Defense and critical national infrastructure (CNI) networks are the cornerstone of operational readiness and resilience, and of ensuring that threats don’t prevent organizations from accomplishing their mission.
So, in a cybersecurity landscape where threat actors like Volt Typhoon can live undetected for years in CNI networks, it’s particularly necessary that organizations become more proactive in their approach to detecting and limiting any exposure.
This requires enhanced network visibility and advanced hardening practices to protect the organization’s ‘soft underbelly’, namely the ‘connective tissue’ devices such as routers, switches and firewalls that state-sponsored adversaries are known to target.
The previous article in this series explored why an industry-specific operational readiness approach is so vital and how the US Department of Defense (DoD) is leading the way with its Cyber Operational Readiness Assessment (CORA) program. It also showed how Nipper Resilience helps Security Operations Center (SOC) and Network Operations Center (NOC) teams proactively assure that their networks are constantly mission-ready and resilient.
This article takes a closer look at the foundational principles and practices for continuously monitoring and managing network risk exposure to maintain operational readiness.
The shift to continuous operational readiness
While the CORA program is aimed specifically at DoD networks, it pioneers a new approach to network security that can be applied to other CNI networks. This shift is especially urgent given the growing threat to utilities and telecommunications networks from state-linked groups such as Volt Typhoon, Salt Typhoon, CyberAv3ngers, and others.
These groups have already been shown to target vulnerable network components such as routers to penetrate the perimeter and lie dormant and undetected in CNI networks.
Clearly, relying on periodic checklist compliance is no longer adequate; CNI organizations should take a lead from the DoD and rethink every aspect of their approach, from the focus, frequency, and scope of assessments, to the outcomes assessments deliver and the way findings are prioritized.
Comparison: traditional audit approach vs. operational readiness approach
Feature | Traditional audit approach | Operational readiness approach
--- | --- | ---
Focus | Checklist compliance | Business impact and threat context
Frequency | Point-in-time | Continuous readiness mindset
Scope | Cybersecurity only | Attack surface including cyber-physical systems / operational technology
Prioritization | All findings treated equally | Risk-based triage
Outcome | Pass/fail or scorecard | Actionable operational risk insights
Protect business-critical systems with macro segmentation
Network segmentation is one of the key principles of Zero Trust network security. Macro segmentation, or Layer 3 segmentation, separates the most business-critical parts of the network from general IT and administrative network areas.
Macro segmentation helps organizations prevent lateral movement in the event of a breach by minimizing access to the most critical parts of the network based on a principle of least privilege. It also allows organizations to prioritize risk management, remediation, and response based on network criticality and the potential for an exploited vulnerability to directly jeopardize operations.
For example, organizations might prioritize an ‘amber’ or ‘high priority’ vulnerability in a business-critical segment over a ‘red’ or ‘critical priority’ vulnerability in an administration network.
Enacting macro segmentation is a vital first step, but continuously monitoring for network device changes and misconfigurations, particularly in business-critical segments, is essential to ensure the network remains segmented as intended between audits.
With visibility of every change in the most critical parts of the network, NOC and SOC teams can understand and continuously maintain or reduce their current risk exposure. The right solution will also quickly identify indicators of compromise (IoCs) that could endanger the organization’s mission.
Increase network visibility and hardening with CMDB-centric, centralized configuration change management
To support operational readiness and consistency with best practice, it’s now widely accepted that network devices such as routers, switches, and firewalls should not be treated as the primary source of truth for their configurations. Instead, organizations should maintain an accurate, centralized configuration management database (CMDB) or configuration repository, which serves as the authoritative reference for all device configurations and changes.
Adopting an automated, CMDB-centric approach to labeling and managing device configurations also ensures alignment with recommendations from the Cybersecurity and Infrastructure Security Agency (CISA) and delivers valuable SOC and NOC benefits.
For example, labeling devices as belonging to business-critical parts of the network in the CMDB allows Nipper Resilience to prioritize changes in high-risk segments for investigation against known attack vectors and Zero Trust policies.
Pairing this approach with a proactive Nipper Resilience deployment that detects and analyzes each configuration change when the CMDB record is updated gives NOC teams near real-time visibility of critical network exposure and IoCs.
Teams can also use Nipper Resilience to keep the CMDB continuously updated with the live device configurations—and in doing so create a digital twin of the CMDB. This twin enables organizations to manage configuration as code and follow network management best practices that support:
- Pre-deployment testing to identify updates that might introduce exposure to known attack vectors, or violate Zero Trust policies or other compliance requirements
- Faster, more reliable rollbacks
- Rapid disaster recovery in the event of an incident
As well as identifying unauthorized changes, Nipper Resilience enforces that planned and authorized changes are secure and policy-compliant to ensure operational readiness and resilience across the network.
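The two practices described above, segment-aware prioritization (an ‘amber’ finding in a business-critical segment outranking a ‘red’ one in an administrative network) and CMDB-centric drift detection (the CMDB as the source of truth, live device configs diffed against it, unauthorized changes flagged and authorized ones still checked against policy), can be put together in a short script. The following is an added example written for this article; it is not Titania’s or Nipper Resilience’s code. Every device name, configuration line, policy rule and weight is constructed for illustration, the device syntax is assumed to be Cisco IOS-like, and the CMDB is modelled as an in-memory dictionary rather than a real ServiceNow or similar record.

```python
"""Added example (not Titania's or Nipper Resilience's code): treat the CMDB as the
source of truth, diff it against live device configs, flag unauthorized drift, and
triage findings by network segment before severity.  Every device name, config
line, policy rule and weight below is constructed; the config syntax is assumed to
be Cisco IOS-like."""
import difflib
from dataclasses import dataclass

# Constructed CMDB: authoritative config, segment label and approved change lines.
CMDB = {
    "core-rtr-01": {
        "segment": "business-critical",
        "config": "hostname core-rtr-01\nservice password-encryption\n"
                  "line vty 0 4\n transport input ssh\n",
        "approved_changes": set(),
    },
    "admin-sw-07": {
        "segment": "administrative",
        "config": "hostname admin-sw-07\nservice password-encryption\n"
                  "line vty 0 4\n transport input ssh\n",
        # A planned change that was ticketed and approved but is still risky.
        "approved_changes": {"-service password-encryption",
                             "+no service password-encryption"},
    },
}

# Constructed live configurations, as pulled from the devices.
LIVE = {
    "core-rtr-01": "hostname core-rtr-01\nservice password-encryption\n"
                   "line vty 0 4\n transport input telnet ssh\n",
    "admin-sw-07": "hostname admin-sw-07\nno service password-encryption\n"
                   "line vty 0 4\n transport input ssh\n",
}

# Constructed policy: substring that makes an added line risky, severity, reason.
POLICY = [
    ("transport input telnet", "high", "cleartext management access (telnet) enabled"),
    ("no service password-encryption", "critical", "local passwords stored in cleartext"),
]
SEGMENT_RANK = {"business-critical": 2, "administrative": 1}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "info": 0}


@dataclass
class Finding:
    device: str
    segment: str
    change: str        # "+line" added on the device, "-line" removed from it
    authorized: bool   # True if the change line is in the CMDB's approved set
    severity: str
    reason: str


def config_changes(baseline, live):
    """Return the '+'/'-' lines of a zero-context unified diff, CMDB baseline vs live."""
    diff = difflib.unified_diff(baseline.splitlines(), live.splitlines(),
                                lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def assess(change):
    """Rate one changed line against POLICY; only added risky lines carry severity."""
    text = change[1:].strip()
    for pattern, severity, reason in POLICY:
        if pattern in text:
            if change.startswith("+"):
                return severity, reason
            return "info", f"risky setting removed: {reason}"
    return "info", "change outside policy scope"


def detect_drift(cmdb, live_configs):
    """Compare every CMDB record with the live config and produce findings."""
    findings = []
    for device, record in cmdb.items():
        for change in config_changes(record["config"], live_configs.get(device, "")):
            severity, reason = assess(change)
            findings.append(Finding(device, record["segment"], change,
                                    change in record["approved_changes"],
                                    severity, reason))
    return findings


def triage(findings):
    """Rank by segment criticality first, then severity, unauthorized before authorized.
    This is why a 'high' on a business-critical router outranks a 'critical' in admin."""
    return sorted(findings,
                  key=lambda f: (SEGMENT_RANK[f.segment], SEVERITY_RANK[f.severity],
                                 not f.authorized),
                  reverse=True)


def report(findings):
    """One line per finding, in triage order, ready for a NOC/SOC queue or SIEM."""
    lines = []
    for f in triage(findings):
        status = "approved" if f.authorized else "UNAUTHORIZED"
        lines.append(f"{f.segment:17} {f.severity:8} {status:12} {f.device}: "
                     f"{f.change!r} ({f.reason})")
    return lines


if __name__ == "__main__":
    for line in report(detect_drift(CMDB, LIVE)):
        print(line)
```

Run as-is, the top of the queue is the unauthorized telnet enablement on the business-critical router, rated only ‘high’, ahead of the ‘critical’ but approved cleartext-password change on the administrative switch; the approved change is still reported because authorization does not make a change policy-compliant. In a production deployment the `CMDB` and `LIVE` dictionaries would be replaced by reads from the configuration repository and from the devices, and `report()` would feed a ticketing system or SIEM rather than stdout.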
Use automation for continuous monitoring of segmented network areas
Effectively managing constant change across the vast networks of DoD and CNI organizations is impossible without automation. But automation alone isn’t enough. What’s needed is a practical, proactive solution that can:
- Detect changes in real time
- Accurately assess their operational impact
- Prioritize risks based on business criticality
- Accelerate remediation and response
- Maintain accurate CMDBs and manage configuration as code
- Evidence compliance with internally or externally mandated resilience and security frameworks
These capabilities are essential for maintaining operational readiness in today’s complex threat landscape. Added to this, Nipper Resilience automatically leverages multiple risk management frameworks and industry-specific attack vectors in its reporting. It evaluates configuration compliance with trusted benchmarks such as the DoD’s Security Technical Implementation Guide (STIG) and automatically detects CISA Known Exploited Vulnerabilities (KEVs).
Designed for scale, the solution can assess networks of up to 250,000 devices daily, enabling teams to layer and contextualize their analysis.
And by integrating with a SIEM, security teams can visualize how their security posture may be vulnerable to specific attack vectors—such as lateral movement through misconfigured administrative shares—so they can prioritize remediation efforts accordingly.
Near real-time insights on business-critical segments help NOC and SOC teams determine how best to reduce exposure to KEVs and CORA key indicators of risk (KIORs). But to improve prioritization even further, Nipper Resilience uses trusted mappings—either from the National Institute of Standards and Technology (NIST) or from the STIGs up to MITRE ATT&CK—to correlate vulnerabilities with industry-specific adversarial tactics, techniques, and procedures (TTPs).
Supporting the shift to proactive vulnerability and exposure management
The combination of segmentation visibility and layered network risk analysis automation enables organizations to combine reactive threat management with proactive exposure mitigation.
This approach not only ensures operational readiness by preventing attacks but also minimizes attackers’ ability to achieve their goals by moving laterally, should they breach the perimeter.
However, to deliver real-world value, solutions must provide interoperability with existing systems.
That’s why Titania developed Nipper Resilience to function in the air-gapped networks relied on by DoD and CNI organizations while using REST APIs to integrate seamlessly with the trusted NOC and SOC tech stack, including Forescout and ServiceNow, as well as SIEMs like Splunk and Elastic.
This allows teams responsible for operating and securing critical networks to plug the gaps left by endpoint-focused solutions and get ahead of any network risk exposure that has the potential to disrupt operational readiness.
Learn more about how Titania helps organizations assure operational readiness and resilience across business-critical enterprise networks.