This post is authored by Ann Johnson, Vice President, Enterprise Cybersecurity Group.
In the wake of recent ransomware outbreaks, I wanted to understand how impacted firms have evolved their thinking on cyber resilience planning and implementation. I asked the Detection and Response Team at Microsoft, who help our customers proactively and in real time to respond and recover from cyberattacks, to share their experiences. I’ve included below a few anonymized customer scenarios the team shared with me, which point to the acute need for a cyber resilience plan.
What follows is a reference framework of Microsoft capabilities which can help our customers become more agile in the face of modern attacks. In other words, this post is about mapping the road to cyber resilience.
Why cyber resilience matters
Organizations globally are highly dependent on technology to conduct personal and business-related tasks. As of the end of Q1CY2017, there were over 3.7B Internet users worldwide and this population is growing. As Internet adoption is growing, the attack surface is growing. The current cybersecurity threat landscape creates a real risk to people and assets. Therefore, organizations should maintain a balance between allowing access and managing risk. Commonly, enterprise organizations approach cybersecurity by implementing tools and technologies and personnel for “protection” and “incident response”. While this is important, the root purpose of implementing cybersecurity tools and technologies is business continuity. Enterprise organizations should also be thinking at a strategic level about the “big picture” of how to fortify their critical systems, IT infrastructure, and data centers to stay resilient in the face of human errors and cyberthreats that cause downtime. This is where a cyber resilience strategy comes into play. Organizations need to build a cyber resilience strategy and execute a cyber resilience program specifically tailored to their business needs to ensure business continuity in the event of a security incident.
According to Accenture’s “State of Cybersecurity and Digital Trust”, while 75% of all survey takers say they have high cybersecurity confidence levels, only 37% claim they have confidence in their organization’s ability to monitor for breaches and 36% claim confidence in their ability to minimize disruptions. According to Gartner, the average cost of downtime is USD $5,600 per minute—over USD $300,000 per hour. Human error is the most common contributor to downtime. Some studies conclude that human error accounts for 75% of downtime.
With organizations more reliant on IT than ever before, it is important to acknowledge business continuity and disaster response (BCDR) as a vital component to the entire organization, instead of as an issue that has implications for IT teams only. Every enterprise organization needs to be prepared to handle outages caused by unforeseen events. Downtime of critical applications and services could lead to a stop in productivity and operations, lost revenues, and lower customer confidence in the organization. A strong cyber resilience plan effectively executed can help organizations’ computer systems, IT infrastructure and data centers withstand impact from cyberthreats and human error.
Cyber resilience scenarios
There are many news stories about organizations who have suffered from cyberattacks and/or data breaches. Developing a strategy and taking actions in support of cyber resilience may help reduce the extent and cost of recovery from damage due to such incidents.
Example #1 – Ransomware infecting multiple organizations globally:
Recent ransomware attacks in the first half of 2017 have highlighted the need to be able to access critical IP, systems, and infrastructure even when it’s locked down by ransomware. WannaCry ransomware impacted multiple industries and companies worldwide, including automobile manufacturing plants that had to halt production for some time. Regardless of the motivation of the attack, clearly it resulted in unplanned downtime and recovery costs to impacted companies.
A key takeaway is ransomware can impact any type of organization. Keeping computer systems patched and up-to-date, backing up data regularly, having fully tested disaster recovery plans in place, and providing education on cyberthreats (e.g. phishing and ransomware) to direct employees and contractors can help to at least reduce the extent of damage from such an incident.
Example #2 – Data breaches continue to impact US healthcare industry:
Cyberattacks continue to measurably impact the healthcare industry since cybercriminals who successfully gain access to medical data could use it for conducting fraud or identity theft for lucrative purposes. Also, the personal data often includes information on a patient’s medical history, which may be used in targeted spear-phishing attacks. As of August 9, 2017, the US Department of Health and Human Services’ HIPAA Breach Reporting Tool website – often called the “wall of shame” – showed a total of 2,018 breaches since 2009. The number of individuals affected by health data breaches also has surged in recent years, from 31.5 million as of May 30, 2014, to about 175 million as of August 9, 2017.
