Shift Left? Shift Right? Modern security can seem like the Cha Cha Slide

Exploring modern security strategies and the importance of balancing prevention and recovery within the NIST Cyber Security Framework.

By Sam Curcuruto | July 11, 2024

Organizations worldwide have aligned their security strategies with the NIST Cyber Security Framework (CSF) because it offers a good way of breaking down the tactical needs of modern cybersecurity teams. The latest version, CSF 2.0, introduced an overarching category that had been sorely overlooked – Governance. The key point to note is that the CSF is not necessarily meant to be a “start here, finish there” type of application. The goal is for organizations to invest in people, processes, and technology across the entire framework in a balanced way that reflects business risk.

The areas of focus for the CSF

Fig. 1: A diagram of the NIST Cyber Security Framework

“Identify” is a critical element because you can’t protect your assets or prioritize your efforts if you don’t know what you have. What’s critical? What’s regulated? What’s necessary for our business to function and generate revenue? Most teams struggle with this element, especially with the prevalence of decentralized and shadow IT. Aside from the CSF, most other cyber frameworks and regulatory guidance require identifying and inventorying systems and data as a foundational step.

“Protect” is all about technologies deployed to prevent attackers from gaining access to data in the first place. This spans the gamut of tech from vulnerability scanners to identity and access management to antivirus and anti-malware. These tools need to be configured properly and, most importantly, deployed across every device and system in the organization. This isn’t always the case. Sometimes, things are purchased on corporate P cards, not through IT. Sometimes, systems simply don’t update properly and thus are running out-of-date, vulnerable software.
“Detect” is about setting traps and ensuring alarms function when actions indicate something out of the ordinary. Unfortunately, many organizations have dozens of tools that generate millions of alerts to detect threat actors infiltrating their systems. This massive influx of alerts, which may or may not indicate something truly awry, can cause alert fatigue – spending immense amounts of time chasing down possible anomalies only to learn they were false positives. This also diverts attention away from other alerts, which may be real threats.

Then we have the two Rs of the framework, “Respond” and “Recover.” These two cybersecurity areas are where your mettle is tested. Organizations will be breached. It’s not a matter of “if” but “when, and how bad?”

To be good at “Respond,” teams need alignment on many fronts: good leadership, solid strategy and tactics, great documentation and planning, and the most critical thing of all – practice. For incident response, you will not rise to the occasion but rather fall to the level of your preparation. Without practicing and testing the processes you’ve built, you’re being set up for potential failure, or at least for more stress than needed when an actual incident occurs.

“Recover” is where the rubber hits the road. Following the inevitable breach, it’s the job of everyone on the security and IT teams to get the systems and environments back to good. But doing so requires you to step back and think about how to do it safely, effectively, and without recovering the bad guys and everything they’ve poisoned.

Each element must be given the same level of rigor and attention to be effective. Unfortunately, that’s not always the case. Historically, organizations have focused most efforts and investments on preventing cyber incidents rather than establishing the technology, processes, and strict workflows to follow when a cyber incident occurs. With data spread across hybrid environments, prevention is no longer adequate.
Enterprises of all sizes seek peace of mind in a chaotic hybrid world. Security leaders and CISOs must adapt their strategies to address frictionless recovery and cyber resilience, and implement practices, processes, and technology around data cleanliness and recoverability.

Ransomware has changed the face of recovery. Due to increased cyber threats, security leaders are evaluating isolated recovery environments (IRE) to serve as clean, uninfected locations to recover to. However, given the nuanced types of attacks that occur, that IRE needs to be more than just a secure space. It is a part of the recovery process, but not all of it. Commvault® Cloud Cleanroom™ Recovery is a comprehensive testing and failover offering, providing a safe, new IRE that supports (1) testing cyber recovery plans, (2) conducting forensic analysis, and (3) business continuity in the event of a breach.

Pivot from preventive measures and invest in response and recovery

However you look at the CSF, organizations have, for better or worse, started at the top or the right and worked through it in order. The problem lies in the sequential nature of the work. Most organizations don’t get to Respond or Recover because they’ve spent all their time and money on Protect and Detect. The fact that organizations have not spread their budget and resources over all sections of the CSF has meant that attackers still have the upper hand. When they get through your defenses and evade your detection, the typical cyber security team’s incident response can do an excellent job of investigating the breach but not much in the way of recovering from it.

You can’t always rely on the IT team’s backups

With the average dwell time of attackers in organizations standing at 204 days, chances are that the attackers have found, infiltrated, and possibly poisoned your backups. This is something we’ll cover in a future blog, but it’s absolutely worth noting here.
When dealing with breaches, not only will your production data likely be tampered with, but threat actors are also actively seeking to take down and compromise the efforts you’ve made to ensure that you can restore good copies of data.

You can’t count on just blocking an IP address

Many tools respond to breaches by blocking IP addresses to kick attackers out of the network. This doesn’t work with the cloud anymore. Attackers have found or bought legitimate credentials and/or infiltrated your identity and access management systems. So now they’ve become legitimate users.

In a word, you can’t trust anything

In a world where the phrase zero trust is thrown around quite a bit, following a breach there truly isn’t, and shouldn’t be, any trust. Data needs to be scrutinized and checked for infection. Infrastructure needs to be rebuilt to ensure that only authorized folks are inside.

If you’re looking for ways to improve your organization’s cyber resilience, reach out to our sales team at Commvault for a consultation. We’ll discuss all the elements that make up a good cyber recovery strategy and tailor it to your business.