Cyber Resiliency
Felicity March
May 2018
Cyber Resiliency

Cyber resiliency is the ability of an organization to continue to function with the least amount of disruption in the face of cyber attacks. Cyber resiliency is broader in scope than cyber security, comprising both cyber security and business continuity. Cyber security is designed to protect systems, networks and data from cyber crime. Effective cyber security reduces the risk of a cyber attack and protects organisations from the deliberate exploitation of their assets. Business continuity provides the plans and systems to resume operations when a cyber attack leads to a cyber outage causing service disruption.

Thus, cyber resiliency is an end-to-end initiative that brings together and addresses three critical areas: information security, business continuity and network resilience of enterprises, to ensure organizations continue to function against cyber attacks and cyber outages.
IBM Cyber Resiliency

High-profile cyberattacks continue to dominate the business and technology news space at alarming frequency

Newsworthy cyberattacks of 2016-2017:
- Aug 2016: Shadow Brokers
- Sep 2016-Feb 2017: Cloudbleed
- Oct 2016: Dyn DDoS attack
- Mar 2017: WikiLeaks CIA Vault 7
- May 2017: Macron campaign hack
- May 2017: WannaCry
- June 2017: Petya, NotPetya, Nyetya, Goldeneye
- June 2017: 198 million US voter records exposed
- July 2017: Verizon
- Sep 2017: Deloitte
- Sep 2017: Equifax breach of 143 million records
- Jan 2018: Spectre and Meltdown vulnerabilities

Our focus here is new, highly destructive cyberattacks.
Some destructive cyberattacks will get through

Ciaran Martin said the UK had been fortunate to avoid a so-called category one (C1) attack, broadly defined as an attack that might cripple infrastructure such as energy supplies and the financial services sector. The US, France and other parts of Europe have already faced such attacks. Martin said he anticipated such an attack in the next two years. He admitted total protection was impossible. Some attacks will get through.

Figures for cyber-attacks since the NCSC opened through to December last year underline the pressure building on the UK from hackers. The NCSC recorded 34 C2 attacks, with WannaCry the most disruptive of these, and 762 slightly less serious C3 ones.

Source: https://www.theguardian.com/technology/2018/jan/22/cyber-attack-on-uk-matter-of-when-not-if-says-security-chief-ciaranmartin
NotPetya got through, and it could have been much worse: it was not designed to spread externally

- 80% of infections were in Ukraine, followed by 9% in Germany
- Some large firms trading in Ukraine were collateral damage
- Biggest thing in IBM last summer (we supported just a few affected firms)
- Initial infection was through a legitimate software update; extremely hard to prevent, if at all possible
- No successful prevention of initial infection where the malware payload was downloaded
- Where uncontained, the infection spread everywhere in minutes
- Typically, within the hour affected firms lost everything, everywhere, all at once; a shock and awe moment
- Organisations had not designed DR solutions to withstand or to recover from a cyber-attack, resulting in recovery taking weeks or months
As a result of these new attacks, board leaders ranked cyberattacks in the top 5 Global Risks at the World Economic Forum in Davos, Switzerland, in 2018

Global Risks are those that have a macro-impact across sectors. Boards across the globe need to consider how key business parameters will be influenced by these risks in view of the mitigations implemented. In terms of preparedness, cyberattacks present a significant opportunity to de-risk the business. However, a coherent strategy and understanding of the underlying issues is lacking, as the impact is not fully understood at Board level.

Business Impact: 4.8-15% stock value erosion post cyberattack / data breach (*)

Sources: World Economic Forum, 2018; (*) Cyber Value Connection
Incident Timeline (figure; events shown along the timeline, from the initial phishing email through "BOOM" to the regulatory investigation):
- Phishing Email
- Credentials Stolen
- Malware Deployed
- Remote Access to Network
- Database Stolen
- Additional Compromises
- Encrypted Communication
- Altered Financial Reports
- BOOM
- First Public Indicator
- Law Enforcement Calls CEO
- Twitter Sentiment Falls
- Stock Price Falls
- Update C-Level Executives
- Insider? Victim? Validate
- Press Conference
- Forensic Research
- Response Website
- Notify Customers & Partners
- Board of Directors Meeting
- Legal Deposition
- Regulation Authority Investigation
Cyber resiliency is a team sport: combining Security, Business Continuity, DR and Networks (*)

Identify
- Identify your risks
- Identify key assets, systems and data
- Assess your cyber resiliency readiness, process and posture
- Define a roadmap and action plan to build or improve your cyber resiliency plan

Protect
- Protect your assets against attacks by discovering vulnerabilities before they are exploited
- Awareness and Training
- Access Control
- Discover and patch systems
- Automatically fix vulnerabilities
- Zero Trust as a guiding principle of your network policy

Detect
- Detect threat activity with advanced analytics
- See attacks across the enterprise
- Investigate active threats from inside and outside the enterprise
- Cognitive analysis and automation

Respond
- Respond with a plan
- Response planning and orchestration
- Engage cyber incident responders leveraging threat intelligence to repel the attackers
- Remediate the attack damage by restoring systems and closing vulnerabilities

Recover
- Recover normal operations
- Orchestrate and automate your recovery workflow
- Rebuild mission-critical business applications
- Restore data from backup
- Prioritize network resources to speed recovery

(*) National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, https://www.nist.gov/cyberframework
Cyber Resiliency Blueprint

Phases: Identify, Protect, Detect, Respond, Recover

Activities across the phases:
- Definition of goals and requirements related to identified risk
- Maturity assessment on the dimensions of: IT security, network security, business / IT continuity, awareness and training
- Data security, account and access management
- Endpoint management (patch and compliance management)
- SOC/SIEM optimisation
- Vulnerability management
- Endpoint detection and response
- Integration of threat intelligence and cognitive analysis
- Activation of contingency plans with automated communication
- Cyber threat management
- Cyber incident orchestrated response management
- IT recovery orchestration
- Automated recovery including dependency management in hybrid IT environments
- Strategic post-cyber-attack analysis
- Gap analysis and definition of roadmap and associated action plan
- Establishment of business / IT continuity organization
- Optimisation of backup, archive and disaster recovery
- Separation of the data and control layer in the network
- Zero Trust Internet Hub
- Micro-segmentation of the network
- Automatic reporting of network availability
- Monitoring of WAN links
- Construction and implementation of Software Defined WAN
- Policy-based routing of network traffic
- Rapid deployment of new sites (MWS Emergency Kit)
- Global centralized control of network components (SD-WAN)

Outcomes:
- Current level of maturity, including an action plan to enhance the maturity
- Technical restart concept, including a segmented network
- Crisis organization for detection and initiation of measures in case of a cyber attack
- Immediate actions to defend against the cyber attack
- Detailed analysis and prioritized roadmap to define and implement the Blueprint for your company
- Fully and quickly recovered IT landscape after the cyberattack

Implementation: Quick Wins and Strategic Initiatives; Run
Cyber Resiliency combines multiple IT disciplines

Cyber Resiliency Organization Dimensions: Technology Environment, IT Risk, Organisational Management, Information Security Management, Resiliency

Disciplines and sub-dimensions:
- Data Security
- Information Protection
- IT Risk Management
- Threat & Vulnerability Management
- Network Security
- Business Continuity Management
- Policy & Governance
- IT Service Continuity Management
- Cyber Resiliency Program
- Asset Management
- Identity & Access Management
- Change & Config Management
- Event & Incident Response
- Collaboration & Communication
- Disaster Recovery Management
- Partner Eco System
- Training & Awareness
Detailed Approach of the Maturity Assessment

Life Cycle focus areas: Identify, Protect, Detect, Respond, Recover

Organization Dimensions and Sub-Dimensions (each given a maturity rating):
- Policy & Governance
- Cyber Resiliency Program
- Partner Eco System
- IT Risk Management
- Training & Awareness
- Data Security
- Asset Management
- Information Protection
- Change & Config Management
- Technology Environment
- Threat & Vulnerability Management
- Identity & Access Management
- Event & Incident Response
- IT Service Continuity Management
- Collaboration & Communication
- Business Continuity Management
- Disaster Recovery Management

Cyber Resiliency Deliverables:
- Cyber Resiliency Maturity rating
- IBM Recommendations
Cyber Resiliency Assessment
Resiliency Orchestration (Recover)

Brief description:
- Managing DR and resiliency at the business process and application level
- Reducing recovery times and resources by using 400+ recovery automation library patterns
- Using technology to orchestrate automated test plans and failovers
- Dashboard for continual monitoring and prediction of RTO and RPO

Advantages:
- Helps to reduce risk and increase visibility
- Helps to simplify and accelerate the DR process
- Helps to reduce deployment time, recovery time and operating costs
- Helps to simplify DR testing exercises
- Helps to increase availability of business applications

Use cases:
- Drill reliability: increased drill success rate from 60% to >95%
- Increased IT availability: over 85% reduction in downtime for DR
- Scale-up DR program: parallel recovery of multiple applications across data centres
- Cost savings: over 70% reduction in costs; 3x more DR-enabled applications
IBM Resiliency Approach for Rapid Recovery Against Cyber Outages

Recovery automation, air-gapped protection and immutable storage are essential to rapidly recover from cyber outages.

- Air-gapped Protection: an air-gapped solution ensures backup data is not accessible through the same network as production data
- Immutable storage (WORM): immutable storage systems protect your data from changes by always writing a new version
- Verifiable Data: validation ensures the data or configuration that is backed up matches production data, and an audit trail proves veracity
- Orchestration / Automation: orchestration and automation ensure systems can be recovered rapidly, in parallel
- Components to meet Regulations: regulatory bodies impose data storage location, timeline, audit record, format and media rules; for example, Sheltered Harbor requires customer data to be stored at a third-party site
- Application-aware Recovery

March 2018 / 2018 IBM Corporation
Cyber Resiliency solutions powered by IBM Resiliency Orchestration software for Cyber Incident Recovery

Cyber Incident Recovery for Platform Configuration
This solution provides recovery against cyber attacks that corrupt the configuration and alter the behavior of data center platforms, including network devices, storage devices, virtual devices and servers. The solution replicates the configuration data of these devices and servers into IBM immutable storage located in the IBM public cloud or an IBM Resiliency Data Center, alerts the user when there is a suspicious change in configuration data, and rapidly restores the original configuration to the impacted device(s) or servers based on policies.

Cyber Incident Recovery for Applications/Data
This solution provides recovery against cyber attacks that corrupt the data itself. The solution replicates the data from servers and storage using copy data management products, with an air-gap mechanism, into IBM immutable storage located in the customer's DR site and maintains multiple read-only point-in-time (PIT) copies. When there is a cyber outage, it presents the user with options to select the right copies to be restored and rapidly restores them onto the DR compute and DR storage infrastructure.
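The capture, validate, alert and restore loop that the two slides above describe (immutable versioned copies with a verifiable audit trail, and a suspicious-change check on platform configuration) can be made concrete in a few dozen lines. The following is an added illustration written for this page; it is not IBM's Resiliency Orchestration code and does not use its APIs. The device name, configuration text and the "approved change" set are constructed samples, and the suspicious-change policy (any drift not covered by an approved change is flagged) is an assumption chosen for the example.

```python
"""Added example: an append-only configuration vault with drift detection and
restore, modelled on the capture -> validate -> alert -> restore loop described
above. Device names, config text and approved changes are constructed samples."""
import hashlib
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Snapshot:
    """One immutable point-in-time copy of a device configuration."""
    version: int
    sha256: str
    config: str
    taken_at: float


class ImmutableConfigVault:
    """WORM-style store: a capture only ever appends a new version; earlier
    versions are never modified or deleted. The audit list records every action."""

    def __init__(self) -> None:
        self._versions: List[Snapshot] = []
        self.audit: List[Dict[str, object]] = []

    @staticmethod
    def digest(config: str) -> str:
        return hashlib.sha256(config.encode("utf-8")).hexdigest()

    def capture(self, config: str, source: str) -> Snapshot:
        snap = Snapshot(len(self._versions) + 1, self.digest(config), config, time.time())
        self._versions.append(snap)
        self.audit.append({"event": "capture", "version": snap.version,
                           "sha256": snap.sha256, "source": source})
        return snap

    def latest(self) -> Snapshot:
        return self._versions[-1]

    def get(self, version: int) -> Snapshot:
        return self._versions[version - 1]

    def verify(self) -> bool:
        """Validation step: every stored copy must still match its recorded hash."""
        return all(self.digest(s.config) == s.sha256 for s in self._versions)


def config_lines(config: str) -> set:
    """Normalise a config into a set of statements, ignoring blanks and '!' comments."""
    return {ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")}


def detect_drift(baseline: str, live: str) -> Dict[str, List[str]]:
    """Line-level diff between the last trusted copy and what the device reports now."""
    before, after = config_lines(baseline), config_lines(live)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def assess_live_config(vault: ImmutableConfigVault, live: str,
                       approved: Optional[set] = None) -> Dict[str, object]:
    """Assumed policy: drift not covered by an approved change (e.g. a change
    ticket) is suspicious and should raise an alert."""
    approved = approved or set()
    drift = detect_drift(vault.latest().config, live)
    unexpected = [ln for ln in drift["added"] + drift["removed"] if ln not in approved]
    result = {"drift": drift, "unexpected": unexpected, "suspicious": bool(unexpected)}
    vault.audit.append({"event": "assess", "suspicious": result["suspicious"],
                        "unexpected": unexpected})
    return result


def restore(vault: ImmutableConfigVault, version: int) -> str:
    """Return the trusted configuration to push back to the device, after
    re-checking the stored copy's integrity, and record the restore."""
    snap = vault.get(version)
    if vault.digest(snap.config) != snap.sha256:
        raise RuntimeError("stored copy failed integrity check; do not restore")
    vault.audit.append({"event": "restore", "version": version, "sha256": snap.sha256})
    return snap.config


# Constructed sample: a trusted capture, then a live config containing one
# approved change (second NTP server) and two unexplained ones.
BASELINE = """! core-router-01 (constructed sample)
hostname core-router-01
logging host 10.0.0.20
ntp server 10.0.0.5
ip route 0.0.0.0/0 10.0.0.1
"""
LIVE_AFTER_CHANGE = """! core-router-01 (constructed sample)
hostname core-router-01
ntp server 10.0.0.5
ntp server 10.0.0.6
ip route 0.0.0.0/0 198.51.100.7
"""
APPROVED_CHANGES = {"ntp server 10.0.0.6"}   # what the (constructed) change ticket authorised


def run_demo() -> Dict[str, object]:
    vault = ImmutableConfigVault()
    vault.capture(BASELINE, source="scheduled backup")
    verdict = assess_live_config(vault, LIVE_AFTER_CHANGE, APPROVED_CHANGES)
    restored = restore(vault, 1) if verdict["suspicious"] else None
    return {"verdict": verdict, "restored": restored,
            "vault_ok": vault.verify(), "audit": vault.audit}


if __name__ == "__main__":
    out = run_demo()
    print("suspicious:", out["verdict"]["suspicious"])
    print("unexpected lines:", out["verdict"]["unexpected"])
```

The frozen dataclass and append-only list stand in for the WORM property of the immutable storage; the hash recorded at capture time and re-checked in `verify()` and `restore()` is the "verifiable data" step, and the audit list is the trail that proves veracity. In a real deployment the vault would live on the air-gapped or immutable tier rather than in process memory, and the restore would be pushed through the orchestration tool's device connectors.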
The impacts of these attacks are so high because firms are unprepared for response and recovery from them; here are some lessons learned

1. Get yourselves match fit
- Build a response plan with the right workflow
- Partner with industry experts that can help in time of need to quickly analyze the situation, handle crisis communication and work with law enforcement. Also required are experts that can quickly recover all of the technology and assets to restore business operations.
- Practice

2. Cyber resiliency is a team sport
- Organizational alignment required: there is a gap between Security and DR
- DR functions mitigate traditional BC/DR risks, not recovery from a cyberattack

3. DR vulnerabilities must be fixed
- The DR capability is also affected by the cyberattack
- Unarticulated DR planning assumptions, e.g. that AD is available
- What is the backup for the backup?

4. Meet the challenge of scale
- Unrealistic DR tests, and not for cyberattack scenarios
- Very labour-intensive and long recovery
- Need for DR automation and orchestration

5. Look out for Industry 4.0 / OT / supply chain
- NotPetya attacked via a trusted supplier
- WannaCry impacted the NHS via imaging and analysis equipment
- Back-level versions in OT systems; significant patching lag; IT departments not aware