The Industrial Revolution changed the world forever, creating faster, better, and more efficient sectors of the economy. Drawing on parallels to this important period of history, much has been written about the “Industrialization of Hacking” which has created a faster, more effective, and more efficient sector aimed at profiting from attacks to our IT infrastructure. Fueled by the convergence of mechanized and process-driven methods, economic and political incentives, weak links in the security chain, and new vulnerabilities in evolving business models, hackers are executing more sophisticated and damaging attacks. This era is profoundly changing how we must protect our systems, driving us to think about how to evolve our approach to cybersecurity.
Hacking has evolved over time and protection will evolve over time as well. It requires moving across a scale of controls that include static, human intervention, semi-automatic, dynamic, and predictive, as outlined below:
• Static – An environment in which critical controls exist but the visibility and intelligence needed to update them do not. Many traditional, point-in-time security technologies work this way with defenders needing to wait for vendors to update protections. This approach worked fairly well when basic PC viruses were the primary method of attack. But today, in and of themselves, they don’t provide defenders with what they need to properly assess their security posture and make adjustments in real time. In some deployments, however, these process-laden controls are intended to be static to meet regulatory compliance mandates. And while they do provide a baseline of protection, they still lack the agility to protect and scale in a constantly changing environment.
• Human intervention – Visibility and intelligence is available, but defenders still need to manually change controls. Labor-intensive intervention isn’t sustainable given the pace and complexity of attacks and the cybersecurity skills shortage. Although static controls are the reality of most organizations today, more Security Operations Centers (SOC) are being built to compensate for the lack of flexibility and agility of these controls and a dearth of trained internal staff. Reliance on human intervention to make security adjustments is no match for modern threats that use new methods that make it easier, faster, and cheaper to launch attacks, penetrate the network, and change rapidly as they progress through the enterprise.
• Semi-automatic – Defenders have visibility and intelligence and, in select cases, they trust it enough to allow certain systems to automatically apply some controls. However, for the most sensitive data – given that not all data protection is created equal – they will allow the system to automate and generate recommendations but still require a human to review and press the button to apply. But that highly-sensitive data is precisely the type of data that well-funded and fast-moving attackers target. Unfortunately, practitioners lack confidence that they have the right intelligence to make decisions. They tend to revert back to human intervention, leaving open a window of opportunity for attackers. In semi-automatic environments protection begins to evolve, but it is not sufficiently standardized, mechanized, and process-driven to be as effective as required.
• Dynamic – Defenders use visibility and intelligence to rapidly adapt security policies and enforcement in real time based on what is seen and learned to reduce the surface area of attack or remediate compromise. Dynamic controls are about high degrees of automation, where security systems automatically respond to threats. Automation was at the heart of the Industrial Revolution and it is at the heart of the Protection Revolution. It is the only way to combat modern attacks that circumvent protection using methods such as port/protocol hopping, encrypted tunneling, droppers, and blended threats and techniques incorporating social engineering and zero-day attacks. These attacks change rapidly as they progress through the enterprise seeking a persistent foothold and exfiltrating critical data. With dynamic controls, security practitioners increase degrees of automation based on ‘adaptive trust’ or increased confidence in devices, users, and applications over time. And they can deploy the right technologies as needed, for ultimate flexibility. Dynamic controls already exist and are required to meet the new security pressures of mobility, cloud, and the Internet of Things (IoT) and Everything (IoE).
• Predictive – Predictive doesn’t necessarily mean seeing an attack before it happens, but leveraging machine learning and advanced analytics to learn and improve intelligence continuously, leading to the prioritization of controls, protection, and remediation. As I discussed in my last article, the foundations of predictive technologies exist but are in their early days. Over time they will continue to evolve and improve, unleashing the full power of a new era in protection.
Advancing our security controls isn’t going to happen overnight. But we are well on our way with technology and capabilities that are already headed in this direction, implementing dynamic controls to see more, learn more, and adapt quickly. How we move, the rate at which we move, and where we end up along the scale will vary based on our existing models and infrastructure, industry requirements, available resources, and experiences. But one thing is certain. We are all better served by a new era that revolutionizes how we protect ourselves from cyber attacks.