
...time the charm. So today I'm going to talk about the critical role that cyber resilience has in today's strategies, because so far we have talked about a lot of prevention and a lot of ransomware, but then we always say "we got hacked, we got ransomwared" and it stops like that. And we say backup, backup, backup, but then how do we restore that backup? There's a process, there's the flow and everything. So, a disclaimer: I'm going to provide more like some best practices, what I think might be some of the pillars that every company should have in place, but please don't take them as a silver bullet. Cyber security is a very dynamic field, so please follow the standards, follow the basics, follow everything that you think might be applicable.

Something about me: my name is Albra, I recently joined Palo Alto as an Incident Commander. I like cyber security a lot; my cyber security background is more focused on breaking stuff and emulating and simulating adversaries. I love my bike, I recently got a KTM 890, and my passion for football is reflected in me being part of a team in Amsterdam, Arsenal SV, and we won last weekend, so yay. Today no boo.

So today's agenda: we will talk about the limitations of the traditional prevention measures we have. That doesn't mean that we need to go away from prevention; please, prevention, prevention, prevention, but definitely there might be some situations where prevention fails. I will go through the parts or the components of cyber resiliency, what might be some of the key components, some real world examples where the lack of cyber resilience led companies to bankruptcy, and then some of the best practices to integrate cyber resiliency into our frameworks and business as usual today. I'm going to close with some of the most effective implementations of incident response plans, with yours truly being an Incident Commander, and that will be more of the touching point, being a very crucial role for an efficient and effective incident response, and then closing remarks.

So why cyber resilience? Being in Europe, we have access to many frameworks and many publications, but we have a European cyber security agency, ENISA. It was mentioned throughout the presentations from previous speakers, and they publish a threat assessment and threat landscape report every year. If you see, there is a lot of information, not sure if you can see it, but the horizontal axis is months and you can see how many incidents per month are reported within the European countries. You see there's a trend, everything is increasing, and also there's a statement from ENISA that "we anticipate more incidents in the future". The same research has been done by Check Point, that those incidents are increasing, but many more say that in 2027 those numbers will get staggering. To me this should not discourage us, because these are only the incidents that went through, but I can assure you that for each one that was successful there might have been 10 or 20 that were prevented. But for us as defenders this number should be a bit threatening, because we need to be 100% right; red teamers or malicious actors have to be successful only once. And these are the numbers, and the numbers are not very satisfactory, I would say.

So let's try to understand what might be some of the limitations: how come all these incidents are being successful, and how come we as a company, we as a community, are focusing more on preventing, and leading to these preventive controls failing successfully, unfortunately. I see businesses more like this fancy yacht, cruise, however you want to call it, and this is how I, let's say, envision companies: being big cruise ships, expensive, having some budget, and then sailing through their own journey. But there are some threats, you can see some of them, that can successfully attack and can successfully make preventive controls unsuccessful, like zero-days or third parties; we talked about third-party vulnerabilities or third-party risks. So those companies have to reflect on those things, but they also have to consider moving forward, because they need to reach their journey, make money.

There are some examples that I want to bring today, like Equifax in 2017: they knew the vulnerability, they delayed the patch. It doesn't mean that their processes were not okay; they had the processes, they had the vulnerability, they didn't patch in time, they got hacked. Part of those pillars that I showed before: Marriott, 2019, compromised through a third party; they got breached even though they might have had many controls on their side, preventive, firewalls, all the shiny things that you can see on the cruise ship; they got breached. In 2019, Capital One, a misconfiguration of the cloud infrastructure, again the same result, they got breached. In 2021 there was a big Exchange Server zero-day that led to thousands of companies getting breached, even though they had everything in place, they had defense in depth, they had EDRs, firewalls, all the shiny things; again they got breached. So we can see that that layered defense has some holes nowadays.

So we need to address the concept of how we can move forward even though we are getting hit. There's a quote that I want to bring, which I live by every day. In cyber security there was this new trend, the DevOps concept, and we said we need to start shifting left: we had buggy software, so we shifted it left and we tried to train developers in order for them to make good software. And then we had users; even though we had EDRs, we had firewalls, we had users that clicked. Then we shifted left, trying to train them, awareness; still they were clicking, like the Hugo example. So I think now it's time to shift right: we need to consider resiliency as well.

So what are some of the key components of resiliency? It went so fast. I like to bring a quote which says it's about how hard you can get hit and keep moving. People use quotes all the time, the many Einstein ones and whatever, but this one was from Rocky Balboa in 2006, and he was talking about life, but this should apply to businesses as well, because as you remember from the cruise ship, you are getting hit all the time but you need to move forward and you need to be resilient. So in my perspective, what are the core components of cyber resiliency? You need to have a good incident response plan. People say "we have a SOC", but a SOC is not incident response; incident response is part of the SOC, but it should be a core pillar. I'm going to mention it in a later slide. You need to have a swift recovery; as we said, backup, backup, backup, it's always backup, remember Oki. So every time you get hit you need to move forward. And last, you need to continuously improve: learn about others that were unsuccessful, or try to share intelligence with each other, because definitely there might be something that someone else experienced that you need to get some fixes in place for.

