
Microsoft Security Blog

Blog Series: Charting Your Path to Cyber Resiliency

LizTesch
Mar 10, 2025

Part 1: What Is Cyber Resiliency and How Do I Get It?

Recently I was on a call with some security leaders who were interested in how we at Microsoft could help them with cyber resiliency. But when I asked the questions "What does cyber resiliency mean to you?" and "What specific aspects of cyber resilience are you interested in improving?", they struggled to answer.

If you're having difficulty with those questions yourself, don't worry, you're not alone. Cyber resiliency, being able to successfully continue business operations in the face of destructive cyberattacks, is having a Moment these days. It's The New Zero Trust, you might say. But what is cyber resilience, really, beyond an industry buzzword or a sales play? What does an organization need to do to become cyber resilient? To understand more, let's start with a look at the history of cyber resiliency and how it has evolved over the last 15 years.

MITRE (best known for their ATT&CK frameworks) was an early leader in the cyber resilience movement. MITRE's 2010 publication Building Secure, Resilient Architectures for Cyber Mission Assurance explained the need for cyber resiliency by emphasizing the operational impact of cyberattacks and the financial cost of recovery, also noting that "the cyber adversary continues to have an asymmetric advantage as we fruitlessly play Whac-A-Mole in response to individual attacks." (Sound familiar?) One year later, MITRE released the first version of their Cyber Resiliency Engineering Framework (CREF). In subsequent years, MITRE followed up with revisions to CREF, along with additional papers on methods and metrics for effectively measuring cyber resiliency. They also developed the CREF Navigator, an online tool to help define and graphically represent cyber resiliency goals, objectives and techniques as defined by NIST (National Institute of Standards and Technology).

NIST's 2021 publication SP 800-160 Volume 2 (Rev 1): Developing Cyber-Resilient Systems is a comprehensive cyber resiliency framework that builds on CREF. It also gives us the most widely used definition of cyber resiliency, which is: "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources." Like MITRE's early work, this publication is rooted in systems and software engineering principles and in how engineers in national defense and critical infrastructure need to build resiliency into mission-critical systems. Today, however, we commonly apply this definition and this understanding of cyber resiliency to any organization concerned with minimizing the impact of cyberattacks on its business-critical systems.

The extension of cyber resiliency principles beyond government and critical infrastructure is also evident in the EU's Cybersecurity Strategy for the Digital Decade, presented in December 2020. Although this strategy was chiefly concerned with "EU institutions bodies and agencies," it also emphasized the increasing dependency of both the public and private sectors on digital systems and cybersecurity, noting that financial services, digital services, and manufacturing were among the sectors hardest hit by cybercrime.

Microsoft echoed this idea in our 2022 Digital Defense Report, which featured a special section on cyber resiliency, calling it "A crucial foundation of a connected society." The report emphasized 3 key cyber resiliency themes:

  • the critical link between cyber resiliency and business risk
  • the importance of adapting security practices and technologies to keep up with a continuously evolving threat landscape
  • the challenges of attaining cyber resiliency when using legacy technologies

Microsoft also maintains a list of 24 key issues impacting cyber resiliency, spanning everything from legacy on-premises resources to cloud technologies and frameworks. We'll come back to this guidance in Part 2 of our series.


Figure 1: Microsoft's key issues impacting cyber resiliency

Conclusion

Cyber resiliency is more than the latest industry buzzword. In the first part of this series, we looked at the origins of the cyber resiliency movement with a focus on 2 common cyber resiliency frameworks developed by MITRE and NIST. We also looked briefly at Microsoft's approach and some resources we offer customers wanting to improve the resilience of critical business operations in the face of destructive cyberattacks.

In the 2nd part of this series, we'll take a closer look at Microsoft's approach to cyber resiliency, from its origins in the days of Trustworthy Computing to present-day guidance on designing security solutions to mitigate the effects of ransomware. Finally, in Part 3 of the series we'll examine how we can use AI to help with some of the most challenging components of cyber resiliency.

Updated Mar 06, 2025
Version 1.0