The cyber resilient organization part III: Cyber resiliency defense in a hybrid IT world

By: Kaustubh Vazalwar

With each new technological innovation, new vulnerabilities and attack surfaces emerge for hackers to exploit. Today’s IT infrastructures are increasingly hybrid, with multi-vendor enterprise models that deploy the many types of hardware and software required for business continuity. However a given environment is built, virtual and cloud deployments now form a significant majority of it, and they need appropriate focus in order to achieve cyber resiliency.

What it means to be resilient differs when you compare a traditional on-premises setup with a hybrid cloud environment. Abstraction and virtualization come into focus when cloud applications or storage services are in use. Attack techniques such as virtual machine escape and hyperjacking (malicious control of the hypervisor or of the underlying hardware controlling virtual machines), as well as flawed device drivers, can expose such environments to a range of data compromises. Exposures in Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) environments are even more harmful, as they can have a direct impact on human life, and they require strict controls.

Cyber resiliency for hybrid IT

When mitigating risks in a cloud environment, maintaining visibility into the flow of data and other information across all layers is critical, keeping in mind possible gaps like unnecessary services, vulnerable APIs and deficiencies in backup and disaster recovery (DR) solutions.

Some of the most important defense techniques include:

  • Evaluating, reducing and controlling your attack surfaces. Control and reduce your attack surface and overall exposure by applying continuous review, defense in depth with multiple layers of countermeasures, a limit on the number of trusted nodes in the system, a reduction in the number of open ports and services, and least privilege.
  • Early application of resiliency principles in the life cycle. Resiliency considerations should be integral to the scoping, design, build and testing phases in the Systems Development Life Cycle (SDLC). Early review and application of security and resiliency principles makes the overall approach proactive in nature and reduces the effort of securing the system long term. Working reactively to close vulnerabilities later is almost always more expensive.
  • Key functional controls. Controls such as continuous behavior review of business applications, technical and functional segmentation within the infrastructure, management of persistent data, identity and access management, and clear trust criteria as a base for effective privilege management are key to ensuring data is not compromised, especially in hybrid environments.
  • Dependency analysis. Review and analyze configuration as well as upstream and downstream data flow. This helps you determine potential single points of failure, likely exploitation targets and paths to privilege escalation through inherited access, so you can strengthen disaster recovery (DR) protocols, improve your backup environment and identify the critical people in the cyber event response chain.
  • Community intelligence. In an era when technology is continuously changing and advanced persistent threats are always finding new ways to evade technical and nontechnical controls, including user controls, it’s important to watch for input from the industry on which new trends and countermeasures are being deployed.
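The dependency analysis above can be made concrete by modelling the environment as a dependency graph and asking two questions: which components does everything else transitively rest on (blast radius), and which shared components would take down every critical service at once (single points of failure). The following is an added example, not code from the original post; the service inventory is constructed and the service names are hypothetical.

```python
"""Added example: dependency analysis over a constructed hybrid-IT service map.
Each service lists the upstream services or resources it needs; walking the
graph in reverse gives the blast radius of a failure in any one component."""
from collections import deque

# Constructed sample inventory (hypothetical names): service -> upstream dependencies.
DEPENDENCIES = {
    "web-portal":    ["api-gateway", "cdn"],
    "api-gateway":   ["auth-service", "order-service"],
    "auth-service":  ["directory", "db-primary"],
    "order-service": ["db-primary", "queue"],
    "db-primary":    ["san-storage"],
    "queue":         ["san-storage"],
    "directory":     ["on-prem-ad"],   # cloud directory backed by on-premises AD
    "cdn":           [],
    "san-storage":   [],
    "on-prem-ad":    [],
}

def reverse_graph(deps):
    """Invert upstream -> downstream so we can ask 'who depends on this node?'."""
    rev = {n: [] for n in deps}
    for svc, upstreams in deps.items():
        for up in upstreams:
            rev.setdefault(up, []).append(svc)
    return rev

def blast_radius(deps, node):
    """Set of services that transitively depend on `node` and are impacted if it fails."""
    rev = reverse_graph(deps)
    seen, queue = set(), deque([node])
    while queue:
        cur = queue.popleft()
        for downstream in rev.get(cur, []):
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return seen

def single_points_of_failure(deps, critical):
    """Components outside `critical` whose single outage reaches every critical service."""
    critical = set(critical)
    return sorted(n for n in deps if n not in critical and critical <= blast_radius(deps, n))

def ranked_by_impact(deps):
    """Components ordered by blast radius, largest first: where DR and backup effort pays off most."""
    return sorted(deps, key=lambda n: (-len(blast_radius(deps, n)), n))
```

Running `single_points_of_failure(DEPENDENCIES, ["auth-service", "order-service"])` on the sample returns the shared database and storage layer, which is exactly where redundancy and tested recovery procedures belong.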

Advancements in technology enable organizations to use automated and intelligent cross-platform tools that can significantly reduce the time and manual overhead of failover and failback. Such tools can also create golden images of data for efficient recovery after a cyber-attack and provide continuous monitoring of the data backup and disaster recovery (DR) environments.

Becoming and staying a cyber resilient organization is not just an abstract IT or management function in isolation. Rather, it starts with people and their grasp of the IT environment in which they find themselves. Speed of response and a proactive, risk-based approach are key. Weighing cost, time and effort against business impact will help organizations choose the right defense measures that fit their needs.

Every organization rightly has IT experts who are responsible for the day-to-day efforts of operating the hardware, software, facilities and devices that help drive an organization towards its business objectives. But to achieve cyber resiliency, everyone must have a stake in keeping their organization available, secure and productive. This is not a burden or distraction — I see it as a fantastic opportunity, and I hope all business leaders and teams will embrace it for the common good.

Learn more about IBM Business Resiliency Services, or talk to an IBM expert about your specific needs.

Read Part I and Part II of The Cyber Resilient Organization blog series.


About The Author

Kaustubh Vazalwar

Group Manager : Global Resiliency, IBM

Kaustubh is a seasoned and certified resiliency professional with experience in both the strategic and the technological aspects of business. His experience spans infrastructure and information security implementation and consulting, business continuity and IT disaster recovery planning (BCP/DRP) and management, cyber security, information risk management services, operational risk management, IS...