There are three key takeaways from these trends and statistics. The first is that healthcare personnel and patients need to be alert to and inform their IT organization of suspicious communications (fraud/phishing emails) and identity theft incidents as much as possible. Another takeaway is that personal health and identification information should not be exposed without an express requirement to share (e.g. for a patient to offer proof of identity for a medical examination or procedure). Further, the use of data classification and information protection solutions can help reduce the impact of exposure by protecting sensitive information across its lifecycle.
Example #3 – Human error led to client information exposure for financial services firm:
Financial services and banking industries, despite putting in place relatively tighter monitoring and controls over their infrastructure and data than other industries, continue to be impacted by data breaches. In early 2017, a financial services firm inadvertently left exposed to the public a database containing sensitive information on thousands of its clients. The company claimed that the incident was due to human error by a 3rd party vendor.
A key takeaway is that it is important for organizations to hold accountable all contractors with access to the organization’s network and data. For instance, this was a major issue that came to light even with the outbreak of the Petya ransomware, in that 3rd party contractors failed to follow organizational cybersecurity policies, which was a root cause of the crisis.
Considerations for a cyber resilience program
To enhance the ability for computer systems, IT infrastructure, and data centers to withstand damages from human error, cyberthreats, and cyberattacks, we suggest enterprise organizations consider a cyber resilience program that leverages the combination of people, processes, and cloud services.
Every person with corporate network access, including full-time employees, consultants, and contractors, should be regularly trained to develop a cyber resilient mindset. This includes not only adhering to IT security policies around identity-based access control, but also alerting IT to suspicious events and infections as soon as possible to help minimize time to remediation.
Organizations should consider implementing several processes for an effective cyber resilient posture. Some of these can be implemented as IT security policies. Suggested processes include the ones listed in the table below.
To maintain cyber resilience, the suggested processes should be performed on a regular basis based upon the threshold of the business to handle risk and its ability to operationally execute the processes through a combination of human efforts and technology products and services.
Fortunately, cloud service based architectures can be used to rapidly reconstitute on-premises infrastructure or fail over to a mirrored infrastructure. A key consideration when adopting cloud services is to look at how the provider conducts their assessments and look for 3rd party audits and certifications as examples of how they are performing.
Cloud services such as Microsoft Azure and Office 365 can serve at least as a first step towards helping customers with their cyber resilience needs.
|Early warning and alerting system||Organizations should receive early warning and alerts on suspicious or investigation-worthy electronic information.|
Azure Security Center automatically collects, analyzes, and integrates log data from your Azure resources, which can be used for eDiscovery.
eDiscovery in Office 365 can be used to search for content in Exchange Online mailboxes, Office 365 Groups, Microsoft Teams, SharePoint Online and sites, and Skype for Business conversations.
|Incorporate cyber incidents into disaster recovery and business continuity planning||Incorporate cyber incidents into your existing disaster recovery and business continuity planning, and characterize or assign a higher likelihood to these incidents than to traditional acts of nature.|
If you are looking to implement disaster recovery for all your major IT systems—without the expense of secondary infrastructure, Microsoft offers a variety of architectures available to help organizations design and implement secure, highly-available, performant, and resilient solutions on Azure.
Office 365 offerings are delivered by highly resilient systems that help to ensure high levels of service. Service continuity provisions are part of the Office 365 system design. These provisions enable Office 365 to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity solutions also apply during catastrophic outages (for example, natural disasters or an incident within a Microsoft data center that renders the entire data center inoperable).
|Platform hardening||Lock down platform against hacking attempts.|
From a platform hardening perspective, Microsoft performs our own internal assessments through penetration testing and red teams. Microsoft uses Red Teaming to simulate real-world breaches, conduct continuous security monitoring, and practice security incident response to validate and improve the security of Microsoft Azure and Office 365. We strive to provide a robust cloud platform that customers can depend on for accessing critical applications and data in a secure manner.
Office 365 is a security-hardened service, designed following the Microsoft Security Development Lifecycle. We bring together best practices from two decades of building enterprise software and managing online services to give you an integrated software-as-a-service solution.
|Protect against email cyberthreats||Implement security policies for detecting and protecting users from opening email based web links and attachments that are suspicious or malicious (e.g. phishing).|
Office 365 Advanced Threat Protection helps protect mailboxes against new, sophisticated attacks in real time. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.
|Control access||Limit access to data and applications, to reduce risk.|
Azure Multi-Factor Authentication helps safeguard access to data and applications, and helps to meet customer demand for a simple sign-in process. Get strong authentication with a range of easy verification options—phone call, text message, or mobile app notification—and allow customers to choose the method they prefer.
