Cyber Resilience
Always one step ahead of cyber criminals
Cybercrime is now omnipresent. What can companies and IT managers do to ensure that these attacks remain unsuccessful?
The more complex a system, the more diverse the opportunities to throw it off balance - this insight may sound simple, but it has enormous implications for IT and communication environments. Because while digital infrastructures are becoming increasingly complex, cyber criminals are bursting with ingenuity and zest for action. With a sophisticated cyber resilience strategy, management and IT security managers can keep an eye on the big picture and gain a decisive edge.
Attacks on IT systems are not an isolated phenomenon. According to a study by the University of Maryland, a computer is attacked by a criminal hacker every 39 seconds, which adds up to over 116,000 criminal attacks per year on a single Internet-enabled device. An expensive affair: according to Cybersecurity Ventures, cybercrime could cost the global economy more than six trillion US dollars a year. For IT security managers, it is clear that they need holistic security concepts if they want to put a stop to cyber criminals, preferably before any significant damage has been done. Attacks can have a wide variety of objectives: industrial espionage, damage to reputation, manipulation and the paralysis of operations are just a few examples.
The key to modern security strategies is to always be one step ahead of data thieves and IT saboteurs and to be able to react quickly and, above all, in a targeted manner when in doubt. With cyber resilience, companies rely on a holistic catalog of methods that is just as versatile as the illegal toolboxes of cyber crooks - and thus enables proactive and active intervention that limits the damaging effects of attacks or even prevents them altogether.
The most common tricks used by cyber criminals
According to a Bitkom study from 2018, seven out of ten industrial companies were affected by cyber attacks in the previous two years. Given that the demand for remote services increased significantly in 2020 and that there was a noticeable shift of processes to the public cloud at the same time, this trend is not set to decline in the foreseeable future.
One glaring vulnerability is access data and passwords. On the one hand, these are stolen; on the other, they are tried out automatically using brute-force methods until a random hit passes authentication. Alternative access paths to applications or hardware, so-called back doors, are an equally popular method among intruders. Malware is also widespread. In its 2020 situation report, the BSI explains that the variety of malware programs is constantly increasing: around 117 million new variants were registered between the beginning of 2019 and mid-2020.
Social engineering, which essentially aims to defraud employees of their data through personal manipulation, should also not be neglected. Finally, in addition to threats that affect companies from the outside, there are a number of security risks that arise from within the organization or the system. These include unclear access authorizations or improperly configured applications as well as user errors that are immediately exploited by cyber criminals.
Cyber resilience closes the security loop
Although it would be ideal to completely eliminate security vulnerabilities and thwart attacks entirely, this intention is not realistic. National and international cybercrime networks are now so adept and efficiently organized that they quickly adapt to standard protection mechanisms, and their activities are designed to constantly discover new gaps in systems. Firewalls, email encryption and the like remain indispensable, but they can never offer 100% protection. For this reason, it is important to systematically identify vulnerabilities and blind spots, to be ready at the moment an attack succeeds at such a weak point, and to initiate effective measures that contain the attack as well as possible.
All measures - both proactive and reactive - must be continuously optimized and adapted to the behavior and methods of hackers. Far-reaching cyber resilience is achieved when individual security, recovery and business continuity methods become a closed cycle that begins with the identification of risks (Identify), derives protective measures from this (Protect), recognizes threats, automatically wherever possible (Detect), responds to these threats in a targeted manner (Respond), restores normal conditions in all areas of the infrastructure (Recover) and uses the analyzed findings from security incidents to optimize the cyber resilience mechanisms (Predict). Companies that use adaptive AI algorithms for this purpose are even able to better assess future threats and their characteristics (predictive security).
Identify: Recognize and evaluate risks
A comprehensive and effective cyber resilience strategy requires one thing above all: a clear view. Where are the weak points and likely points of failure in the system, and how far-reaching is the risk posed by these critical system areas? How could an attack occur? These questions are not only relevant during operations, but should also be considered during the development of new solutions and system components. This is why DevSecOps mechanisms and automated scanning and testing activities are increasingly becoming the standard for secure IT infrastructures. What is also attractive about solutions of this kind is that they keep an eye on the entire life cycle of a piece of software in the spirit of end-to-end cyber resilience and therefore record and evaluate all security-relevant events.
Protect: Define security mechanisms
The results of the Identify process have a direct impact on the selection and design of preventive security measures. Ultimately, the solutions and processes used for this purpose must be specifically coordinated so that they neither create redundancies nor unintentionally leave gaps open. Constantly adapting the underlying metrics and functions ensures that the developed concepts "learn" and that the established mechanisms remain responsive. Raising staff awareness is just as important as using smart software: after all, even the best email encryption is useless if employees carelessly disclose sensitive information or fail to keep their access data under lock and key.
Detect: Detect deviations, recognize attacks
This stage of the cyber resilience cycle shows how valid the classification of vulnerabilities from the Identify phase is and how well the monitoring tools used can evaluate the resulting metrics. Self-learning, AI-based monitoring tools use defined parameters to automatically detect whether there are irregularities in the infrastructure that indicate an attack; this is made possible by monitoring network communication and intelligent pattern recognition, among other things. The incidents range from criminal hackers accessing the internal database, acute denial-of-service (DoS) attacks or data-stealing Trojans to bots that distort the statistics of your own website through spamming and thus drive up cost-per-click fees, for example.
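The two attack patterns named on this page, automated password guessing (brute force) and bots that inflate click statistics, are the kind of "irregularities" a monitoring tool detects from defined parameters. The following is an added example, not code from the article or from T-Systems: two detection rules run over constructed log lines. The log format (`<timestamp> auth|web key=value ...`), the thresholds and the IP addresses are all assumptions chosen for illustration. The brute-force rule counts failed logins per source in a sliding time window; the click-bot rule looks at how regularly a source hits the ad-click path, since a script firing on a timer produces inter-arrival times with almost no variation, unlike a person.

```python
"""Detection rules over constructed log lines (added example, not the article's code).

Rule 1: brute force - at least `threshold` failed logins from one source within
        a sliding `window` (default 5 in 60 s) raises one alert per source.
Rule 2: click bot - a source with at least `min_hits` requests to the ad-click
        path whose inter-arrival times have a coefficient of variation
        (stdev / mean) at or below `max_cv` is flagged as machine-like.
The log format and all sample values below are assumptions.
"""
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log: "<ISO-8601 UTC> auth src=<ip> user=<name> result=<OK|FAIL>"
AUTH_LOG = """\
2024-03-01T08:00:01Z auth src=203.0.113.5 user=alice result=OK
2024-03-01T08:00:02Z auth src=198.51.100.7 user=admin result=FAIL
2024-03-01T08:00:03Z auth src=198.51.100.7 user=admin result=FAIL
2024-03-01T08:00:04Z auth src=198.51.100.7 user=root result=FAIL
2024-03-01T08:00:05Z auth src=198.51.100.7 user=bob result=FAIL
2024-03-01T08:00:06Z auth src=198.51.100.7 user=bob result=FAIL
2024-03-01T08:00:30Z auth src=203.0.113.5 user=alice result=FAIL
2024-03-01T08:07:00Z auth src=198.51.100.7 user=carol result=FAIL
"""

# Constructed web access log: "<ISO-8601 UTC> web src=<ip> path=<path> ua=<agent>"
WEB_LOG = """\
2024-03-01T09:00:00Z web src=192.0.2.10 path=/ad/click ua=Mozilla/5.0
2024-03-01T09:00:10Z web src=192.0.2.10 path=/ad/click ua=Mozilla/5.0
2024-03-01T09:00:20Z web src=192.0.2.10 path=/ad/click ua=Mozilla/5.0
2024-03-01T09:00:30Z web src=192.0.2.10 path=/ad/click ua=Mozilla/5.0
2024-03-01T09:00:40Z web src=192.0.2.10 path=/ad/click ua=Mozilla/5.0
2024-03-01T09:00:03Z web src=203.0.113.9 path=/index.html ua=Mozilla/5.0
2024-03-01T09:00:41Z web src=203.0.113.9 path=/ad/click ua=Mozilla/5.0
2024-03-01T09:03:15Z web src=203.0.113.9 path=/products ua=Mozilla/5.0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|web) (?P<kv>.*)$")


def parse_events(text):
    """Parse log text into dicts sorted by time; malformed lines are skipped.

    Sorting matters: log sources are often interleaved or delivered late, and
    the sliding-window rule below assumes chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "kind": m["kind"]}
        for pair in m["kv"].split():
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source when >= threshold failed logins fall inside the window."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        if ev["kind"] != "auth" or ev.get("result") != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "at": ev["ts"], "failures": len(q)})
    return alerts


def detect_click_bots(events, path="/ad/click", min_hits=4, max_cv=0.1):
    """Flag sources whose hits on `path` arrive with machine-like regularity."""
    hits = defaultdict(list)
    for ev in events:
        if ev["kind"] == "web" and ev.get("path") == path:
            hits[ev["src"]].append(ev["ts"])
    flagged = []
    for src, times in hits.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            flagged.append({"src": src, "hits": len(times), "cv": round(cv, 3)})
    return flagged


def run():
    """Run both rules over the constructed logs and return their findings."""
    events = parse_events(AUTH_LOG + WEB_LOG)
    return {"brute_force": detect_brute_force(events), "click_bots": detect_click_bots(events)}


if __name__ == "__main__":
    for rule, findings in run().items():
        print(rule, findings)
```

On the sample data the brute-force rule fires once for 198.51.100.7 at 08:00:06, when the fifth failure within 60 seconds arrives; the later failure at 08:07:00 does not re-alert because the earlier ones have aged out and the source is already on the alerted list. The single failed login from 203.0.113.5 stays below the threshold, which is the point of a windowed count rather than a flat "any failure" rule. The click-bot rule flags 192.0.2.10, whose five hits arrive exactly ten seconds apart (coefficient of variation 0), and ignores 203.0.113.9, which clicked once amid ordinary browsing. In a real deployment both thresholds would be tuned against the site's own baseline traffic.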
Respond: Implement measures in a planned and prudent manner
The challenge in this phase is to prevent damage and shield business operations from a threat as much as possible. One thing is clear: if the Detect mechanisms identify a threat quickly and efficiently, countermeasures can be initiated with a correspondingly short response time. Just as important as a high detection speed is a catalog of measures that is as differentiated as possible. The more targeted and versatile an incident response plan is, the easier it is to reach straight into the right drawer in the event of a security incident. This makes it possible to plan a step-by-step response to an incident - both for minor, everyday security incidents such as a bot that simulates real user behavior and for a serious sabotage attack that puts the operational processes of the entire company at risk.
Recover: damage repair and system stability
Harmless incidents such as a bot attack can be remedied with simple means. It is often sufficient to block the malware, document the attack in the log and restore the system from a backup that is, of course, free of malware. In the case of more severe attacks, however, more extensive recovery measures are required in order to restore a stable system status as quickly as possible and thus return to normal operation. Depending on the nature and severity of a security-relevant event, the processes defined in the business continuity and disaster recovery strategies come into play here.
Predict: Predictive analyses
This important stage of the process closes the cycle of an intelligent cyber resilience strategy by integrating the monitoring and analysis results from security incidents and using them to develop targeted assessments and predictions for new, potential threats. The predictive evaluations flow directly into the identification of security-relevant vulnerabilities in the company infrastructure. AI-based monitoring tools create the necessary framework for automated detection and evaluation processes, which are essential for responsive and accurate cyber resilience tactics.
It's obvious: a security strategy that aims to ensure the highest level of data and system protection even in complex IT environments must be more than a collection of individual measures. Cyber resilience depends on all security-relevant processes being optimally coordinated and the underlying solutions continuously learning. In this way, companies can effectively counter the high level of inventiveness of cyber criminals and always stay one step ahead.
Frank Schönefeld, Head of Business Area Digital Reliability and Member of the Management Board and Katja Tietze, Senior Business Development Manager and Consultant, both T-Systems Multimedia Solutions