All Aboard! Next Stop The Future of Cyber Resilience | Ron Ross

Episode 49: All Aboard! Next Stop – The Future of Cyber Resilience | Reimagining Cyber | Don Ross

[00:00:00] Ron Ross: It's not just about one aspect or one safeguard or one strategy. This is a multi-dimensional strategy with lots of different moving parts that are discussed in our cyber resiliency guideline, and are actually executed in a good engineering process that gives consumers a lot better hope of being able to operate those systems under attack and. 

[00:00:25] Ron Ross: having a system that they have a confidence that they can recover and restore that system, even if it's in a degraded, debilitated state, they can get back to some sense of normal operations and not have the entire business or mission go under.  

[00:00:39] Rob Aragao: Welcome to the Remagining Cyber podcast, where we share short and to the point perspectives on the cyber landscape 

[00:00:45] Rob Aragao: It's all about engaging, yet casual conversations on what organizations are doing to reimagine their cyber programs while ensuring their business objectives are top priority. With my co-host, Stan Wisseman, head of security strategist, I'm Rob Aragao , chief security strategist, and this is Reimagining Cyber. 

[00:01:04] Rob Aragao: So Stan, who do we have joining us for this?  

[00:01:06] Stan Wisseman: Robert Guest today is Dr. Ron Ross, fellow at the National Institute of Standards and Technology. Dr. Ross's focus areas include cybersecurity, system security, engineering, and risk management. He currently leads the NIST System Security Engineering Project, and authors many NIST publications and contributions. 

[00:01:25] Stan Wisseman: Today we're going to focus our conversation on the special publication  SP801-60 volumes one 

and two,  which cover system security engineering and cyber resilience  

[00:01:35] Rob Aragao: Hey Ron. So we are extremely excited to have you. You know, Stan and I always love having conversations with you. It's been a little while since we had you on the podcast, our conversation then is going to be similar to today, but much more of like what's next and what have you been seeing around that topic of cyber resilience. 

[00:01:50] Rob Aragao: And just for the audience, a kind of quick reminder, or even for some people that are new, like this is, you know, kind of a key area, what we're seeing. Within that transition from cybersecurity principles to evolving to be more cyber resilient in approaches, organizations are needed to take. And there's really four core goals centered around cyber resiliency that you know, NIST has done a great job of putting out there for people to take a closer look at centered around anticipating. 

[00:02:12] Rob Aragao: so preparing for what type of events that security instance may be coming your way to your organization and putting the right mechanisms and controls in place to help obviously, hopefully prevent them from happening. But we all things will occur. So therefore, the next goal is focused around how do you withstand,  

[00:02:28] Rob Aragao: how do you minimize the impact from when those events do actually take place, which then takes us to the third goal, right? How quickly can you recover and restore the operations back into again, being as effective as possible for what the business or the particular agency, whatever your enterprise or again, federal agency may be looking to ensure that they're operating on. 

[00:02:47] Rob Aragao: And then the last piece of it is, again, always constantly learning. So taking those learnings, those findings and adapting and putting new control mechanisms in place, making changes where need be. And Ron, as we jump in, you know, today's conversation, we want to kind of go through each of those goals with you and discuss, you know, in almost two year’s time that evolution that you've seen in each of those areas. 

[00:03:07] Rob Aragao: Right? So let's start with the first one around anticipating and what have you seen there that's evolved in some effective areas specifically that are kind of examples you can call out?  

[00:03:15] Ron Ross: I think before we start on the specifics of anticipating I think it's really instructive to understand where we've come from in the last 20 or 30 years of, of the technology. 

[00:03:27] Ron Ross: I think the one thing that has been at the front of our minds at  NIST, as we kind of move into our second generation of standards and guidelines focused on engineering and cyber resilience is this whole notion of complexity. The technology keeps advancing at record breaking paces and the capabilities that we have today, just the, the sheer power and the, the affordability of that technology has driven us to really build, operate, and maintain extremely complex systems. 

[00:03:59] Ron Ross: We're talking literally about billions of devices, trillions of lines of code. The complexity is overwhelming, even for the best and the brightest. With that context, we're trying to understand a little bit better how do you deal in a world of hostile cyber threats, or not even just cyber threats, just threats in general to your systems that you depend on to carry out your critical missions and business operations. 

