In the military, the art of strategy is key. It teaches how to win a war through a series of battles, campaigns and tactics. In the cybersecurity world, we have been on the defensive side for as long as we can remember. We focus on frameworks and tactics such as Defense in Depth, the onion or defensive layer theory, and perimeter security. And that’s why threat actors still have control of the battlefield today. Instead, in order to become more cyber resilient, we need to take a leap into the offensive side, always thinking about our enemies’ strategies.
In “The Art of War,” Sun Tzu says “Tactics without strategy is the noise before defeat.”
Thinking only about tactics will always put you in a reactive position. So, you will always make short-term decisions based on a previous ad-hoc solution.
These short-term tactics won’t work in the long run against the changing face of cyber threats. Instead, we need to look at the bigger picture. Let’s focus on strategies that will lead to winning the war, not just a battle.
Building a Strategy for a Cyber Resilient Enterprise
Security teams are always under persistent pressure, fighting multiple battles on different front lines. These front lines are only going to get larger and more rugged in the future, especially with an increasing number of devices. After all, it’s now normal for employees to control, manage and monitor the shift into containerization, 5G networks and the use of artificial intelligence.
IBM’s 2020 Cost of a Data Breach Report reveals that, even with today’s applied controls, the average time to identify and contain a breach is 280 days. And a breach costs an average total of $3.86 million. That is the red flag that we need to act on a strategic level. And that requires shifting our mindset to a top-to-bottom approach. Let’s take a look at the five steps required to do that.
Define Risk
We’ve written before about taking a risk-driven approach to security, which can contribute to being more cyber resilient. There are several ways to do this, including following an official framework like NIST, ISO 2700 and COBIT.
As we wrote before, “Frameworks are becoming the strategic tool of choice to assess risk, prioritize threats, secure investment and communicate progress for the most pressing security initiatives.”
The risk-definition step is also a good time to work with professional security services. They can help you identify what parts of your business are most vulnerable and which should be the top priority to secure.
Define Crown Jewels
What exactly needs to be cyber resilient? Well, all of your assets, but even more so the most critical ones. It is common to refer to critical data and assets as ‘crown jewels.’ It would be great to protect the entire enterprise and every crown jewel. The challenge is finding them all and knowing which ones are the target. In “The Art of War,” Sun Tzu says, “If he sends reinforcements everywhere, he will everywhere be weak.”
So, we need to track high-value assets and information flow in the enterprise and evaluate risk posture over time to flag and remediate business impacts.
Know Your Enemy
Warriors win by studying the enemy’s strategy. When becoming more cyber resilient, that strategy includes the tactics that help attackers get in, stay hidden and steal stuff. Knowing their strategies leads to keeping your defensive strategy up-to-date on an ongoing basis. “If you know the enemy and know yourself, you need not fear the result of a hundred battles,” says Sun Tzu.
The MITRE ATT&CK framework is a good tool at this stage. It provides you with the tactics you need and the strategy on top to link these tactics and threat vectors.
Practice, Practice and More Practice
Hard practice on the field is what will make sure you’re cyber resilient on boom day (an actual attack). This is where putting in the time and effort will pay off. Boom day is where the compromise happens, left of boom is what you could have done to prevent this, and right of boom is what you should do to recover. And one should always be ready for the pre-boom time, the boom and the aftermath.
How do you get ready? First, conduct blue/red team exercises on a regular basis. Even better, add purple team activities to align objectives. You can run test attacks to find gaps and find room for improvement. Last but not least, having skilled employees is your first line of defense. IBM’s Global Cyber Resilient Organization Report outlines that 61% of those surveyed cited skilled employees as a top reason for becoming more resilient.
As Jerry Rice says, “The enemy of the best is the good. If you’re always settling with what’s good, you’ll never be the best.”
Cyber Resilient Lessons for Today
How do you know you’re doing all of this right? Review outcomes as an iterative process, talk to your team and find out what worked and what didn’t. KPIs and metrics are key here so that you measure and improve.
One thought we should always keep in mind is that security is always integrated. Whatever tech you deploy needs to be built based on your strategy. Avoid the ‘big bang approach’ of deploying multiple tools to give yourself the illusion of safety. IBM’s Global Cyber Resilient Organization Report finds that those surveyed are using more than 45 different security tools on average, leading to less effective security, not more.
In the end, we must keep on adapting to each cyber threat. By knowing yourself, the enemy and the terrain, you can continuously evaluate your strategy so that you’re always one step ahead.
Cyber Security Intelligence & Operations Practice Leader, IBM