Tuesday, Apr 11, 2023
Hybrid Cyber Resiliency: Combining the Best of Proactive and Reactive Security Strategies
Steve Akers, Chief Information Security Officer and Chief Technology Officer for Managed Security Services, Clearwater
“Which one do I pick?”
This is a common question from leaders across the healthcare ecosystem trying to determine which cybersecurity strategy—proactive or reactive—is the best for their organizations.
The answer, really, is both. You need a hybrid approach.
Historically, there has always been a balance between reactive and proactive cyber strategies. Traditionally, that was a perimeter-based approach built on boundary defenses like firewalls. But, over time, the modern attack surface has expanded, and that approach is no longer effective on its own.
With today’s evolving attack surface, the best approach combines proactive and reactive measures to ward off potential attacks and respond when one occurs.
Reactive vs. Proactive Security
Reactive security takes place in response to a cyber event. It’s what happens after you’ve incurred a cyberattack or breach.
With reactive security, you have an idea about what’s happened, so you instantly move into incident response, for example, forcing password resets. This is where your teams look closely at your events and logs to analyze what happened and how to stop it.
Reactive security serves a purpose: it helps you contain the threat and limit the damage, and it helps you prevent similar attacks from taking hold across the organization.
But reactive security shouldn’t be a standalone strategy.
The modern threat landscape is too large for one approach. If your organization constantly operates in reactive mode, your teams will get bogged down in one area while new issues constantly appear elsewhere. Ultimately, your team will never get enough strategic thinking and planning time.
Proactive security takes steps to pre-emptively predict and identify potential cyber issues before they happen. Examples include penetration testing, threat hunting, awareness training, anomaly detection, and machine learning.
A proactive security strategy should reduce event impact and attacker dwell times and is where most organizations make the largest technical investments. This approach helps reduce responder burnout, improve compliance, detect potential breaches, and find security gaps before attackers can exploit them. This includes the human factor.
Threat actors are currently trying to exploit your workforce’s weaknesses, asking, “How do I start my attack? How can I use phishing and social engineering to take advantage of how you conduct your business to drop that malware or have someone open that link and have me start that attack?”
The Evolution: A Hybrid Approach
Modern threats require a modern approach to cybersecurity, so you must implement proactive and reactive measures.
Just like the evolution of cybersecurity, this process will take time. You don’t have to do everything in one day. In healthcare, reasonable and appropriate progress is the measuring stick for long-term resiliency.
The TAVE approach can help you mature cyber strategies to include both reactive and proactive measures, but in a consumable way, not all at once.
- Traceability: Ability to track from any event back to the point of origin and know who did what, and when
- Accountability: Ability to impart trust and measure that people, processes, and technologies are executing proper safeguards
- Visibility: Ability to see what is actively happening at the moment and adopt controls to address it
- Enforceability: Ability to control or apply rules to achieve desired outcomes
Here’s an example of how this might work:
First, outline all of your organization’s threat factors. Ask: What are our attack pathways? For example, people, your network, endpoints, software, etc.
From there, across your organization’s threat vectors, think about the greatest risks to your organization. Ask:
- Do we have controls in place to address them?
- Where are they?
- Do they function as intended?
- What would we do if they fail?
- Do we have controls in place that enable traceability, for example, logging?
- Do the logs have what we need?
This is the proactive approach to cybersecurity. Now let’s consider a reactive perspective.
For example, you have logs for traceability. When there is an anomaly, your system sends alerts. Those alerts enable you to move forward with reactive measures.
For each attack pathway, look at each area and your control set criteria, and think in terms of TAVE. You don’t have to have an answer for every area, but if you do, that’s likely a good indication that you’ve got a solid security framework in place. TAVE can also help you identify where you have security gaps, so you make plans to address them.
It’s important to note that there is no such thing as protecting “what’s important.” Threat actors don’t care how they enter your systems and network. If an attack pathway exists, you should make sure you’re addressing it, regardless of asset value.
From a reactive perspective, understand in detail how your organization would respond to a breach. Ask:
- Who will do what and when?
- If the appropriate response protocol is not used, what will happen?
- What do we do next?
And, maybe most importantly, routinely practice your response protocols. The last thing you want is for your team to make decisions under duress. With practice, your team should know exactly what to do before you experience a real-world cyber event.
Your organization has likely made sizable investments in controls, so you want to ensure they work as designed. This won’t eliminate your risk, but done well, it should minimize an event’s impact.
Put It Into Action
Identify a baseline of network operations and understand how your network, people, and processes function. Once you understand the depth of your visibility, consider how environmental changes can impact your ability to detect and respond to a cyber event.
From there, build detection processes into your change management procedures. Ask: How will this change affect our baseline of operations?
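As an added example that is not from the article or from Clearwater, the following Python script applies two of the questions above, "Do the logs have what we need?" and "How will this change affect our baseline of operations?", to a small constructed audit log. It checks whether each record carries the fields needed for traceability (who, what, when, and from where), and it compares today's failed logins per user against a constructed five-day baseline to produce the kind of alert that triggers reactive measures. The JSON-lines format, the field names (`ts`, `user`, `action`, `src_ip`, `outcome`), the sample records and the baseline figures are all assumptions made for the example.

```python
import json
from collections import Counter
from statistics import mean, pstdev

# Constructed sample audit log in JSON Lines form. The records and field names
# are invented for this example and are not from any real system.
SAMPLE_LOG = """\
{"ts": "2023-04-11T08:00:01Z", "user": "nurse01", "action": "login", "src_ip": "10.0.4.17", "outcome": "success"}
{"ts": "2023-04-11T08:02:10Z", "user": "nurse01", "action": "view_record", "src_ip": "10.0.4.17", "outcome": "success"}
{"ts": "2023-04-11T08:05:44Z", "action": "login", "src_ip": "10.0.9.3", "outcome": "failure"}
{"ts": "2023-04-11T08:06:00Z", "user": "admin", "action": "login", "src_ip": "203.0.113.9", "outcome": "failure"}
{"ts": "2023-04-11T08:06:05Z", "user": "admin", "action": "login", "src_ip": "203.0.113.9", "outcome": "failure"}
{"ts": "2023-04-11T08:06:10Z", "user": "admin", "action": "login", "src_ip": "203.0.113.9", "outcome": "failure"}
{"ts": "2023-04-11T08:06:15Z", "user": "admin", "action": "login", "src_ip": "203.0.113.9", "outcome": "failure"}
{"ts": "2023-04-11T08:06:20Z", "user": "admin", "action": "login", "src_ip": "203.0.113.9", "outcome": "failure"}
{"ts": "2023-04-11T08:06:25Z", "user": "admin", "action": "login", "src_ip": "203.0.113.9", "outcome": "failure"}
{"ts": "2023-04-11T08:06:30Z", "user": "admin", "action": "login", "src_ip": "203.0.113.9", "outcome": "failure"}
{"user": "billing02", "action": "export", "outcome": "success"}
"""

# Constructed baseline: failed logins per user on each of the five previous days.
BASELINE_FAILED_LOGINS = {
    "nurse01": [1, 0, 2, 1, 1],
    "admin": [2, 4, 3, 5, 3],
    "billing02": [0, 0, 1, 0, 0],
}

# Fields every record needs so an event can be traced to who / what / when / where.
REQUIRED_FIELDS = ("ts", "user", "action", "src_ip")


def parse_events(raw):
    """Parse JSON Lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def traceability_gaps(events):
    """Return (line_number, missing_fields) for each record that cannot answer
    who did what, when, and from where."""
    gaps = []
    for n, ev in enumerate(events, start=1):
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            gaps.append((n, missing))
    return gaps


def failed_logins_by_user(events):
    """Count failed login events per user; unattributed records are grouped
    under '<missing>' so they still surface rather than disappearing."""
    counts = Counter()
    for ev in events:
        if ev.get("action") == "login" and ev.get("outcome") == "failure":
            counts[ev.get("user", "<missing>")] += 1
    return counts


def baseline_threshold(history, sigma=3.0, floor=5):
    """Mean plus sigma standard deviations of the history, never below `floor`
    so that a user with a near-zero baseline is not flagged on a single failure."""
    if not history:
        return floor
    return max(mean(history) + sigma * pstdev(history), floor)


def anomalies(events, baseline, sigma=3.0, floor=5):
    """Users whose failed logins today exceed their baseline threshold."""
    flagged = []
    for user, today in sorted(failed_logins_by_user(events).items()):
        threshold = baseline_threshold(baseline.get(user, []), sigma, floor)
        if today > threshold:
            flagged.append((user, today, round(threshold, 2)))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for n, missing in traceability_gaps(evs):
        print(f"line {n}: not traceable, missing {missing}")
    for user, today, thr in anomalies(evs, BASELINE_FAILED_LOGINS):
        print(f"ALERT {user}: {today} failed logins today, baseline threshold {thr}")
```

Two records fail the traceability check (one has no user, one has no timestamp or source address), and only `admin` is flagged, because seven failures exceed that user's baseline while the single unattributed failure stays under the floor. The floor is the design choice worth noting: without it, a user whose history is all zeros would be alerted on the first failed login, which is exactly the kind of noise that keeps a team stuck in reactive mode.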
Then, validate the effectiveness of your implemented controls.
Focus on high-risk and high-impact areas and look for steps to minimize threat impact. And, of course, stay on top of the evolving threat landscape to understand how it influences and determines risk.