CyberJAGO Thoughts & Opinions


Sharing a Pragmatic View of Cybersecurity

From Defense to Offense: a new tactical approach

“Defense in depth” is a philosophy that many of us live by, but the time has come for a shift in mindset.

Instead of always layering on more and more defenses, I’d like to propose that we go on the offense instead, because we’re obviously not winning the battle. We need to change the strategy and the tactics we use, and adopt what my good friend Tony Zirnoon calls “defeat by design.”

That means emulating our adversaries’ bad behavior in a very controlled manner, because that’s what will give us the opportunity to really test how secure we are. By using malware that’s published in the dark web, we can actually test end-to-end how good our defenses and responses are. In so doing, we’d be pre-empting attacks by discovering whether we’re prepared for them, and whether the plans we have in place are effective.

Right now, what we basically do is take the word of vendors who say they have the best thing in the world, but we very rarely actually test those tools we buy. We take their word and implement the tools, and create a sense of security because we’ve bought into something the market has accepted as good.

But the fact is, we still have a lot of incidents, some of them potentially catastrophic for business. Actors have become more and more sophisticated in the way they breach our defenses, and Artificial Intelligence (AI) will make this exponentially more painful. They’ve also developed a lot of patience and can be in networks for months before they’re discovered.

Obviously new technologies coming in will address some of our vulnerabilities. Passwordless approaches, for instance, not only eliminate passwords, but tie proof of identity to the actual device. These are things we need to start looking at more aggressively because we’re seeing that the softest spot is still users.

But we really need to move away from that state of complacency where we think installing software automatically makes us secure. Vulnerability management and penetration testing are still essential, but we need to validate how secure we really are, and the best way to do that is to pretend to be the enemy, emulating attacks and breaches.

Having proof of your organization’s true security posture changes the tone when you’re asking for funding to fortify your systems. You’ve got data, factual information, and data is your best friend. You can make a far more compelling case to senior executives and the board if you have a good starting point for really knowing how secure your defenses are, and what the financial impact of a breach would be.

Bigger organizations obviously have greater capacity to go on the offensive. For smaller businesses, it’s going to be up to managed service providers to adopt this approach. Service providers that are smart will pivot because that will encourage customer loyalty.

Why aren’t more CISOs willing to emulate bad guys in an exercise? I think it’s a combination of teams and budgets being stretched too thin; complacency; and hesitation because the drill can go awry.

But the bad guys aren’t going on vacation, and the fight we’re currently putting up isn’t good enough. We’ve got to change tack.