[00:04:24] Ron Ross: It's a question that's on the top of minds of federal agencies, the private sector, whether you're a Fortune 500 company or where you're a small mom and pop company. We live and die by information technology, whether that's, a classic IT system, whether it's an operational technology like power plant, SCADA system, part of the power grid, whether it's an IOT device. 

[00:04:46] Ron Ross:, the common denominator on all of these systems is they're driven by. Software and firmware, and a lot of that code is not as trustworthy as it needs to be. So given that that's the deck that we've been dealt, how do we deal with that on a day-to-day basis? And that was really the, the driving force behind the two volumes of 800-160. 

[00:05:07] Ron Ross: Your specific question on being able to anticipate, I think it starts with understanding the system that you own and operate, or that you have gone out to contract with, to the service provider, to the best of your ability. Anticipation means understanding what kind of climate are we operating today? 

[00:05:24] Ron Ross: What kind of threats are out there? Some of these threats are well defined. They  been categorized in many, many different open source publications. Understanding the threats that are out. Understanding the vulnerabilities that you have within your system. Some of those vulnerabilities are again, well defined. 

[00:05:42] Ron Ross: Other ones are unknown. You, may not know the vulnerabilities that you have because that's why zero days still work because the adversary finds something in your system that you didn't know was a vulnerability. That threat exploits the vulnerability to cause mission and business impact. 

[00:06:00] Ron Ross: Just understanding the threats, the vulnerabilities, and the most important thing is the criticality of your systems and the components of those systems. That talks to impact. If a threat exploits a vulnerability and, and really has no impact, then that risk is going to be fairly low to your mission operations. 

[00:06:20] Ron Ross: However, if that vulnerability is a critical vulnerability, then that one shot can take down the entire enterprise. We've seen that happen in many, many cases today. So the threat to vulnerability, the impact to your specific organization, if that threat is successful and exploits the vulnerability, and then again, there's, there's a likelihood component, which we is the fourth component of that risk assessment.. 

[00:06:46] Ron Ross: But likelihood is very, very difficult to determine because of the complexity. So we try to assume today that every threat out there is likely, and if you've got the vulnerability and it's a critical system, then you need to address that vulnerability. So that's kind of the anticipation part of this whole problem. 

[00:07:05] Stan Wisseman: So Ron, before I get into the next goal, just to follow up on that, do you see the  evolution of how threat intelligence information is consumed and acted on, as well as leveraging of tools such as minor attack as helping organizations better anticipate at least, and address some of those components of anticipate you spoke to a moment ago? 

[00:07:30] Ron Ross: The tools that are available today are light years better than they were a few years ago. The amount of data we have, the threat intelligence has gotten much better. I'm an all of the above solution kind of person. I believe that you need to get as much of that threat intelligence as you can. Use whatever tools you can afford and, and that 

[00:07:49] Ron Ross: drives information. The more information you have about the susceptibility of your system to these specific threats or vulnerabilities, and you can take those off the table, then that's always a good thing to do. Things like cyber-hygiene, I call it the basic blocking and tackling. And you know, if you can take 80% of the attacks off the table, you don't never stop the attacks. 

[00:08:11] Ron Ross: but if you can, if you can interrupt that attack sequence, then that's 80% of those things that are not going to be a problem to your organization. But that then still leaves the other 20%, and that's where cyber resiliency has to step up. But definitely with AI and machine learning our ability to understand threats and what they can do and how we can stop them is going to increase by orders of magnitude. 

[00:08:34] Ron Ross: but in complex systems, even that order of magnitude improvement's never going to be enough. And that leads us to the rest of our discussion today 

[00:08:41] Stan Wisseman: So the next goal is the ability to withstand attack. And in our previous podcast with you, you gave the wonderful analogy, and I know it's included in SP800-160  as well, of the human body's immune system. 

[00:08:55] Stan Wisseman: and the ability of the human body to withstand attacks and in the context of what we're talking about, resilient systems, you'd be able to withstand cyber-attacks or faults or failures. And then having that ability to continue to operate in a degraded or  debilitated state and carrying out essential mission functions for the organization. 

