2. About me;
Shah H Sheikh
(CISSP, CISA, CISM, CRISC, CCSK)
@shah_sheikh
https://www.linkedin.com/in/shahsheikh/
16+ Years in Cyber Security
CISO Architect Engineering
Founder of Multiple Cyber Security Companies
Consultant
4. @shah_sheikh
CYBER RESILIENCE
A PRACTICAL APPROACH TO MEASURING IN THE DIGITAL ERA
There are key differences: cyber resiliency is to ensure business continues to function even after an adversary has penetrated and breached the network and compromised system assets (external or insider).
PREPARE SIMULATE
IDENTIFY
5. @shah_sheikh
RECON STAGE LAUNCH EXPLOIT INSTALL CALLBACK PERSIST
target COMPROMISE BREACH
File Trajectory
DECEPTION
NGFW P+V
NIPS / NETWORK AI
NAC
DDOS MITIGATION
PACKET BROKER
WAF
EMAIL SECURITY
MFA / 2FA
APPLICATION CONTROL
WAF
EMAIL SECURITY
PATCH MANAGEMENT
PACKET BROKER
AUTOMATED SECURITY ANALYST - AI
NGAV / ENDPOINT
VULNERABILITY MGMT
PAM
SESSION RECORDING
RASP
DAM
SIEM 2.0
NGAV / ENDPOINT
APPLICATION CONTROL
SIEM 2.0
APT
DNS SECURITY
SIEM 2.0
THREAT HUNTING
APT
DNS SECURITY
WEB FILTERING
AUTOMATED SECURITY ANALYST - AI
THREAT INTELLIGENCE
ATTACKER INFRASTRUCTURE FILES / PAYLOADS
CYBER RESILIENCE
ANATOMY OF A CYBER-ATTACK KILL CHAIN
6. @shah_sheikh
“It takes 20 years to build a reputation
and few minutes of cyber-incident to ruin it.”
― Stephane Nappo
TRENDS
End Game is Cyber Resilience not Cyber Security
Change the mindset of being BREACHED
Security is just an ILLUSION
Collaborate and Share. Cyber-criminals are more organized than enterprises
7. @shah_sheikh
ADAPT
Change in approach, adjust response strategies towards future threats; enabled through previous events.
PREPARE
Predict, anticipate and plan potential threats, identify and monitor critical functions of the systems at risk.
WITHSTAND
Maintain business operations without performance degradation or loss of functionality under stressor conditions.
RECOVER
Rebound or restore from an adverse event to full business operations, performance and functionality.
STAGE2
Building a Cyber Resilience Maturity Model – THE GOALS
Definition: “The emergent property of an organization that can continue to carry out its mission after disruption that does not exceed its operational limit.”
STAGE1
STAGE3
STAGE4
8. @shah_sheikh
CERT-RMM
CERT – RESILIENCE MATURITY MODEL
MITRE-CREF
CERT – CYBER RESILIENCE ENGINEERING FRAMEWORK
NIST
NIST – SP 800-160 VOL 2
CREST
CREST (UK) – STAR – SIMULATED TARGETED ATTACK AND RESPONSE
CYBER RESILIENCE
SOME OF THE DIFFERENT FRAMEWORKS
9. @shah_sheikh
A cyber resilience strategic approach can potentially cost less than cyber security. The notion here is that resilience is aimed at withstanding a cyber-attack, whilst in cyber security the aim is to detect and prevent. We need to take into account the overall lifecycle cost to make that informed decision.
CYBER RESILIENCE
THE NOTION
10. @shah_sheikh
Scenario: Why spend on cyber security controls to detect and prevent an attack when I can spend less on backup and recovery technologies and get back into an operational state within minutes?
