Having spent the last few years helping organizations build triage workflows in Security Operations Centers for network-based detection and response technologies, I saw a pattern emerge in the types of events that organizations were consistently most worried about, or most interested in.
It wasn't the opening of suspicious email attachments or browser drive-by downloads that concerned them most. There are strong technological controls and processes in place to deal with the vast majority of threats arriving through those vectors.
Nearly all organizations have reached a risk-appropriate level of cyber maturity against these well-known patterns of attack and feel comparatively resilient: they have invested in multiple security technologies spanning the MITRE ATT&CK tactics end to end, and can even confidently identify late-stage techniques and tools that are "living off the land."
Instead, the events that organizations were most interested in were almost always directly related to uncovering "the land" itself: the assets, systems and connections that an attacker would live off. These are the events they feel least resilient to, because they represent a blind spot in the application of risk management. If you have a robust understanding of what the land looks like, you can mature a cyber capability to deal with the threats that would attempt to live off it.
In simple risk terms, if you don’t know the land, you can't manage what's in it.
Although it was written for aviation, the guidance transcends that sector and applies to any industry and every type of organization.
The World Economic Forum's initiative poses eight questions that organizations should ask themselves to assess and advance their level of cyber resilience.
World Economic Forum: Key questions to improve cyber resilience
- Does your organization’s approach to information, cyber and IT risk management take full consideration of the risks posed by emerging technologies such as IIoT?
- Does your organization understand the impact of emerging technologies on its attack surface – both outside and within the organizational and network perimeter?
- Does your organization’s cyber resilience strategy, risk scenarios and incident planning exercises take full account of system and data integrity risks, as well as confidentiality and availability?
- With ongoing changes in connectivity, technology and business practices how do your organization’s cyber and safety risks interconnect?
- Does your organization have a clear understanding of the risk posed by its supply chain and partners across the aviation ecosystem, including manufacturers, support partners and infrastructure operators?
- How can your organization develop and maintain effective baselines of cyber capability?
- How can your organization continuously monitor cyber risks?
- How can your organization build an industry database that enables minimum standards to be set, and industry-wide leveraging of best practice?
The second pillar of resilience, maturity, is tested by the next three questions (3-5): do you truly have a 360-degree view of risk, and of how it might manifest, across all of your digital surfaces, including third parties?
The third pillar of resilience is capability: how rich is your ability to measure, detect, respond and learn? Capability is tested in questions 6-8.
It is not just the World Economic Forum taking a lead; measuring cyber resilience is becoming a critical requirement in most other sectors too. The Pentagon has recently released the Cybersecurity Maturity Model Certification (CMMC), which requires defense industrial base contractors to achieve a minimum level of maturity, and those who achieve higher levels of certification are rewarded by having cyber treated as an "allowable cost" in certain RFPs.
The World Economic Forum's cyber resilience initiative lays down guidance for best-practice baselining and measurement of cyber resilience as a continuous, always-improving process across all three of the pillars.