[00:09:18] Stan Wisseman: How are you seeing the industry and capability shifting? And which techniques and approaches are, turning out to be more effective. Are you seeing an example of that human body's immune system being carried out somewhere that that gives you that kind of level of resilience? 

[00:09:38] Ron Ross: Yes there're definitely examples of that. I think the evolution I've seen, we had the the dream early in the early years of cyber that we could use our penetration resistance philosophy. In other words, you build, that wall around your system as high as you can build it, and you put it in the best safeguards you can. 

[00:09:59] Ron Ross: And the expectation was, if I did it right, I would keep the adversaries out. Well that today with the complexity of our systems, the very first thing I think we've done now is we've got a more realistic expectation of what's possible. Complexity theory will only take us so far in protecting these systems, and there's never going to be a perfect cybersecurity program that's going to stop all cyber attacks  or stop their effectiveness. 

[00:10:26] Ron Ross: So it's become more realization, and this is where the human body analogy comes in rather nicely is that you've got to get up every day and go out in the environment and you're going to come in contact with viruses and bacteria, and you do rely on the human body. The other analogy I use often is your house. 

[00:10:44] Ron Ross: You know, you have a lock on your front door, and you try to keep the bad guys out, but most of those locks on the front doors are not going to stop professionals. So once they get into your house, if they can, you know, ransack through every room, and steal all your valuables, well that's not a good outcome. You can make an analogy with the system. 

[00:11:05] Ron Ross: We've kind of come to the conclusion that sophisticated adversaries, I'm not talking about the ones that we can stop with cyber hygiene 80%, but I'm talking about the 10-20% on the upper end. What happens when they get through your initial lines of defences, which are characterized by penetration resistance? 

[00:11:24] Ron Ross: Well now the bad guys are inside the house. Well, what if they came in the front door, the bad guys, and then every room in your house there was a vault or a safe? that would be analogous to a security domain for each room in your house.. And if you have the ability to add whatever safeguards and countermeasures you think are needed for that particular domain, assuming some of your valuables are more important than others, then you can tailor those controls and those safeguards to the specific criticality of the data or the valuables that you would like to. 

[00:11:59] Ron Ross: and we're seeing those kinds of approaches now. It's more of a realistic view of the system. Once they get in, we try to slow down the progress of moving laterally across the system. And then we also try to reduce the time that they're on target. They have to be in the system, and the more time they're there, the greater opportunity they have to carry out that entire attack sequence. 

[00:12:21] Ron Ross: So it's kind of a vertical and a horizontal strategy. So these different security domains, and you'll see a lot of that with zero trust architectures, where we're collapsing that large perimeter, which is largely porous nowadays, and we're bringing those perimeters into tighter and tighter shot groups. 

[00:12:40] Ron Ross: The security domains. And we're applying the same controls, but to smaller and smaller resources. So access controls, identification, authentication, authorization, all of those types of safeguards that we had at the perimeter now are being applied to those smaller and smaller domains. Now. Segmentation is one of those techniques within the 800- 160 segmenting networks, segmenting your system into those smaller and more defensible domains where you can adjust the level of protection is right in line with the zero-trust architecture philosophy. 

[00:13:15] Stan Wisseman: II guess one of the areas that I personally have been frustrated on just following up on this, is that, you know, we haven't seen. One of the techniques that is, is commonly used the commercial sector, really applied broadly in Federal, which is encryption and tokenization of data within that perimeter, you know? 

[00:13:34] Stan Wisseman: So yes, you can apply those access controls, you can do network segmentations, prevent lateral movement, and again, help isolate some of those like, but it doesn't seem like a lot of the public sector agencies have really embraced, the use of encryption even for data that, and again in the commercial space with PII and privacy requirements organizations have been. 

[00:13:59] Stan Wisseman: carrying out and following through on encrypting their data. 

[00:14:02] Ron Ross: Well, we have a lot of controls and 800-53 our, our controlled catalog. And of course we spend a lot of time on encryption. Encryption can be applied in lots of different ways. We, we talk a lot about encrypting data at rest. This is a huge issue. 

[00:14:17] Ron Ross: And near to your point encryption can be applied in all those different domains. It's especially important to encrypt data at rest because once the adversary's in the house, unless they can get your credentials and we've seen that attack as well, where even though you're using encryption, if your credentials are compromised, then, then encryption becomes basically worthless. 