Multi-Factor Authentication for Office 365 helps secure access to Office 365. It increases the security of user logins for cloud services above and beyond just a password. Users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.
|Detect and defend against rogue systems||Apply conditional access-based security defenses to systems that have gone rogue|
Conditional access in Azure Active Directory enables you to enforce controls on the access to apps in your environment based on specific conditions. With controls, you can either tie additional requirements to the access or you can block it. The implementation of conditional access is based on policies. A policy-based approach simplifies your configuration experience because it follows the way you think about your access requirements.
Device Health Attestation (DHA) for Office 365 enables enterprises to raise the security bar of their organization to hardware monitored and attested security, with minimal or no impact on operation cost. You can use DHA to assess device health for:
|Vulnerability assessment||Learn about vulnerabilities in order of severity to be able to focus mitigation efforts on those presenting the most risk to the organization|
The vulnerability assessment in Azure Security Center is part of the Security Center virtual machine (VM) recommendations. If Security Center doesn’t find a vulnerability assessment solution installed on your VM, it recommends that you install one.
|Software updates and patching||Continuously patch vendor software as new updates become available to help reduce probability of attack or at least mitigate damage incurred.|
Hosting applications in Microsoft Azure not only alleviates management of systems for companies. It also helps with system updates and keeping servers up to date. As new security vulnerabilities are identified, Microsoft will automatically apply updates to Microsoft Azure roles (if configured to do so). Admins can choose to have Microsoft keep their roles (instances) up to date and apply these updates when they are available, thereby eliminating a tremendous administrative effort for the company.
Microsoft Office 365 ProPlus software can receive updates automatically from the Internet or from an on-premises location (based on organization’s preference).
|Identification-based access control||Protect access to applications and resources end-to-end: across the corporate datacenter and into the cloud.|
Microsoft identity and management solutions enable you to centrally manage identities across your datacenter and the cloud:
Office 365 uses Azure Active Directory cloud based user authentication service to manage users. You can choose from three main identity models in Office 365 when you set up and manage user accounts:
|Regular data backups||Back up data in case your organization is impacted by ransomware or other cyberthreats.|
Azure Backup enables protection for hybrid backups via prevention, alerting, and recovery features.
OneDrive for Business is an integral part of Office 365, and provides place in the cloud where you can store, share, and sync work files. It also allows for incremental restoration of files.
|Protection of administrative credentials||Secure administrative credentials from compromise and misuse.|
How Microsoft partners with the ecosystem
Cyber resiliency is not a problem we can address alone. Our commitment is to make sure our products work with technology our customers already use. Microsoft is fostering a vibrant ecosystem of partners who help us raise the bar across the industry. Through our technology partner network, we can offer proactive vulnerability tools as well as more feature rich solutions like application firewall and threat detection to customers. We also collaborate extensively with customers and industry standards bodies to help us meet specific customer cyber resiliency needs and industry regulations. Microsoft has been working with the Center for Internet Security (CIS) to demonstrate that our operating systems and most recently, our cloud platform, Azure, have been hardened against cyberthreats. We are working towards getting Azure to pass the CIS Benchmark requirements. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. Also, Microsoft is actively working to align our offerings with the SANS Critical Security Controls set of recommendations, which organizations use to prepare for the most important actual threats that exist in today’s Internet world.
Developing and executing a cyber resilience program is not trivial – it is a journey, not a destination. It requires organizational focus, commitment, and effort. For additional, detailed guidance on this topic, stay tuned for a white paper to be published later this year.
Ann Johnson, Vice President
Enterprise & Cybersecurity
Ann Johnson leads Enterprise & Cybersecurity at Microsoft. Her organization empowers global enterprises to confidently move to the cloud by modernizing their architectures for maximum business agility and security. Ann is a recognized industry leader with a proven track record for building and leading high-performing global enterprise software go-to-market teams. Ann has a background in cybersecurity, infrastructure and storage and is a frequent speaker on topics of online banking fraud, information security, healthcare security, mobile security, workforce diversity, privacy and compliance. She currently serves on the board of the Security Advisor Alliance and as Board Advisor to the biometric security firm HYPR.