Today, everyone is talking about resilience, but achieving it can seem easier said than done. Security is an essential component of this mission-critical capability. In a recent interview with MeriTalk, Andy Stewart, senior national security and government strategist at Cisco, broke down security resilience into five dimensions. Stewart, who previously served as the assistant chief of staff for operations and maritime operations center director at Fleet Cyber Command, U.S. Navy 10th Fleet, also discussed the role of zero trust in achieving resilience.
MeriTalk: Resilient is a buzzword of late, but it’s a very serious requirement. What does resiliency mean to you?
Andy Stewart: It is a serious requirement – and I hope we can get beyond the buzzword because businesses, governments, and consumers have been under pressure to keep going despite dynamic disruptions that are happening faster than ever. I think of resilience as the ability to protect the mission integrity of every aspect of an agency’s operations, enabling the organization to withstand unpredictable threats or changes, and then emerge stronger and able to continue performing its core mission and tasks.
Organizational resilience is critical across all mission functions – not just day-to-day operations. Security resilience is especially critical because security underpins everything. Security resilience is core to what we often refer to as commander’s business: It’s so important it needs to be addressed at the highest levels of leadership, not just the IT team.
MeriTalk: Will resiliency always be a moving target?
Stewart: My experience in the Navy led me to view resiliency not as a moving target, but as an integral part of operating in a dynamic environment. Security resilience, specifically, is a continuum that is not simply alert- or threat-centric. It’s context-centric. We’re asking new and increasingly deep questions. We need to know where we are exposed to risk, both directly and indirectly – and how we will demonstrate measurable progress. And we need to understand all of this in the mission context.
Security resilience requires us to move beyond point solutions that were built in silos. We must move from prevention to detection, response, and recovery – from the siloed environment to the highly connected, dynamic environment.
MeriTalk: Where do you see agencies succeeding at being resilient with their IT infrastructure and specifically their security? Where and how do agencies need to become more resilient?
Stewart: The new, digital world where everything and everyone is connected has enhanced agencies’ capabilities and capacity to deliver services, but it has also created an ever-expanding attack surface because business boundaries are blurred. Agencies’ information environments are operating much more like digital ecosystems – creating billions of connections to collaborate, share data, process information, and operate very, very quickly.
Security is also complicated by the hybrid, multi-cloud environment in which agencies move their workloads dynamically, depending on operational needs, cost, and risk profile. Agencies that can adapt their operating IT infrastructure into a hybrid model that supports mission resiliency have a big advantage. But the infrastructure must be designed with security built in – not bolted on.
For security resilience that is built into the infrastructure, successful agencies begin by addressing five core dimensions. The first dimension is visibility. Agencies need to leverage telemetry to make sense of billions of signals and data points flowing across the ecosystem. That information helps them understand the environment so they can implement and adjust policy while working with active monitoring and filtering solutions.
The second dimension is to anticipate what’s next with built-in actionable intelligence and expertise, like that provided by Cisco Talos. Combined with visibility, this fuels rapid response and takes detection and response to the next level.
The third dimension is taking the right action. It is hard to remediate every vulnerability. We need to prioritize. That’s where risk-based contextual analysis and continuous trust assessment help.
That leads to the fourth dimension, which is to aggressively close gaps across the span of users, devices, networks, and applications – the whole connected ecosystem. This is where an integrated security and networking platform that is open and extensible helps agencies recover from disruption faster.
Finally, the fifth dimension is dedication to getting stronger every day. Providing the application, networking, and security teams with an integrated environment helps them do everyday tasks – enabled by automation. Organizations that build this muscle memory allow the whole team to respond to disruptions, restore operations, and continue fulfilling the mission.
MeriTalk: How are initiatives such as zero trust helping agencies improve their security resilience?
Stewart: Zero trust helps by taking an integrated approach to an agency’s security, networking, and applications. We think of it as four steps of a continuous cycle: establishing trust, enforcing trust-based access, continuously verifying trust, and responding to changes in trust in the relationship between users and devices and data, applications, and workloads. By taking these steps, agencies are realizing better security resilience.
Establishing trust is about understanding the contextual identity of users, devices, and services to make risk-based authentication decisions across IT and OT environments.
Enforcing trust-based access means applying micro-segmentation, access control, and the principles of least-privilege access to provide consistent, policy-based verification across people, applications, and machines.
The key to continuously verifying trust is constantly reassessing it, looking for indicators of compromise, sharing telemetry and signals across the enterprise, using behavior monitoring for both threat and non-threat activity, and employing vulnerability management – all with a risk-managed approach.
A risk-managed approach enables agencies to respond to changes in trust like moving into a prioritized incident response mode – leveraging orchestration and remediation to the maximum degree possible. This is where the team can make use of integrated and open workflows to ensure a resilient response.
MeriTalk: What obstacles do agencies still face?
Stewart: I think most organizations struggle with how to integrate people, processes, and technology. Getting the team to buy into zero trust will naturally bring the security and networking teams to work more closely together. When you build an integrated networking and security platform, the integrated technology solutions should naturally lead to integrated processes and help bring people together.
Another challenge is the fear that stronger security will result in a poor user experience and impact productivity. This needs to be addressed up front. The sweet spot for zero trust is where attackers are frustrated, and users are empowered to do the right thing. You want to make it easier for users to authenticate and understand when they are out of compliance – and help them remediate themselves.
MeriTalk: How is Cisco helping agencies protect against the unknown and thus improve their security resilience?
Stewart: Earlier, we talked about how agencies are moving to a highly connected environment that necessitates security resilience with an approach that is based on detection, response, and recovery. This is what the Cisco Secure platform delivers. It is a threat-informed, integrated networking and security platform that is open, extensible, and built to scale for a hybrid, multi-cloud environment.
Cisco has an unparalleled vantage point for protecting the integrity of our customers’ missions because we see more than 80 percent of the world’s internet traffic across our devices. We see more than 1 billion authentication requests each month, and we have more than 400 third-party integrations.
We also have a response organization that understands how bad actors get into organizations and how to quickly remediate so agencies are more resilient and can spring back faster. Our response organization feeds threat information into our detection and response systems so all our customers can respond more quickly to threats.
And finally, we have multiple partners and services that can help our customers design, deploy, and optimize their environments for zero trust.
Whether it’s protecting and enabling an agency’s mission-critical operations or protecting the Super Bowl or the Olympics, Cisco is empowering our global customers with the resiliency needed to withstand unpredictable threats and changes and emerge stronger – in spite of a dynamic and ever-changing threat landscape.