[00:14:37] Ron Ross: So encrypting data at rest is important, especially when you're doing backups,  when you're doing backups having that data stored offsite encrypted in protected locations is really, really important today, especially with ransomware attacks where the system gets compromised and you've got to ensure that you can get that initial system configuration and all that data back in a known secure state the way that you intended it to be. 

[00:15:04] Ron Ross: So yes, I believe there's need to do more and more encryption. We have seen an attacks where you know, even once they get inside the system, even with encryption, really sophisticated adversaries to take and get your credentials, that's the keys to the kingdom, and then everything is possible from there. 

[00:15:19] Rob Aragao: Yeah, I think that's a, that's a very good point and actually takes us right down to that third goal, which is around recovery and restoration. In essence, it's been, as I said, almost two years since we actually discussed this topic with you, specifically on cyber resiliency. And so as you look at it again, in, in all of the 

[00:15:34] Rob Aragao: amounts of ransomware, types of attacks that we've seen in that time. This area of how you'd recover historically has kind of been around, you know, the IT functions of the core principles of backup and recovery. Now there's a major kind of put the cyber umbrella over the top of it. And again, because of ransomware being kind of a core element of that, I guess, are you seeing more of the cyber aspect being plugged into this from that recovery capability because of ransomware, because of all these other things that are occurring? 

[00:16:03] Rob Aragao: Like, is, is that really come to fruition at this point in time? And some, again, even examples that you, you've come across where Yeah, it's, it's really made a change over the past, you know, couple years if you will  

[00:16:13] Ron Ross: Doing data backups and, and system recovery has always been part of our core security controls in our, our contingency planning family. 

[00:16:20] Ron Ross: that goes back to the very initial days of 800-53. I think what has changed is the adversary sophistication over the years has kind of made that even put a brighter spotlight on that because, one of the things we we've seen is that you have to be sure that when you're backing up your data, before you even bring it to the recovery stage, that 

[00:16:43] Ron Ross: that backup itself doesn't include malicious code because a lot of times when the adversary is resident in your system for a month or two or three or seven months or a year, we've seen all those different scenarios. There's a lot of time for that malicious code to do a lot of destructive things, and if they're there long enough to corrupt your backups, then that kind of destroys the whole principle 

[00:17:06] Ron Ross: of having the backup information. So that's where we always stress. It's very important to start with a known secure state. I just wanted to circle back on one thing in our, in our last question ,we talked about making it difficult for the adversary to move laterally, but this also the time on target is a central issue. 

[00:17:23] Ron Ross: And it does tie into this question about backup recovery, because if you give the adversary a lot of time to do damage in your system, they're going to be able to do a lot more things. And one of the great things we're seeing today, and this goes back to the concept of virtualization and being able to micro virtualize. 

[00:17:42] Ron Ross: We're able to virtualize smaller and smaller pieces of the system and software. The idea there is that if you can flush out malicious code quickly as part of a bringing, a new virtual machine online, or micro virtualizing the parts of the systems where that malicious code may end up 

[00:18:01] Ron Ross: if we can get that cycle down to through tools and things that we can employ to a very rapid cycle, then even if the adversary is able to breach our initial perimeter and drop a payload in there, if we were refreshing those critical pieces of the system at a fast enough rate, it won't make any difference because by the time that malware could go to that next sequence in the attack chain, that system has been restored to a known state. 

[00:18:29] Ron Ross: So I think the message here is, it's not just about one aspect or one safeguard or one strategy. This is a multi-dimensional strategy with lots of different moving parts that are discussed in our cyber resiliency guideline, and are actually executed in a good engineering process that gives consumers a lot better hope of being able to operate those systems under attack and, and having a system that they, they have a, confidence that they can recover and restore  

[00:19:01] Ron Ross: that system, even if it's in a greater debilitated state, they can get back to some sense of normal operations and not have the entire business or mission go under.  

[00:19:11] Stan Wisseman: So we've  been attacked. We've hopefully recovered and restored, and now hopefully we'll learn and adapt. Now this takes us to our fourth goal of resilience, but let's face it, many teams are overwhelmed by the number and volume of attacks that they have to deal with. 

