2020-023-James Nelson from Illumio, cyber resilence, business continuity

06/17/20 • 48 min

BrakeSec Education Podcast

James Nelson, VP of Infosec, Illumio

How has COVID-19 changed cybersecurity? Why is cyber resilience especially important now? What are the most important steps to ensure cyber-resiliency? How do you talk to business leaders about investing in cybersecurity to boost resiliency?

The best way for organizations to keep their ‘crown jewels’ secure is adopting a Zero Trust mindset. Organizations need to take advantage of adaptive security infrastructure that can scale to meet current and future organizational needs, and take steps to ensure even third-party hosted data is policy compliant.

Most CISOs don’t talk to the board regularly, so they don’t realize that this is exactly the conversation the board wants to have. The security team’s spokesperson needs a well-reasoned plan that shows how badly things could go. Showing how money is directly connected to mitigating those risks is vital to getting the funding needed, as is showing why an increase in spend corresponds to a decrease in risk.

Cyber-Resilience:

https://en.wikipedia.org/wiki/Cyber_resilience

https://en.wikipedia.org/wiki/Business_continuity_planning#Resilience

https://www.darkreading.com/cloud/cyber-resiliency-cloud-and-the-evolving-role-of-the-firewall/a/d-id/1337206

Doug Barth and Evan Gilman - https://brakeingsecurity.com/2017-017-zero_trust_networking_with_doug_barth

part1 with Masha Sedova: https://traffic.libsyn.com/secure/brakeingsecurity/Masha_sedova-elevate_security-profiled-education-phishing-part1.mp3

Part2: https://traffic.libsyn.com/secure/brakeingsecurity/2020-019-masha_sedova-privacy-human_behavior-phishing-customized_training.mp3

https://www.helpnetsecurity.com/2017/08/24/assume-breach-world/

Key concepts:

Visibility into your environment

Controls necessary to repel attackers

Architecture of the network to create chokepoints (east/west, north/south isolation)

Threat modeling and regular threat assessment

Mechanisms to allow for rapid response

How long will current security controls hold a determined attacker at bay?

Business-wide Risk Management response can often determine resiliency in a Crisis/Breach situation.

Cyber-Resilience Framework (per NIST SP 800-160 Vol. 2: https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final)

What does “cyber resiliency” mean to the organization? To the department? To the individual? And what does it mean for the mission or business process the system is intended to support?

Which cyber resiliency objectives are most important to a given stakeholder?

To what degree can each cyber resiliency objective be achieved?

How quickly and cost-effectively can each cyber resiliency objective be achieved?

With what degree of confidence or trust can each cyber resiliency objective be achieved?

(What do we as security people do to ensure that all of these are properly answered? --brbr)

Architecture of systems:

Depending on the age of our information systems and technology stacks, cruft builds up, or one-off systems are set up and forgotten.

We (the infosec industry) talk about shifting security left in a DevOps environment to ensure security gets built in, but what should we do as an organization when we think about adding systems in terms of cyber-resilience? (It would seem that resilience may also be tied to the security or functionality in a piece of hardware and software. Proper understanding of all the systems’ capabilities/settings/options would be essential for drafting responses --brbr)

Some related and tangential suggestions for ideas/comments/themes/topics in case you feel like any fit into the conversation:

  • Comparison of security to the human immune system.
  • Does resilience (i.e., assume breach) imply there are failures you can recover from, yet other, existential risks you need to avoid? And what does that mean in practice?
  • How do you define “most valuable assets”? Value vs. obligations vs. ...?
  • Does a compliance mindset help or hinder resilience, and vice versa?
  • Referring back to a prior show, how does the human element contribute to resilience?
  • The NIST doc makes the point that resilience only has meaning when it works across a system; how does this idea impact the cost of entry? And is there a tipping point for resilienc...

Previous Episode

2020-022-Andrew Shikiar, FIDO Alliance, removing password from IoT, and discussing FIDO implementation

Andrew Shikiar, executive director and CMO of the FIDO (Fast IDentity Online) Alliance.

What is FIDO?

“open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords.”

Did any one event precipitate creation of the FIDO alliance?

UAF = https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html

U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (yubikeys, tokens)

https://landing.google.com/advancedprotection/

FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess

FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/

IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/

Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework

NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

https://fidoalliance.org/certification/authenticator-certification-levels/

https://github.com/herrjemand/awesome-webauthn

https://fidoalliance.org/content/case-study/

https://loginwithfido.com/provider/

From a threat modeling perspective, how does ‘2fa’ occur when the authenticating method and the browser are on the same device?

Consumer education initiative https://loginwithfido.com/

IoT Devices- https://fidoalliance.org/internet-of-things/

https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/

For Developers: https://fidoalliance.org/developers/ or https://webauthn.io/ - dev information about WebAuthN

https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics

NTT DOCOMO introduces passwordless authentication for d ACCOUNT

https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev

Next Episode

2020-024-Bit of news, Ripple20 vulns, IoT Security, windows error codes, captchas used for evil, Marine Momma

https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/

https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4657

https://www.blumira.com/logmira-windows-logging-policies-for-better-threat-detection/

How would we map this against the MITRE matrix?

Are there any MITRE attack types that are so similar that one attack can be two different things in the matrix?

https://www.us-cert.gov/ics/advisories/icsa-20-168-01

https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/

https://www.tenable.com/blog/cve-2020-11896-cve-2020-11897-cve-2020-11901-ripple20-zero-day-vulnerabilities-in-treck-tcpip

https://arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email [email protected]

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: [email protected]

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
