For years, security experts have been struggling to create proactive security products and proactive cyber defense strategies. If we had them, would we have been better prepared for all the major attack campaigns the industry has experienced of late – from the Target breach in 2013 to the Sony hack in 2014 to the recent IoT DDoS hacks and the DNC-related attacks?
What these “successful” attacks tell us is that we are more reactive than proactive. Sometimes we are quick enough to react in time, and companies that are frequent targets of cyberattacks seem satisfied with their ability to swiftly minimize the damage. But the question remains – does proactivity exist, or are we in search of an unattainable goal?
First, we should consider whether proactive defense strategies exist on real battlefields. If we examine battlefield defense strategies, “proactive strategies” are a rarity. Rather, we usually encounter strategies that quickly identify the “main effort” the attacker has chosen to achieve their goals, and then organize defense resources quickly enough to neutralize it. Of course, in the realm of cybersecurity everything is accelerated, and therefore all defense operations need to move faster. Defenders must collect relevant intel before the attack and, most importantly, during the attack – because hackers can change their methods pretty quickly – and then react by organizing security resources accordingly. Decisions need to be made swiftly, including sending the right “cyber troops” to the right positions at the right time.
Instead of counting on proactive systems to significantly improve our chances of winning cybersecurity confrontations, there are two main questions we should consider, the answers to which will determine our odds of winning the battle:
1. How nimble is our cybersecurity apparatus?
2. How quickly can we collaborate with others in order to deploy new defense strategies?
Having a nimble security apparatus means being at least as nimble as one’s attackers. It is a big challenge, despite the huge amounts of money that organizations with a strong focus on cybersecurity are spending on more and more security tools. The problem is that these tools are typically delivered in non-integrated silos, which creates a very cumbersome and slow security apparatus. In effect, you are creating an army of great divisions which do not wage their battles in coordination. Ironically, the abundance of security tools has thus slowed down response time instead of speeding it up.
Creating a nimble security infrastructure requires certain “ingredients,” starting with the security tools themselves. The tools need to be ready to cooperate with one another, meaning that their APIs should be open and “friendly” to both information exchange and “programmability” – they shouldn’t be locked into a few predefined security workflows, but should be able to be activated in various ways. Effective collaboration is another issue that needs to be redefined, because current collaboration methods deal only with sharing attack-side information such as vulnerabilities, intrusion patterns, techniques and procedures. These are all necessary, of course, but the time it takes to analyze this intelligence, form a defense strategy accordingly, and implement it is far too long, and by then it’s usually too late.
Collaboration strategies need to aim at sharing defense strategies and solutions which will enable faster response times both before and during attacks – and this of course requires a nimble security architecture, as they are dependent on one another.
Finally, as in real battle, we need a general. This entity needs a big-picture, bird’s-eye view of the battlefield in order to make swift decisions and coordinate security arsenals accordingly.
This “general,” together with a nimble security architecture and the ability to share solutions, can form that elusive goal – a “proactive security system.”
The cybersecurity industry has begun taking steps towards this end, including the development of new security analytics technologies and services, security orchestration systems, and threat intel platforms that can begin addressing some of these challenges, making our existing security systems more adaptive and nimble. But plenty of work remains.