CYBER RESILIENCE – VALUE PROPOSITION
14. @shah_sheikh
Asset Types
Essential for Operational Resilience
TECHNOLOGY
INFORMATION
PEOPLE
FACILITIES
CYBER RESILIENCE
ASSET REQUIREMENT-DRIVEN CYBER RESILIENCE
15. @shah_sheikh
Putting Assets into Context
NETWORK AND SECURITY INFRASTRUCTURE
INFORMATION SECURITY
SYSTEMS / VIRTUALIZATION INFRASTRUCTURE
APPLICATION FRAMEWORK
PROCESS AND PROCEDURE
INTER-LINK AND DEPENDENCIES
CYBER RESILIENCE
ASSET REQUIREMENT-DRIVEN CYBER RESILIENCE
Inter-linked relationships and dependencies of assets play a key role in resilience. Some assets are containers for others. Information is the most embedded type of asset.
16. @shah_sheikh
Natural and Man Made
Accidental or Intentional
External or Internal
TECHNOLOGY
INFORMATION
PEOPLE
FACILITIES
CYBER RESILIENCE
STRESS TESTING YOUR RESILIENCE – YOUR ORGANIZATION IS ALWAYS UNDER STRESS WE JUST DON’T REALISE IT
OPERATIONAL STRESS CYBER SECURITY STRESS
Lack of Resources
Skill-set
Internal Politics
Financial constraints
Lack of visibility
TECHNOLOGY
INFORMATION
PEOPLE
FACILITIES
18. @shah_sheikh
CYBER RESILIENCE
MEASURING RESILIENCE
METRIC BASED (50%)
• Individual Metrics
• Indices
• Dashboards
• Decision Analytics
MODEL BASED (50%)
• Process
• Statistical
• Networks
• Gamification-Theory
• Simulations
19. @shah_sheikh
ASSETS PROTECTION & SUSTAINABILITY STRATEGIES
PROTECT
Keeping Assets from Exposure to Disruption
Security Technologies and Operations
Security Architecture
Keeping Assets and Services Productive during Adversity
Adversary Threat Simulations
Breach Readiness and Business Continuity
Recovery Governance
CYBER RESILIENCE
CYBER RESILIENCE STARTS AT THE ASSET LEVEL AND MOVES UP TO THE ENTERPRISE LEVEL AND VICE VERSA
SUSTAIN
Cyber Security Standards / Frameworks
23. @shah_sheikh
CYBER RESILIENCE
PRACTICE 3
Identify, Classify and Label Data and Introduce Data Governance
Establish Sound Data Governance Framework
• Regulatory
• Compliance
• Corporate
• Data Discovery
• Data Flow Diagrams
• Data Security Life-cycle
Database Security
Content Management and Secure File Share
Secure Backup
Device Controls
Data and File Encryption. eSigning and Key Management
DLP Data Location Classification, Access
Data Classification Data Discovery – Open Share PII PCI Discovery
Data Tokenization / Masking / Hashing
Data Privacy
Big Data Security
Digital Rights Management
OCR Data Detection
DATA SECURITY
METRICS
34. @shah_sheikh
CYBER RESILIENCE
METRICS
ADAPT
Change in approach, adjust response strategies towards future threats; enabled through previous events.
PREPARE
Predict, anticipate and plan potential threats, identify and monitor critical functions of the systems at risk.
WITHSTAND
Maintain business operations without performance degradation or loss of functionality under stressor conditions.
RECOVER
Rebound or restore from an adverse event to full business operations, performance and functionality.
STAGE2
STAGE1
STAGE3
STAGE4
METRICS METRICS METRICS METRICS
CYBER SECURITY PRACTICES
37. @shah_sheikh
CYBER RESILIENCE
WHERE DO YOU SIT IN THE MATURITY MODEL OF CYBER RESILIENCE
Level 0 - Unaware
Level 1 - Fragmented
Level 2 – Top Down
Level 3 - Pervasive
Level 4 - Networked
38. @shah_sheikh
Remember, both cyber resilience and cyber security are a journey and not a destination.
39. @shah_sheikh
Understand hacker economics, and remember they are more organized and coordinated than many Information / IT Security teams at organizations.