Operational Resilience: What It Is and Why It's Important
Frankly stated, operational resilience is your ability to climb the mountain, no matter the weather. Businesses now need more than a good security structure to weather the storms of AI-driven threats, APTs, cloud-based risks, and hyper-distributed environments.
And more importantly, operational resilience in 2024 requires a paradigm shift. Attackers aren’t out there doing the bare minimum. As the numbers suggest, they’re getting the job done. And so must we, even if it means doing more than is required on paper.
Start with Compliance
The first and most basic step to attaining operational resilience is doing the simple things that are required by law. Compliance regulations and frameworks like GDPR, SOX, NIST, HIPAA, NERC CIP, NIS2, and the Digital Operational Resilience Act (DORA) are great places to start.
However, there’s so much alphabet soup now surrounding compliance that it’s easy to focus on only the letters you like – or the ones with the seemingly biggest import. Bear in mind these (like GDPR) are made to be mass-applied, and one size doesn’t fit all perfectly. It’s those gaps where attackers will weasel their way through.
GDPR is an excellent start. It tells you what needs to be done and what you’re responsible for. But it doesn’t tell you how to do it. For example, GDPR tells us that data must be “[protected] against … accidental loss, destruction or damage.” DORA and NIS2, on the other hand, explicitly call out sets of controls you should apply, such as threat-led penetration testing, and specify different schedules based on the size of the organization.
Find out which framework(s) you are beholden to. Remember that not all of them are created equally, or even completely, and that the goal is to be safe, not to “get an A.” Go beyond GDPR and state requirements and dig into the standards that have been created for your industry.
Secure Your Supply Chain
If you had talked to organizations two years ago about how they handled supply chain security, they would have talked about supplier checklists, risk audits, and the like. However, third parties are just as dynamic as the organization itself. Each brings its own code, possibly built on open-source libraries, possibly still carrying bugs. Each has its own external partners, introducing fourth-party risk, and each may or may not do vulnerability management the way you do.
Plus, big companies today are doing a standout job of securing their enterprises, and it’s working – attackers are often shifting their attention to smaller companies without as much security investment. That means third parties that once felt safe in the shadows are now sought-after targets of attack.
And that risk needs to be entertained. Supplier checklists are great, but they only go so far in telling you how the organization will stand up against real-world threats, and the answer is sometimes “not great.” Do you have a plan if your third party goes down? What about incident response? Have you put all your eggs in the Amazon Web Services (AWS) basket, for instance, or do you also have a backup in Azure? Cloud Service Providers (CSPs) are not the same as Cloud Security Service Providers (CSSPs), and taking the initiative for your own half of the shared responsibility model in the cloud is key to avoiding surprises.
Operational resilience today depends on security being three-dimensional. Unfortunately, typical vendor security questionnaires don’t always reflect that. Some of the best advice I’ve gotten in this area comes from those on the other end of these assessments. Their basic feedback is that the security questions – intended to vet a company’s security liability – are often too generic. They don’t cover risks germane to the organization’s particular industry and, therefore, fail to identify risks and leave security holes.
This is why it’s so important that any company working with third parties still ultimately considers operational resilience their responsibility – and not anybody else’s.
Take 100% Ownership for Third Parties
That’s why organizations need to go beyond the letter of the law and really catch the vision. Nowhere is this more relevant than in supply chain security.
Attackers will go for the weakest link — that’s not news to anyone. But large corporations spend so much time covering their assets that they don’t realize what’s still under their umbrella (and getting wet). Let’s look at finance, for example. Newer online banks, cryptocurrency providers, FinTech startups, and others in the financial sector that aren’t major players are still, well, connected. Because large companies are now doing such a knockout job of securing their systems, attackers have no choice but to attack the little guys. These “minor” players often think, “Oh, we’re a startup. We’ll worry about cybersecurity in a few years.” Meanwhile, threat actors are looking to breach your systems now, while you’re unprepared. Sinking these small ships could have a significant ripple effect on the industry, as they sit in the background, holding all these larger financial organizations together. After all, it only took one computer, infected through a NotPetya-compromised version of the little-known accounting software M.E.Doc, to bring down shipping giant Maersk in the summer of 2017. It could happen to anybody, and to downstream third parties especially.
That’s why upstream organizations need to take 100% responsibility for their security stance and whatever else can influence it in any way. And therein lies the paradigm shift.
Lynn G. Robbins, co-founder of the time-management seminar company Franklin Quest, noted the value of this principle in a university address. The company was about to lose a lucrative multi-million-dollar corporate account due to supply chain issues: supplies would arrive at the seminars incomplete, incorrect, or not at all. Getting to the root of the issue, he incentivized the two warehouse workers at the tip of the spear with bonuses for every perfect shipment and revoked those bonuses for any error – even ones made by others down the chain. This led to double and triple checking, complete ownership of anything that left the warehouse in their name, and ultimately, zero errors.
This is the kind of ownership organizations need to adopt in a hyper-distributed workplace and when dealing with hyper-distributed supply chains. If it touches you or your organization in any way, it’s your responsibility to secure it. Because when the breach comes, you’ll be the one left holding the bag. And at that point, your customers won’t care who originally caused the issue, only that their data was breached when they trusted it to your brand.
So, how can organizations take 100% responsibility for operational resilience? By taking matters into their own hands and trusting that old proverb: Trust but verify. Going forward, companies need to treat third-party security like it is their own. If you run vulnerability scans on your network, run them on theirs. If you pen test and hit your blue team with red team engagements, do the same to them. Treat their security posture, even if good on paper, as unproven.
And lean into the three principles of operational resilience to help both you and your supply chain stay safe.
Top 3 Operational Resilience Principles
- Configuration Management in the Cloud and Beyond | As we all hurriedly “rushed to the cloud,” it was difficult not to adopt at least some magical thinking. Here was a panacea. There was a super secure lock box floating somewhere beyond the realm of prying malicious hackers. There was a “set it and forget it” model that stored your stuff and secured it, too. Well, not quite. As was mentioned previously, Cloud Service Providers are not, by default, Cloud Security Service Providers, and the distinction makes a difference. Default security measures need to be supplemented with proactive, customer-driven cloud security measures of their own.
Secondly, even if you were to somehow have the best defenses in the world, they could all come to naught due to misconfiguration. You need someone, or something, to come behind them and check for errors. Your Infosec team might know best how to configure security settings in AWS, but your in-house development team may not. And what they don’t know can hurt them. It’s easy to say, “Okay, we’ll use AWS for our testing environments, and we need an extract from the customer database of 300,000 records to test against,” but it’s a lot harder to grasp the best practices when it comes to putting security in place.
It’s important to get these things right. Fortra’s Tripwire Configuration Management solution allows you to pick your framework, then scan your environment for risk and automate compliance evidence, keeping your infrastructure safe and free from needless configuration errors.
- Know Your Risk Across Infrastructure, Software, and Applications | This second part is well-covered by DORA, which leans heavily into pen testing to discover what’s at risk. Going in, companies should ask who is responsible for their sensitive data, the level of their risk appetite, and what elements introduce that risk – in their enterprise and those beyond. That means asking third parties questions relevant to compliance standards, configuration specifics, and the specific security needs of their industry when it comes time for the traditional questionnaire. And it means moving beyond the questions. Now comes the “verify” part of that proverb. Dynamic software analysis tools can determine whether free, Open-Source software has vulnerabilities – whether in your environment or your third party’s. No matter what the answers on a vendor intake form may say, there’s no better way of knowing your all-around risk than by assuming responsibility for your operational resilience and treating a third party’s security initiatives as an extension of your own.
- Data Discovery – Where Does Your Sensitive Data Live? | Perhaps counter-intuitively, pen testing can be used for data discovery before a single policy is laid down. Companies need to know where their sensitive information resides, especially as it gets hyper-distributed in the cloud.
So, companies are here: “We understand that with the on-premises infrastructure, the cloud infrastructure, the web applications, and the third-party software we’ve bought that there are potential risks there that could be exploited by an attacker.”
They then go to: “Where do we have the information that needs to be protected? Where do we have critical systems? Where are the potential vulnerabilities around that?”
Then finally: “Let’s use the pen testing and red teaming to prioritize the risks that we need to mitigate first there, because that’s where we’ve got sensitive data.” For instance, a Core Impact pen test could reveal that an attacker could reach critical systems remarkably easily, or a Cobalt Strike red team engagement could show just how quickly attackers could steal sensitive data – even with all the guardrails in place.
At this point, teams are coming to terms with the areas of risk that warrant top security. And a two-dimensional questionnaire could never identify all the real-world weak spots like a robust proactive security battery could.
Now, savvy teams will cross-check these results with insight gleaned from Data Discovery tools. Solutions like Titus and Digital Guardian can provide organizations with additional context, identifying what sensitive data they have and where it is stored, shared, and accessed.
By marrying that information with the results of their pen testing and red team, teams can gain a more complete picture of the risk their valuable information is exposed to. And it is in the combination of both of these datasets that accurate prioritization is best established.
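The prioritization described above, combining data-discovery output with pen-test findings, as an added worked example that is not from the article or any Fortra product. The system names, data classes, findings and scoring weights are constructed assumptions, not any vendor's schema.

```python
"""Added example: rank systems by combining constructed data-discovery output
with constructed pen-test findings, so that a reachable system holding sensitive
data outranks a reachable system holding nothing. All values are made up."""

# Constructed data-discovery output: sensitive data classes found on each system.
DISCOVERY = {
    "crm-db": {"pii", "payment"},
    "backup-vault": {"pii", "payment"},   # holds data, but testers never reached it
    "hr-share": {"pii"},
    "build-server": set(),                 # reached by testers, but no sensitive data
    "vendor-portal": {"contracts"},
}

# Constructed pen-test / red-team findings: severity and hops from the initial foothold.
FINDINGS = [
    {"system": "crm-db", "severity": "high", "hops": 2},
    {"system": "build-server", "severity": "critical", "hops": 1},
    {"system": "vendor-portal", "severity": "medium", "hops": 1},
    {"system": "hr-share", "severity": "low", "hops": 4},
]

DATA_WEIGHT = {"payment": 5, "pii": 4, "contracts": 2}      # assumed sensitivity weights
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def data_score(classes):
    """Sensitivity of a system: sum of the weights of the data classes found on it."""
    return sum(DATA_WEIGHT.get(c, 1) for c in classes)


def exposure_score(findings, system):
    """Exploitability shown by the pen test: worst severity, discounted by distance
    from the foothold. Zero when testers never reached the system."""
    return max((SEVERITY_WEIGHT[f["severity"]] / f["hops"]
                for f in findings if f["system"] == system), default=0.0)


def prioritize(discovery, findings):
    """Rank every system seen by either tool. The product form keeps a system that
    holds data but was never reached (or was reached but holds nothing) in the list,
    while putting reachable, data-rich systems on top."""
    systems = set(discovery) | {f["system"] for f in findings}
    scored = {s: (1 + data_score(discovery.get(s, set())))
                 * (1 + exposure_score(findings, s)) - 1 for s in systems}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for system, score in prioritize(DISCOVERY, FINDINGS):
        print(f"{system:14} {score:6.2f}")
```

Note that the "critical" pen-test finding on build-server ranks last once the data-discovery view is applied, while backup-vault, which the testers never reached, still stays on the list because of what it holds.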
Operational Resilience depends on layering defense and going the extra mile to verify – not assume – supply chain partners are safe. It also includes taking the same precaution to ensure your most salient vulnerabilities are under control. Leveraging vulnerability management, pen testing, and red teaming earlier in the cycle is a “security hack” that can help teams chart the best course and get the best outcomes.
Tools and Remediation
It’s important that organizations skillfully protect both sides of the security spectrum: infrastructure and data. They need both pen testing and red teaming to vet the environment and security controls for phishing, data loss, and the like.
Once aware of their weaknesses (and their vendors’), they can implement the following measures to plug security gaps:
If organizations want to stay in the game, they need to outsmart attackers. Generic injunctions will not do; they need specific framework guidelines to follow in order to avoid letting key security principles fall through the cracks. Companies need to secure their supply chain, even if it means doing it themselves. They need to eliminate configuration errors and leverage proactive techniques to get the best, most accurate scope of the real threats their enterprise is facing.
Going into 2024, operational resilience will be largely a test of who understands their environment better. Fortra’s portfolio of solutions can help simplify yours. Gain visibility over your hyper-distributed environments today and build the security programs that will let your company last for years to come – no matter what storms come your way.