Over the course of history, the distribution of power has fluctuated between the attacker and defender, with technology often serving to shift the balance between the two. In the past, a well-defended and provisioned castle was essentially impenetrable, with advantage granted to the defender. Once gunpowder, cannons and other weapons came into play, however, the balance shifted in favor of the attacker. We see similar scenarios play out throughout history. Barbed wire and machine guns made it almost impossible for soldiers in World War I to break through the trenches, but 20 years later the internal combustion engine made those trenches totally obsolete, and once again the advantage shifted from defender to attacker.
In today’s world of cyberwarfare, the balance of power tends to favor the attacker for a variety of reasons. First, malware has become ubiquitous, so much so that the masses now have access to powerful attack tools and can easily compromise users with phishing campaigns and other strategies. Perhaps even more disconcerting, zero-day vulnerabilities are easily accessible, and command and control infrastructure can be purchased at a moment’s notice. Finally, cybercriminals can assemble large-scale botnets from compromised internet-of-things (IoT) devices and launch distributed denial of service (DDoS) attacks of unparalleled scale and sophistication.
At the same time, the speed (and volume) at which data crosses the enterprise and external systems continues to accelerate, making it difficult for defenders to keep attacks at bay. On today’s 100 Gb/s networks, the time from the start of one packet on the wire to the start of the next packet can be as little as 6.7 ns -- that is 6.7 billionths of a second. Put simply, this makes it nearly impossible to do any intelligent or meaningful analysis of data flying by in real time. As you might imagine, this makes it increasingly difficult to prevent malware from penetrating core business-critical systems.
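To show where a figure like 6.7 ns comes from, and what it leaves a defender to work with, here is a short added example (not from the original article). It assumes the standard Ethernet wire overhead for back-to-back minimum-sized frames: a 64-byte frame plus an 8-byte preamble and a 12-byte inter-frame gap, 84 bytes on the wire in total, and generalizes the calculation to other link rates and frame sizes.

```python
# Added example: minimum packet interval and per-packet analysis budget at line rate.
# Assumes standard Ethernet framing overhead (not stated in the article):
#   64-byte minimum frame + 8-byte preamble/SFD + 12-byte inter-frame gap.
MIN_FRAME_BYTES = 64
PREAMBLE_BYTES = 8
IFG_BYTES = 12


def min_packet_interval_ns(link_bits_per_s: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Time in nanoseconds from the start of one packet to the start of the next
    when frames of the given size arrive back to back at the given link rate."""
    wire_bits = (frame_bytes + PREAMBLE_BYTES + IFG_BYTES) * 8
    return wire_bits / link_bits_per_s * 1e9


def max_packets_per_second(link_bits_per_s: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Worst-case packet rate a sensor on this link must keep up with."""
    return 1e9 / min_packet_interval_ns(link_bits_per_s, frame_bytes)


def cycles_per_packet(link_bits_per_s: float, cpu_hz: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """CPU cycles a single core has to spend on each packet if it must keep up
    with line rate on its own. This is the real-time analysis budget."""
    return cpu_hz * min_packet_interval_ns(link_bits_per_s, frame_bytes) / 1e9


if __name__ == "__main__":
    # Constructed comparison across common link rates, assuming a 3 GHz core.
    for label, rate in (("1 Gb/s", 1e9), ("10 Gb/s", 10e9), ("100 Gb/s", 100e9)):
        print(
            f"{label:>9}: {min_packet_interval_ns(rate):7.2f} ns between packets, "
            f"{max_packets_per_second(rate):,.0f} pps, "
            f"{cycles_per_packet(rate, 3e9):6.1f} cycles/packet on one 3 GHz core"
        )
```

The 100 Gb/s row reproduces the article's 6.7 ns figure and makes the practical point explicit: roughly twenty cycles per packet on one core is not enough for deep inspection, which is why line-rate defense leans on hardware offload, flow-level sampling, and out-of-band baselining rather than full per-packet analysis inline.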
The opportunity exists today to reverse the current cyberattacker advantage, but it requires us to rethink our existing security framework. Traditional security models focus on keeping threats out. Similar to the way a Band-Aid protects a cut but doesn’t defend against airborne, waterborne or other communicable diseases, this approach falls short when it comes to protecting an organization’s entire network infrastructure and data crown jewels.
Alternatively, consider if we flip the model and focus on the inside. In this new model, security acts like the human immune system, providing full coverage of the body from the inside out. The human immune system can learn about threats and adapt accordingly, responding rapidly to combat the threats from within and provide comprehensive and complete coverage against massive numbers of diseases and strains of bacteria and viruses. A similar model should be undertaken within cybersecurity so that organizations can achieve complete coverage to detect malware and emerging persistent threats within the organization. Security tools should be able to learn and adapt to polymorphic threat variants and act quickly to mitigate risk.
In a recent blog post, I presented four central pillars -- good hygiene, detection, prediction and action -- that are at the core of this new security immune system, with pervasive visibility as a critical foundational layer. Strong cyber hygiene -- in the form of network segmentation, identity and access management, and perimeter protection -- forces attackers to take unnatural, and therefore more noticeable, steps even if they manage to break through an organization’s defenses. From there, a baseline of normal behavior must be developed so anomalies can be detected. At that point, machine learning and artificial intelligence technologies can be employed to uncover threat patterns and predict intent, and action can be taken to neutralize or detonate a threat. Pervasive visibility forms the foundation of this framework, acting like the human circulatory system to provide full coverage throughout the organization.
To reverse the asymmetry between the cyberattacker and defender and shift the advantage back to the defender, we need to adjust our mindset and approach to security. It’s time to learn from the human immune system and implement an approach to security that provides comprehensive protection across the entire network infrastructure.