Security Experts:

Transitioning to the Age of Adaptation

Evolve or adapt? For enterprises today confronted by increasingly intricate – and damaging – cyber threats, there may no longer be a viable choice: We must carefully phase out the evolutionary-rooted security tactics which organizations have depended upon for decades.

Such a move would pave the way for adaption.

First, allow me to define these two terms within the context of this kind of conversation: “Evolve” references the long-held, standard-operation procedure for companies, as they invest in cybersecurity point products that are framed upon one, specific universe of cyber threat. “Adapt” is about deploying solutions which are flexible enough to effectively respond to constantly-shifting conditions in a dynamic, agile manner – a functionality that point products cannot achieve on their own.

Many enterprises, however, still cling to “evolve” models. This is understandable. After all, for quite some time, it worked relatively fine, akin to pressing an “easy” button so you could forget about the hackers and move on with business.

Time to AdaptIn the old days, security vendors would scout for various viruses and then develop an assortment of intrusion detection/protection systems based upon the current, finite threat footprint. This was pretty much a “no harm/no foul” approach: Build firewalls and other remedies to keep the network fortress safeguarded against what was known. If there were multiple solution vendors with multiple templates, then you bought into as many as you felt you could afford in the interest of maximizing protection. Why not? Keep adding various cybersecurity ingredients into the fold and you could sleep at night, convinced that you probably have most threats covered. (But never all.)

Then a sticky situation got worse. Advances in software, open-source solutions, globalization of the Internet, and the cloud came along and changed everything. So the evolution stepped up its game, combining traditional and new products with managed services to create SIEMs which ushered in real-time threat surveillance/analysis. Unified threat management cobbled together pieces of the security-solution string to put a holistic face on enterprise protection. And VPNs/mobile device management addressed the rapidly shifting nature of the perimeter in light of globalization and BYOD-fueled mobile-mania. Today, next generation firewalls have helped internal IT security teams – drowning in an abundance of user apps introduced to the network – recognize and identify suspect apps, red-flag anomalies, isolate/remove malware and enforce business rules/policies.

Regardless of the progress – and there’s no denying the progress has been considerable, and admirable – we’ve reached a watershed era in which we can no longer afford to “evolve.” Threats are unbound, as adversaries devise new attacks more quickly than enterprises can identify and mitigate. Even a “next generation” firewall solution’s effective shelf life will last only until a new, previously unidentified threat is launched to circumvent that solution. Like an international jewel thief with multiple aliases and disguises, a hacker will change his cyber fingerprint – his intrusion methodology, ‘shadow’ network activity, etc. – as soon as next-generation solutions profile his last one. The 20th Century hacker has “grown up” into the modern-day version, from the multi-pierced kid in his parent’s basement acting solo to a methodical, sophisticated member of an syndicate or enemy state, driven to develop unfamiliar and, yes, clever techniques to gain trust – and entry.

The adversary acquires the awareness to do what he wants because he has greater familiarity with the enterprise target. This is due to a number of factors: Because he works as part of an organization now, the intrusion-technique intelligence of many has converged into one, and the whole is indeed more formidable than the sum of its parts. Also, as is the case with insurgents in the Middle East, the more they engage with us, the more potent their “next move” in aggression will be.

Which is why the time to “adapt” has arrived. Our adversaries move quickly. We must move with them, not two or three steps behind. Our solutions must be flexible enough to recognize and adjust to “changes in the opponent’s game plan,” as opposed to fixating on point solutions which are simply the point solutions of the moment. By the very historic, Darwinesque context of the word, “evolution” speaks to a reactive cycle. In contrast, adaption requires a proactive posture.

This would better equip today’s enterprises to match the speed of adversaries. How so? Because the leveraging of existing capabilities with incoming, new information about all things both inside and outside the perimeter would create a higher form of context-based threat intelligence, cultivating an environment for augmented decision-making. It would take into account the totality of the entire ecosystem – including the third-party presence of partners, vendors, etc. – and correlate them with enterprise incident issues. Security operations centers would take the entire Internet infrastructure/topology into account, with new patterns, identifiers and other threat “tells” updated in real-time, 24/7/365. Thus, companies would position themselves to filter out the noise and zero in on the real threats.

Much of this would involve open interfaces, so cybersecurity professionals can exchange information about threat intelligence, policy enhancements and data enrichment. This can be accomplished without compromising proprietary interests. If history has taught us anything, it’s that demand for “a better way” will inspire proponents to sufficiently address what amounts to relatively small, “process-clearing” bumps along the road.

Adaption isn’t “all about tech” either; the human part of the adversary equation must be accounted for, to drill down into the very nature of people who view an act of network intrusion as part-business opportunity and part-sport.

And therein lies the key to the evolve/adapt question: the “gaming” nature of our adversaries. In sports, the most successful teams don’t win with an “evolve” mentality, i.e. waiting to see what an opponent will do on the field before responding. In contrast, they execute with the “adapt” philosophy – to immerse themselves into the entire context of the opponents’ history of strategies, behaviors, patterns, etc., and then remaining flexible enough to revise pre-set plans on the field, based upon new wrinkles that the opponent introduces.

Of course, the preservation of our enterprise operations/informational assets is no game, even if hackers attempt to turn it into one. The stakes are high. The risk is immense. To survive, organizations must advance cyber-protection capabilities – by adapting.

view counter
Chris Coleman is President at Lookingglass Cyber Solutions. He brings over 20 years of experience in information security and technology. Prior to Lookingglass, Coleman served as the Director of Cyber Security at Cisco, where he focused on identifying solutions to critical customer challenges for civilian, defense and intelligence organizations. Previously, Coleman served in key management roles with Integrated Data Systems and ManTech. Coleman also managed the NetWitness product development team. He studied Electrical Engineering at the New York Institute of Technology – Old Westbury.