So I would like to bring some real world examples where cyber resiliency worked and businesses moved forward. We have Maersk, a big shipping company, which got hit by ransomware. They went down: more than 400,000 endpoints encrypted and everything was down, but based on their offline backup, and I think it was in someplace in Kenya, in Africa, they were able to restore all their systems within a period of 10 days, and based on those cyber resilience processes they are now one of the biggest shipping companies in the world. Capital One got hit: someone stole credit card information, more than 200,000 users, and Social Security numbers etc. Based on their swift incident response and recovery and notification they were able to recover themselves. You have Uber, and Uber got hit three times recently, 2016, 2018 and 2022, more or less the same approach, the same attack vectors, but then they recovered based on their incident response, and Uber is Uber, we know. Then we have SolarWinds, we have Cognizant, we have Snowflake recently; everyone got hit, but they were able to recover and be resilient.

So we have some unsuccessful businesses. Travelex, most probably you have seen it right now if you travel around Europe, but in 2022 they got ransomwared and they filed for bankruptcy, but they were saved by the European community, being a big exchange system; yeah, they are too big to fail, but they filed for bankruptcy. We have Levitas Capital, 2022; they fell for a fake Zoom link. Sorry, I forgot to mention it, it was a fake Zoom link during Corona, Zoom being a very successful, let's say, intercommunication application; it was used as the attack vector for Levitas, and they are out of business right now. We have Code Spaces, 2014, a big cloud hosting infrastructure; they got hacked on AWS and they're out of business right now because they lacked backups; everything was in one cloud environment and they are not here anymore. So let's try to learn from these scenarios: don't do that, but do this one here, because it's quite important to move forward.

So some of the best practices, in my opinion: defense in depth is always. Try to be as granular as possible in your infrastructure; segmentation goes without saying, secure network, secure endpoints. Try to analyze behavior, behavior analysis, based on my previous talker's point. And focus on IR: make IR a core pillar of your infrastructure. I will dig deeper into some of the incident response playbooks, but focus more on IR being a core pillar of your security operations team. Have playbooks, test them, update them, do tabletops; it was mentioned that doing tabletop exercises is very important. And then share intelligence: so if I got hacked, or I see there is something in my infrastructure, I can share that information within the same medium or the same business domain, or even in other domains. It's quite important, and especially in the Netherlands; I'm part of those communities, they call it DEFCON Holland, but it's not part of DEFCON. We get together once a month and we share information: we go to a bar, have some drinks, and then we share, "I got hit, you got hit" etc. So sharing that information is very helpful to mitigate any future attacks.

And last but not least, I would like to focus on how to build a more effective incident response plan. People say "I have an incident response plan", but maybe it's dusty, maybe it's old etc. It's quite important, in my opinion, to focus on these four points. As I said, everything is personal: have an Incident Commander. Have an Incident Commander in the same role as you have a chess player that is ready to sacrifice the queen to win the game; so don't focus on "I need to get some approval from the management, I need to do that", no. Ask someone to take the reins of all the incidents and appoint someone that has the visibility on the business but also on the technical side of the security operations team; have someone to play that role, not always, but someone should do that. Living playbooks: we have playbooks on the internet, but they are quite static, so you have from left to right: I do analysis, detection, containment, eradication etc., but they don't, let's say, go back. It's always important to have information right away, and you can make different decisions if you had different information, so you need to have living playbooks, playbooks that always recycle the information back to make different decisions. Do live fire simulation: Netflix does a very crazy thing, Chaos Monkey, in the middle of the day they bring down one system in order to test their resiliency, in order to test the backup plan. I'm not saying go install ransomware in your Active Directory, but nowadays we have a lot of cyber range environments and it's very easy to build one, so you can prepare your cyber security operations to be up to speed and promptly take action on any kind of incident, phishing, ransomware, whatever the case; but do live fire simulation. Tabletop exercises are important, but not quite as efficient as a live one. And then do post-breach intel: don't recover, but rebuild better, so use that information in order to improve your living playbooks, live fire exercises and the appointment of the Incident Commander.

And last but not least, Europe is giving a hand: starting from 2024 we have a Cyber Resilience Act; it's going to be effective at the end of 2024. It's going to, let's say, push companies to be more proactive in their software, and you can see everything that you have nowadays, laptops, machines, computers at home, everything will be tested properly before being sold in Europe. So SolarWinds, because I was doing my research, SolarWinds, which was a third-party breach, would have been hacked because they didn't do the proper hygiene to prevent, or to be, let's say, a utilizer for other companies to get breached. So this is something that will bring us more, let's say, attention and more protection moving forward.

So in conclusion, I would like to bring three main topics as the giveaway for today. Cyber resiliency is not negotiable anymore; cyber resiliency should focus on businesses, but it should also focus on persons as well. I'm considering cyber resiliency myself; sometimes I'm woken in the middle of the night because I have kids, they have social media, they can click and they can do a lot of damage, so I need to do my own cyber resiliency as a person. The companies that have multi-million dollars, they should have done it many years before. Cyber resiliency is the new metric right now, so it's not anymore how many files you have, how many playbooks you have etc.; you need to be resilient in the market. And then learn from your survivors: nowadays there are a lot of communities, there's a lot of information that you can compile, you can research, you can bring it back into your environment in order to be more resilient and more productive. So thank you very much, I wanted to keep it short because it's 5 a.m. Thank you.