optimal risk: why resilience fails. abbreviated for circulation


Uploaded by dan-solomon. Posted on 06-Jan-2017.


Page 1: Optimal Risk: Why Resilience Fails. abbreviated for circulation

Be Prepared. For Anything

Why Resilience Fails Presented by Dan Solomon, Director

Page 2: Common Challenges

Exercising Your Response – Building Your Resilience © Optimal Risk 2015. All rights reserved

[Diagram: resilience model. Resilience: Detection, Response, Recovery, Preparedness. Technology, Methods, Procedures. Vulnerabilities: IT, Physical, Human. Awareness: Threat, Self, Risk. Planning: Doctrinal, Operational, Tactical.]


Page 3: How Resilience Fails


[Diagram: the resilience model from Page 2 (Detection, Response, Recovery, Preparedness; Technology, Methods, Procedures; Vulnerabilities: IT, Physical, Human; Awareness: Threat, Self, Risk; Planning: Doctrinal, Operational, Tactical), overlaid with failure labels. Modes of Failure: Technology Failure, Process Failure, Management Failure. Points of Failure: Human, IT, Physical. Characteristics of Failure: Recognition, Interpretation, Taking Decisions, Taking Action, Inappropriate Response, Inappropriate Planning, Complacency, Dealing with the Unexpected.]


Page 4: Why Resilience Fails


Symptoms of Delusion

[Word-cloud diagram; terms as they appear on the slide: Insurance, Compliance, Silver Bullets, Cultural Myopia, Accepting Mediocrity, Analytical Bias, Perspectives on ‘Cold War’, Ignorance, Information Assurance, Leadership, Risk-Informed, Intelligence, Reactive approach, Vulnerability Scanning, Analytical Failure, Formalised Policy & Planning, Board-level Consensus, Outdated methods, Budgets, Forewarning, Tackling Uncertainty, Ineffective Capability, Misaligned Strategy, Converged Threat Awareness, Complacency, Competing Priorities, Inertia, Silos, Cost, Assessing Probabilities, Risk, Outdated Assumptions, Dealing with Complexity.]


Page 5: Why is it so difficult?

• Complexity: Multiple teams, complex management & planning. Attackers will create and exploit complexity and fault lines.

• Integration: Technologies with methodologies with procedures. Attacker perspective: the disjoint offers open doors.

• Escalation: Scenario understanding, familiarity, agility. Attackers will seek to exploit a lack of ‘depth’.

• Anticipation: Insight, foresight, awareness. Attackers have the upper hand and retain the initiative.

• Interpretation: Intelligence, analysis, learning, and its application. Attackers are quicker, and will exploit your ‘bias’.


Page 6: Resilience Organisation


[Diagram: phases Identification, Defence, Response, Recovery. Teams: CISO and Security Leadership, Crisis Management Team, Cyber Defence Operations Centre, Forensic Team, Cyber Incident Response Centre, Risk Team.]

Maintain the ability to resist, react, and manage attacks

Resolve weaknesses in awareness, decision making, communication, and working practices

Remediate problems through technology, processes and people

Develop knowledge, capabilities, understanding, and awareness

Sustain focus and consensus around security priorities


Page 7: Assessing Maturity

Maturity levels, from lowest to highest:

• Reactive: Ad hoc, unguided, reliant on external experts

• Compliant: Pre-scripted processes, compliance tools, reliant on external experts

• Risk Focused: Risk aware, and handle the basics ‘by the book’

• Anticipatory: Proactive analysis and think like a hacker

• Innovative: ‘See in the dark’, improvise and win

Capability cycle:

• Identify and Recognize: Monitor, Recognize, Assess, Triage, 1st Response

• Interpret and Analyze: Intentions, Intelligence, Scenarios, Interdependencies, Business Impact, Escalation

• Plan and Prepare: Risk Analysis, Threat Assessment, Organisation & Management, Security Controls Framework, Testing & Readiness

• Respond and Recover: Deployment, Playbooks, Containment, Eradication, Logging, Recovery

• Adapt and Learn: Upgrade, Assimilate, Investigate, Review


Page 8: War Games

A cyber war game simulates a ‘real world’ cyber attack

The attack escalates over a number of phases to test technology, methods, procedures and decision-making

The process will exercise the organization's ability to resolve incidents and manage crises

The aim: Learn from experience.


Red Team simulates: 4 scenarios over 2 days

Goal-based to simulate: different types of threat-actor

White Team oversight feeds the process

Observers and Monitors in all locations record performance and assess processes

Real-time mentoring and feedback = on-the-job learning


Page 9: The more common concerns?

• Skills and Experience

• Lack of ‘Maturity’

• Security Testing Only?

• Desk-top ‘exercise’

• Proper ‘expert’ scrutiny?

• Lack of Familiarity!

• Lack of Options!


• Lack of Intelligence

• Too many signals or noise

• Early Warning?

• Pinning Hopes on Technology

• Coping with the familiar

• Analytical Bias

• Obsession with ‘The Probable’

• Lack of Options


Page 10: Be Prepared

Service-led Security Process

• Cyber Resilience Assessment

• Business Impact Analysis

• Information Security Strategy

• Cloud Security Strategy

• A Security Control Framework

• Business Continuity Planning

• Incident Response Maturity

• SOC or CDOC Evaluation

Uncertainty is the essence of war, surprise its rule

Embrace the attackers view

Accelerate your Maturity

Practice makes Perfect

Develop a Preoccupation with Causes of Failure

A Commitment to Proactive Defence


Page 11

Be Prepared. For Anything

Dan Solomon, Director, Cyber Risk & Security Services

Email: [email protected]

Advanced Cyber Defence Services

Ask us about a Pre-Active™ Approach to Cyber Defense on stand B5