Resilience by design


COMMENTARY | How federal agencies can achieve cyber resilience via a data-centric security approach.

In today’s global economy, data is ubiquitous and the lifeblood of businesses and government – therefore protecting that data is a top priority. 

Cyber incidents and breaches often go unnoticed for extended periods, which is why government agencies need to build in cyber resilience so that threats are identified and addressed quickly. The government's adoption of zero trust principles and architecture aims to safeguard mission objectives that depend on technology, and its emphasis so far has been on strengthening identity, access management, and authentication, the areas of greatest concern for agencies.

Adversaries are primarily after two things: access and data. Cyber resilience and data security should therefore be the next major objective of zero trust. Determining how much sensitive data sits in an agency environment is hard: few organizations of any reasonable scale can say with confidence how much data they hold, where all of it resides, and whether appropriate access controls are in place.

Navigating cybersecurity’s human factor

The human element is also a big challenge, especially when need-to-know concerns or other complicated factors exist. An example from my tenure in government illustrates why cyber resiliency and a data-centric approach to cybersecurity are vital.

During one incident response, the team began to assess and analyze a system suspected of having been compromised. The system had been in operation for five or six years: the database administrator had transitioned out and no replacement had been appointed, the person who built the system had left the organization, and the IT team did not know what kind of information it housed. The cybersecurity team confirmed the system was compromised; luckily, no data had yet been exfiltrated or stolen.

During the assessment, the incident response team discovered that the IT department had already reimaged the system, but into a vulnerable state, and had put it back online, remotely accessible from the Internet. When the security team took the system offline, they found information on government personnel, including Social Security numbers and health records, that no one seemed to have known was there. Unfortunately, this is an all-too-common scenario.

How do agencies protect what they can’t see?

Had the team known the system held sensitive data, stronger protections would have been in place. Moreover, when the IT team performed its resiliency and recovery activities, it did not restore the system to a known good, secure state. This gave a false sense of security: availability had been restored, but the system remained vulnerable and exposed, potentially opening the door to further attacks.

A data-centric approach incorporating capabilities such as data discovery, classification, and observability can provide continuous visibility into data risk across distributed environments. Correlating that view with backup data adds context for identifying abnormal access attempts and insider threats. Automated response playbooks can then isolate confirmed incidents, reducing dwell time and helping to contain the damage.
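As an added illustration of the discovery and classification step (example code written for this article, not part of the original commentary or of any vendor product), the following Python scans constructed sample records for Social Security numbers and health data and produces the "what is in here" inventory the IT team in the story lacked. The records, field names, and the health keyword list are invented; the SSN check applies the Social Security Administration's structural rules rather than a bare regex, so that placeholder or obviously invalid numbers do not inflate the inventory.

```python
import re
from collections import Counter

# Constructed sample records standing in for rows from a system whose contents
# nobody documented. Names, numbers and field layout are invented.
SAMPLE_RECORDS = [
    "employee=J. Doe; ssn=219-09-9999; role=analyst",
    "employee=R. Roe; ssn=000-12-3456; role=contractor",        # invalid area 000
    "ticket=TK-4411; contact=800-555-0199; status=open",          # phone, not an SSN
    "patient=J. Doe; diagnosis=hypertension; icd10=I10; ssn=219-09-9999",
    "asset=srv-db-07; os=rhel8; last_patch=2023-01-15",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Loose ICD-10 shape (letter, two digits, optional decimal extension).
ICD10_RE = re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b")
# Assumed keyword list; a real deployment would use a curated taxonomy.
HEALTH_TERMS = ("patient", "diagnosis", "prescription", "treatment", "icd10")


def is_plausible_ssn(area, group, serial):
    """SSA structural rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def classify_record(text):
    """Return the set of sensitivity labels found in one record."""
    labels = set()
    if any(is_plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        labels.add("PII:SSN")
    lowered = text.lower()
    if any(term in lowered for term in HEALTH_TERMS) or ICD10_RE.search(text):
        labels.add("PHI")
    return labels


def inventory(records):
    """Count labels across a store: how much sensitive data is here, by type."""
    counts = Counter()
    for record in records:
        counts.update(classify_record(record))
    return counts


def restricted_indices(records):
    """Indices of records that need the stronger protections the text calls for."""
    return [i for i, record in enumerate(records) if classify_record(record)]


if __name__ == "__main__":
    print(dict(inventory(SAMPLE_RECORDS)))
    print("restricted records:", restricted_indices(SAMPLE_RECORDS))
```

Running the block over the constructed records reports two SSN hits and one health record, and flags records 0 and 3 as restricted; the structurally invalid SSN and the phone number are not counted, which is the difference between a discovery tool an agency can act on and one that buries real findings in noise.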

The role of backup

Ransomware attacks increasingly target backup and test systems, which are critical for disaster recovery. Yet many IT teams still treat backup as a disaster recovery tool rather than as part of overall cyber resilience, and test systems are often not included in cyber or recovery protocols at all.

According to the Rubrik Zero Labs State of Data Security report, Rubrik telemetry estimates that 90% of ransomware attacks target backup stores first. To achieve cyber resilience as outlined in the National Institute of Standards and Technology's cyber resiliency principles, agencies must implement backup solutions with immutable, air-gapped copies held in isolated recovery environments, so that operations can continue even when primary systems are compromised.

A data-centric approach should also let agencies instantiate certain types of systems in an isolated environment for analysis or triage. There, assessments can determine whether the system is secure and whether all attack vectors have been mitigated, and the system can be patched and its configuration hardened before it is brought back online in a trusted state. Otherwise, recovery risks making things worse.
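An added example of the "known good state" gate described above, written for this piece rather than taken from any agency or vendor tooling: it compares a restored image against a golden manifest by file hash, checks package versions against an assumed patch floor, and verifies hardening settings before a system is marked trusted. The images, paths, version numbers, and required settings are constructed stand-ins; a real run would hash the mounted filesystems of the isolated restore.

```python
import hashlib

# Constructed stand-ins for a golden (known-good) image and a freshly restored
# copy, keyed by path. Paths, contents and version numbers are invented.
GOLDEN_IMAGE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/app/config.ini": b"[db]\nlisten=127.0.0.1\n",
    "/var/lib/pkg/versions": b"openssl=3.0.12\nhttpd=2.4.58\n",
}
RESTORED_IMAGE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication yes\n",
    "/etc/app/config.ini": b"[db]\nlisten=0.0.0.0\n",
    "/var/lib/pkg/versions": b"openssl=3.0.2\nhttpd=2.4.58\n",
    "/root/.ssh/authorized_keys": b"ssh-ed25519 AAAA... unknown@example\n",
}

# Assumed patch floor and required hardening settings for this system class.
MIN_PATCHED = {"openssl": "3.0.12", "httpd": "2.4.58"}
REQUIRED_SETTINGS = {
    "/etc/ssh/sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}


def manifest(image):
    """Map every path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in image.items()}


def diff_manifests(golden, restored):
    """Report drift of the restored manifest relative to the golden one."""
    return {
        "modified": sorted(p for p in golden if p in restored and golden[p] != restored[p]),
        "missing": sorted(p for p in golden if p not in restored),
        "added": sorted(p for p in restored if p not in golden),
    }


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def check_patch_level(image):
    """Flag packages below the assumed patch floor."""
    findings = []
    for line in image.get("/var/lib/pkg/versions", b"").decode().splitlines():
        name, _, version = line.partition("=")
        floor = MIN_PATCHED.get(name)
        if floor and version_tuple(version) < version_tuple(floor):
            findings.append(f"{name} {version} is below patch floor {floor}")
    return findings


def check_settings(image):
    """Flag hardening settings that the restored files do not satisfy."""
    findings = []
    for path, required in REQUIRED_SETTINGS.items():
        present = {}
        for line in image.get(path, b"").decode().splitlines():
            key, _, value = line.partition(" ")
            present[key] = value.strip()
        for key, expected in required.items():
            if present.get(key) != expected:
                findings.append(f"{path}: {key} is {present.get(key, 'unset')!r}, expected {expected!r}")
    return findings


def assess_restore(golden_image, restored_image):
    """Gate the restored system: trusted only with no drift and no findings."""
    drift = diff_manifests(manifest(golden_image), manifest(restored_image))
    findings = check_patch_level(restored_image) + check_settings(restored_image)
    has_drift = any(drift.values())
    return {"drift": drift, "findings": findings, "trusted": not has_drift and not findings}


if __name__ == "__main__":
    verdict = assess_restore(GOLDEN_IMAGE, RESTORED_IMAGE)
    print("trusted:", verdict["trusted"])
    for finding in verdict["findings"]:
        print("finding:", finding)
```

On the constructed input the restore is rejected: three golden files differ, an unexpected authorized_keys file has appeared, OpenSSL is below the floor, and both SSH settings have regressed. The gate is deliberately strict in both directions: a restore that is patched beyond the golden image also fails, which forces the team to update the baseline rather than bring back a system whose state nobody can vouch for.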

Many federal cybersecurity efforts remain compliance-driven, yet threats rapidly outpace mandated controls. More robust data-centric security can close these gaps. Equally important, if not more so, are the cultural changes these efforts must embrace: the most robust controls fail if users bypass them, so regular training and a culture that supports security are essential. It is a collective effort that can make a real difference.

Systems must be resilient by design

With data everywhere, resilient system design is paramount, and agencies must build in that resilience before systems are deployed to production. Secure defaults such as zero-trust access controls, micro-segmentation, and encryption are crucial for protecting the confidentiality and integrity of data. The urgency of these measures cannot be overstated.

With these controls and measures in place, agencies can incorporate cyber resiliency principles: anticipate, withstand, recover from, and adapt to adverse conditions. Cyber resilience is essential to ensure that mission objectives that depend on cyber resources can be achieved in a contested cyber environment.