The National Institute of Standards and Technology (NIST) released its Cybersecurity Framework (CSF) 2.0 earlier this year, the first update since the original was released in 2014. The framework offers detailed guidance and recommendations on a wide range of cybersecurity topics, including the role of data backups in incident response and recovery plans. MeriTalk recently sat down with Travis Rosiek, public sector chief technology officer at Rubrik, to discuss the current threat landscape and the changes in the updated framework that help agencies and organizations plan for worst-case cyberattack scenarios.
MeriTalk: NIST’s Cybersecurity Framework dates back to 2014, which seems like a lifetime ago in cybersecurity. How much has the cyber threat landscape changed since then, and how effectively, broadly speaking, does the new version 2.0 address this evolution?
Rosiek: The volume of threat actors and cyberattacks has increased tremendously in the past 10 years. In 2014, the most destructive malware could only do things like bring down websites. Now, organized cybercriminals have monetized their cyberattacks with ransomware, which is affecting every industry vertical at scale and can have catastrophic effects. Another significant change is the adoption of cloud technology and managed services, which have dramatically increased the attack surface. We are also seeing more cyberattacks targeting the supply chain, which is the Achilles heel for many organizations. A weak link in the supply chain negatively impacts every organization up the chain.
The rise in threat actors and the types of attacks they are launching significantly influenced the latest version of the framework. It is heavily focused on governance, securing the supply chain, and data protection and recovery practices. It also includes quick-start guides to increase adoption of cybersecurity mitigation tools. These quick-start guides are especially useful to smaller entities that may lack cybersecurity resources.
MeriTalk: A key difference in CSF 2.0 is that it is aimed at all organizations, regardless of type or size, in contrast to version 1.0’s focus on critical infrastructure. How would you assess the change and the impact it might have?
Rosiek: Given the significant rise in threat actors and their evolving tactics, this version needed to be more inclusive of different types of organizations. Threat actors are no longer just trying to steal intellectual property or disrupt national security. Ransomware has made cybercriminal activity lucrative. Every entity, no matter the size or industry, is a target, and the cyber attackers are relentless. Version 2.0 of the framework raises overarching awareness of cybersecurity practices and the responsibilities organizations have to secure their systems. The updated framework will be very helpful to all types of organizations, especially small- and medium-sized entities that need more assistance and guidance to improve their security.
MeriTalk: Within its 27 pages, the new framework also contains myriad suggested changes. Among them, under data security, is the recommendation that organizations create, protect, maintain, and test “backups of data.” Based on your experience at Rubrik, why is it important that Federal agencies consider this recommendation in particular?
Rosiek: Backups are critical to recover from an incident, whether it be a ransomware attack, human error, natural disaster, or anything that impacts an agency’s networks and data. We are seeing that cyber attackers are targeting backups because they are less visible and often less protected than other assets. If backups haven’t been created, protected, maintained, or tested as outlined in the framework, they won’t be there – or won’t work – when they are needed for incident recovery. That turns recovery from something that could have been a quick and inexpensive process into one that takes a very long time, leading to downtime and to financial, reputational, and data loss.
Many agencies and other organizations simply aren’t maintaining and testing their backups. To help overcome backup oversights, Rubrik offers “Save the Data” tabletop exercises, which walk organizations through sample attacks. The exercises demonstrate the processes and personas involved in recovering from an attack to help IT teams see any holes they may have in their processes.
MeriTalk: In a section on continuous monitoring, CSF 2.0 urges organizations to monitor “computing hardware and software, runtime environments, and their data” to “find potentially adverse events.” How would you assess this revision, and how would implementing it better protect agencies from potential attacks?
Rosiek: The addition of this recommendation shines a light on the depth and breadth of the art of the possible in cyberattacks. It pushes agencies to think about all of the different attack possibilities, not just ransomware. Critical attack types to watch for, especially as agencies adopt artificial intelligence, are data modification and data poisoning attacks. In these attacks, bad actors, including insider threats, alter data for nefarious purposes. The inclusion of this recommendation helps agencies look at cybersecurity more holistically so they can better anticipate, mitigate, and respond to a variety of threats.
MeriTalk: Once an organization has suffered a cybersecurity incident, CSF 2.0 addresses how affected assets and operations should be restored. As part of its suggested Incident Recovery Plan Execution, the document recommends verifying “the integrity of backups and other restoration assets” before using them for restoration. In your experience, how careful should organizations be in turning to backup systems after an incident? Why is this recommendation something that Federal agencies should follow?
Rosiek: This recommendation is significant. If an agency or other organization is impacted by an attack that compromises their systems, it may not have a full sense of when the attack happened or which systems and backups were compromised. Without verifying the integrity of backups before they are used in response to an incident, agencies could just propagate that malware back into production. Monitoring and testing backups before an incident are important parts of an incident response plan, but so is analyzing backups after an incident to ensure they haven’t been compromised and are safe to use.
MeriTalk: Some of the changes in the new framework align to the value that Rubrik can provide Federal agencies. Data security, for example, lies at the core of Rubrik’s cybersecurity mission. What are some specific Rubrik solutions you can highlight that might help the Federal government implement the new CSF – and better protect the American people?
Rosiek: In today’s environment, it’s no longer about preparing for if you get attacked, but when. Being hit with a cyberattack is scary. At Rubrik, we are focused on helping agencies and organizations recover quickly from their worst day or worst-case cyberattack scenarios. We have purpose-built our platform with zero trust principles that minimize risks against threat actors that are targeting backups. The Rubrik Security Cloud protects data and helps agencies recover data and applications quickly. We also help agencies develop and test incident response plans and playbooks. Our product suite can help agencies identify where their sensitive data resides in the enterprise so that it can be properly backed up. We also meet the framework’s recommendations for testing backups. Rubrik acts as a failsafe mechanism for quick recovery, reducing downtime in the event of an incident.
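The recommendation discussed above, that the integrity of backups be verified before they are used for restoration, can be made concrete with a manifest check. The following is an added example written for this page, not code from Rubrik, NIST, or MeriTalk: at backup time it records a SHA-256 digest for every file and authenticates the manifest with an HMAC whose key is held away from the backup system; before a restore it rejects the backup set if the manifest tag fails or if any file was modified, removed, or added. The file paths, contents, and key are constructed sample values.

```python
"""Integrity-check a backup set before restoring from it (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed sample backup set: path -> file contents. A real backup would
# stream files from disk; bytes are embedded here so the example runs offline.
BACKUP_SET = {
    "etc/app/config.yaml": b"db_host: db.internal\nlog_level: info\n",
    "var/lib/app/users.db": b"\x00\x01constructed-sqlite-bytes\x02",
    "opt/app/bin/start.sh": b"#!/bin/sh\nexec /opt/app/server\n",
}
# Constructed manifest key. Keep it off the backup system so an attacker who
# alters backup contents cannot also recompute a valid manifest tag.
MANIFEST_KEY = b"constructed-demo-key-store-this-offline"


def build_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Record a SHA-256 per file and HMAC the whole manifest (run at backup time)."""
    entries = {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": hmac.new(key, body, "sha256").hexdigest()}


@dataclass
class VerificationResult:
    manifest_ok: bool
    modified: list[str] = field(default_factory=list)
    missing: list[str] = field(default_factory=list)
    unexpected: list[str] = field(default_factory=list)

    @property
    def safe_to_restore(self) -> bool:
        return self.manifest_ok and not (self.modified or self.missing or self.unexpected)


def verify_backup(files: dict[str, bytes], manifest: dict, key: bytes) -> VerificationResult:
    """Run before restoring: authenticate the manifest, then check every file."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, "sha256").hexdigest()
    manifest_ok = hmac.compare_digest(expected_tag, manifest["tag"])
    result = VerificationResult(manifest_ok=manifest_ok)
    if not manifest_ok:
        return result  # a forged manifest means none of its digests can be trusted
    for path, digest in manifest["entries"].items():
        if path not in files:
            result.missing.append(path)
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            result.modified.append(path)
    result.unexpected = sorted(set(files) - set(manifest["entries"]))
    return result


def scenario_clean() -> VerificationResult:
    """Untouched backup set: passes and is safe to restore."""
    manifest = build_manifest(BACKUP_SET, MANIFEST_KEY)
    return verify_backup(BACKUP_SET, manifest, MANIFEST_KEY)


def scenario_tampered_files() -> VerificationResult:
    """Startup script altered and the database removed after the manifest was taken."""
    manifest = build_manifest(BACKUP_SET, MANIFEST_KEY)
    damaged = dict(BACKUP_SET)
    damaged["opt/app/bin/start.sh"] = b"#!/bin/sh\nexec /opt/app/server --unexpected-flag\n"
    del damaged["var/lib/app/users.db"]
    return verify_backup(damaged, manifest, MANIFEST_KEY)


def scenario_forged_manifest() -> VerificationResult:
    """Files altered and the manifest rebuilt without the real key: tag check fails."""
    damaged = dict(BACKUP_SET)
    damaged["etc/app/config.yaml"] = b"db_host: db.internal\nlog_level: off\n"
    forged = build_manifest(damaged, b"wrong-key-attacker-does-not-hold-the-real-one")
    return verify_backup(damaged, forged, MANIFEST_KEY)


if __name__ == "__main__":
    for name, fn in (("clean", scenario_clean), ("tampered", scenario_tampered_files),
                     ("forged manifest", scenario_forged_manifest)):
        r = fn()
        print(f"{name}: safe_to_restore={r.safe_to_restore} modified={r.modified} "
              f"missing={r.missing} manifest_ok={r.manifest_ok}")
```

Only a result with `safe_to_restore` true should feed a restore job; anything else is an incident-response finding, since it tells the team either which restoration assets were altered or that the manifest itself can no longer be trusted. Authenticating the manifest with a separately held key is what stops an attacker who has write access to the backup store from rewriting the digests to match altered files.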