[00:19:30] Stan Wisseman: What are you seeing as far as this area and what has been an effective way of teams being able to take these lessons and apply them to their controls to be able to evolve and adapt appropriately? 

[00:19:42] Ron Ross: I have such respect for all of my colleagues out there who are cyber defenders, no matter what, what they're doing, if they're on the technical side, policy side, they're all working 

[00:19:53] Ron Ross: literally 24-7 in a near impossible task. And I think the tools that we talked about today and the techniques are going to help a lot. But learning from what's already happened, and again, it kind of takes us back to that anticipation. When we first started the cycle of anticipation, we had a certain things to run our radar 

[00:20:15] Ron Ross: that we know have happened in the past or could happen in the future. One of the things that security engineers do is they anticipate the kinds of things that could happen that haven't happened as yet. And  that's a, that's kind of that whole engineering process that we've tried to characterize in SP801-60, but I think in order to effectively move forward 

[00:20:37] Ron Ross: and learning from our mistakes we also have to be cognizant of the fact that that complexity has to be managed and reduced in order for us to be successful, even learning all the lessons, because it could turn out that there are so many new lessons to learn that it overwhelms even the best and the brightest out there 

[00:20:58] Ron Ross:  who are doing this stuff for a living, right? Right. And so I don't think we can ever get away from the basic tenant that if you really want to have a shot at reducing your susceptibility to cyber-attacks, managing risk to an appropriate level, understanding there's no perfect security, is you've got to go back to those core principles of least privileged, least functionality. 

[00:21:18] Ron Ross: Make the system only as large and capable as you need to have it  to accomplish your critical missions and being able to understand within your organization what systems and functions are critical in separating those from those that are not. We can't air gap everything anymore, but we certainly can reduce that complexity and maybe. 

[00:21:41] Ron Ross: have those, those systems small enough to be defensible.  

[00:21:46] Rob Aragao: That’s a great way to really kind of wrap things up, Ron, is, is that advice. Keep it simple, right? It's, it's, these are the specific, you know, requirements that this should be delivering back with these outcomes that we're expecting of it. Focus on that, get that out and secure it in that manner as well. 

[00:21:59] Rob Aragao: So thank you for sharing some new updates and kind of the evolution that we see in cyber resiliency. Again, in that time, if you think about it, we're seeing so much more out there around that whole topic of cyber resiliency. We're seeing the security community really kind of rally around that, so it's a great thing and we enjoy always speaking with you, Ron. 

[00:22:18] Rob Aragao: Well, thanks  

[00:22:18] Ron Ross: again for having me here. It was my pleasure, Ron. It was great for the update. Thank you. Thank you  

[00:22:22] Rob Aragao: listening to the Reimagining Cyber podcast. We hope you enjoyed this episode. If you would like to have us cover a specific topic of interest, feel free to reach out to us and you can find out how in the show notes. 

[00:22:34] Ben, Producer: Hello, I'm Ben, producer of the show. I do hope you enjoyed feasting on the latest episode of Reimagining Cyber. And if you really want to indulge yourself, then why not check out some of the other great episodes we've got in this series. The guest you've just heard, Ron Ross also appeared in episode five in an addition called The Evolution from Cybersecurity to Cyber Resilience. 

[00:22:59] Then an episode later, number six, our guest was Nadya Bartol. She's managing director at BCG Plantinion where her focus is helping clients improve their cybersecurity strategies and cybersecurity programs. And again, it was cyber resilience on the menu.  

Nadya Bartol: “There is so much people have to know, there's so much they have to learn and they have to be shifting their perspectives. 

[00:23:22] So the topic of this podcast is cyber resilience. And we do need to think differently, not about how to secure the thing, but how to make sure that, the thing is secure and even if it's an attack going to keep functioning and the way that it's supposed to be functioning, and maybe eventually it'll even fix itself. 

[00:23:41] And then everything will be back to normal. And what I find fascinating again is that we've been having this conversation for at least 10 years. Right. But this is still new. This is still new. It's still exciting and still, and, and you have to explain it. No, but not everybody gets it.’  

Ben, Producer: That's episode six, measuring Cyber Resilience. 

[00:24:01] Do take a listen and why not rummage around in the back catalog whilst you're there and see if there's anything else you fancy. If you listen via Apple Podcasts, let us know what you think by leaving a rating and a comment.