed amazing resilience.
How did they achieve that resilience? Well, there’s an awful lot about national character and history and details of individuals that you can get into. But one of the things they did practically, that I think is a useful lesson for today, is they built a bunker, a war room. And in that war room they pulled in an awful lot of sensor data and then built up a map, so they could look at their defensive situation.
They were facing this very, very powerful adversary who could fly bombing raids over the country almost at will. They had to organize a small number of fighter aircraft to be able to deal with this overwhelming threat. And they did a remarkably good job. They were very efficient with how they used their limited resources.
Interestingly, they faced other challenges that we can find resonant today, for example, technology change. Radar had just been invented and they were trying to figure out how to use this amazing new radar technology, equivalent to some of the security technologies we deal with today. They had to take this highly technical, elaborate radio technology — very detail oriented — and make sense of this data.
And of course, a typical decision maker, a typical general in this context, doesn’t understand radar, they’re not technicians, they don’t know how all this data works. And so, you have to figure out how to translate highly complex sensor data into something that an executive or a general can understand.
In the war room, they took complex data feeds of intel, spying, human reports, news reports and radar, then mapped out on a map of England where their forces were and where the incoming bombing raids were coming from. And they used that to efficiently counter the threat.
So this analogy can be a great guide to people having to make decisions in this area. It breaks down into these three disciplines: you’ve got to deal with complex data coming in from the outside world that’s messy, that’s technical, that’s ‘gappy.’ You’ve got all sorts of problems with any incoming data. You need to synthesize it all and then take one more step, and that is to put it on a map.
If you think about any war room we’ve ever seen, it always has a big map in the center of the room where you try and gather information on what the enemy is doing, information on your own troops and information on the terrain. That’s what war room maps do. And this allows you to make better decisions.
GTI: To take that military analogy even further, there is the concept of survivability. Let’s say a naval ship — what kind of a hit can it take and still keep going to complete its mission, to protect the crew, to get back home safely? It sounds like you could be applying these same concepts to your network.
ML: That’s the resilience mindset right there, saying, “Look, I’ve got the shiny, new warship and it’s got all these amazing weapon systems, so it must be unbeatable, right?” Well, no, it isn’t.
Military historians are well aware of all the unbeatable warships that never sailed. So, if you have this amazing warship and you think, “OK, it’s got all these capabilities,” you can’t just assume those capabilities will all continue to function. You have to think through, “Now, if it takes a hit, then what happens?” So, how do you do that?
The first thing you have to do is map out your warship. You have to know what’s connected to what, how it all works together, and you need to understand mission criticality. You have to understand for any given system on your naval vessel, what’s it for, what’s its mission and how dependent is it on other things?
You might think of it as a ship with guns on it. But it’s really a complex network of dependency. This gun over here depends on that ammunition supply over there, that targeting system depends on this computer that depends on that radar dish someplace else on the boat.
Every complicated system, like a warship, is a complicated network of interdependent things. What you have to do is be able to map out what your network is made out of, then figure out what happens if somebody attacks it — what consequence would that be? You have to wargame that, in effect. And then you have to plan out how you’re going to respond, how you can continue to function if you are impaired in the following ways — if somebody steals or breaks into that.
That three part strategy of ‘map it out, wargame it and then plan for how you can respond,’ that’s exactly what you’d do if you just took delivery of a shiny new naval vessel. But it’s also what we need to do as defenders of modern I.T. networks.
GTI: Realistically, how do you know you’ve achieved resilience and are you ever really there?
ML: It’s definitely one of those things that’s more of a journey than an outcome. The whole point to the resilience mindset is to realize that no matter how hard you try, the adversary isn’t going away and their ability to hurt you isn’t going to go away. This is one of the things we found with the rise of the Internet.
The online world that we now live in is clearly very, very fragile. It’s as complex and interdependent as a modern city and, therefore, it’s impossible to defend perfectly. You can’t defend any modern city perfectly. All you can do is make it a hard target by trying to control as much as you can and then planning to respond and recover: have your first responders trained. Know what you’re going to do, know where you are going to go and how you’re going to respond to disasters as they come up.
You need to map things out, you need to wargame, you need to run simulations of what’s actually going to happen. Then you need to come up with plans. And this means that yes, you’ll never be done, but then the people responsible at DHS thinking through defending cities, they don’t ever expect to be done either; it’s definitely not an end state.
What you can do though is measure how well you’re doing. We’re not the only ones, at RedSeal, who do this kind of work. But certainly, we are part of an industry that is working on how to measure resilience and so we generate a digital resilience score. It looks just like a credit rating.
A credit rating, of course, is rating you as a consumer to say, “Should I loan you money or should I not? Are you a good bet or a bad bet?” Anybody who loans money knows that, in a sense, they’re gambling on that other person. And they don’t expect guarantees, but what they expect is a credit rating of 800, that person is a better bet than somebody with the credit rating of 500. We want to measure infrastructure exactly the same way.
There’s an industry that’s maturing now, getting better and better at measuring the practices we use to see how resilient we are. Essentially what those measures do is break down exactly the things we just talked about: whether or not you’ve mapped out your existing infrastructure; do you actually understand what your existing infrastructure looks like; have you planned out for an attack; have you simulated attacks against it to see how well those attacks would work. And do you have plans in place for what you will do — how you will recover — if a breach does occur? What this enables your team to do is to gauge how well your defenses will perform and get the comparative scores.
But, you never achieve perfection. The whole point of the resilience mindset is to plan that there will still be incidents in the future.
GTI: And, of course, as technology evolves, as you implement new technology the bad guys will evolve too. So, it’s a constant back and forth.
ML: Absolutely. It’s an arms race, there’s no question about that. Unfortunately, it’s an arms race that we’re tending to lose over time. I take some encouragement from that World War II – Battle of Britain analogy, because it is possible to win, even when outgunned if you have enough resilience.
Recent history says the attackers are getting clever and creative and they’re quite economically sophisticated. They build markets where they trade in exploits, in digital weapons effectively, and they trade in the spoils that they get. So, there’s a quite sophisticated market out there and that just goes to the fact that it’s economically beneficial for some bad guys to do this.
The good news, I suppose, is that most of these attackers are economically quite sensitive — at least the criminals as opposed to the nation-state actors. The criminals, at least, who are a major part of the threats these days, they do go for the easy buck and so that’s why it’s still useful to harden your defenses. If you can make it economically disadvantageous for them to come after you, they will not do that. They will find some other, easier, cheaper way to make their money.
But you can’t guarantee perfect protection. We tried that, and we find that organizations still suffer breaches. You shouldn’t bet everything on, “I will just make a perfect wall around my network.” We know that doesn’t work at this point.
GTI: What else should I.T. leadership be thinking about?
ML: I think we’ve mapped out a real discipline that people can think through about the three parts of resilience: being hard to hit, that there is still a role for that, but don’t bet everything on just the wall around your castle. Detect as quickly as you can — figure out how you can detect with sensor technologies that something has happened. But, then also to recover rapidly.
It’s really that ‘recover rapidly’ where people struggle because they haven’t done enough to map out what ‘normal’ looks like for their organization. If a net quake happens to many corporations and many government agencies, if they lost a major part of their I.T. infrastructure, they wouldn’t know how to build it back because they haven’t really mapped it out.
So I suppose for anybody listening to this and thinking, “I don’t even know how to start into that,” I would recommend the first important thing to do is map out how your IT environment works, because it plays into all three parts of: being hard to hit, how are you going to detect and how are you going to recover. You have to understand your current infrastructure and how it works as your first step.