Cyber Defense in an Imperfect World, a New Approach
Professor of Computer Science and Director, International Cyber Center at George Mason University
Vice President for Government Relations & Marketing for Sutherland Global Services
Cybersecurity has become a persistent topic in the nation’s boardrooms and C-suites, and it’s a complex problem that is often oversimplified and misunderstood.
The cyber threat landscape is multidimensional and subject to evolving threats by a variety of actors and sophisticated hacking tools. There are many technologies and protocols to help mitigate cyber threats, but there is really no panacea. A comprehensive strategy of risk management is still the best cyber defense.
Most current cyber defense strategies incorporate a five-stage cycle of risk management components:
- Identify the most critical assets
- Protect by controlling access
- Detect any intrusions
- Respond to contain the intrusion
- Recover by restoring to normal operation
This framework is solid but poses challenges; thinking outside the box might yield a good sixth component for the risk management matrix.
The first two components of the risk cycle are self-evident. Identifying the assets and controlling access to them are essential to building any secure cyber defense. The third component, detection of an intrusion, is critical and often the most difficult step; in practice, detection produces both misses and false positives. Excessive false positive alerts are a major part of the problem. With limited manpower, security teams can only focus on the alerts that look most important, so nuisance alerts from false positives crowd out the real intrusions, which go undetected.
While perfect detection would ensure zero losses, detection failures lead to huge losses. It can be argued that overreliance on detection is unwise. In addition, the detection approach is only fighting yesterday’s war.
Detection works best when the system vulnerabilities are understood and the attack methodology is well known. With millions of software developers focused on delivering features and performance, security takes a back seat and vulnerabilities often creep into software systems.
More than 70,000 vulnerabilities have been found in commercially available software, making it extremely difficult to ensure that all systems are up to date. Even once the vendor has constructed a patch, the enterprise has to test it before it is applied, which can take several weeks or months. Meanwhile, attackers are agile and constantly searching. Once potential attackers become aware of a vulnerability, an exploit is typically available within days. McAfee reports that it detects more than 100,000 new malware samples every day.
A New Approach: Employ a Proactive Defense to Limit Attack Window
Thinking outside the box suggests that we have to explore new ways to protect our computing systems. Maybe it is time to accept that some failure may be inevitable and criminals will get in. If criminals are likely to breach the systems, perhaps a new solution is building an extra layer of defense that shifts the target by reducing the duration of the failure, thus reducing the amount of data lost. One approach would be to add a proactive defense layer to the overall cyber defense. This proactive layer would not depend on knowledge of the vulnerabilities or the attacker. If you are willing to accept the possibility of failure, the goal is no longer to eliminate the vulnerabilities, but to make it extremely difficult for the attacker to exploit them. We do this by asking, “How long will it take for the attacker to succeed?”
In widely reported breaches, the intruders installed malware and stayed inside the system for months. In the majority of cases, the initial analysis underestimated the level of damage. It is reasonable to conclude that the longer the compromise lasts, the more time the attacker has to explore the digital footprint of the enterprise and to extract data.
In the proactive approach, the focus would be on moving and changing the exposed systems so that the attacker would not be able to stay in the system long enough to cause damage. The proactive approach is different from the current five-stage method mentioned earlier in one major aspect: It entails using time as an important part of a cyber defense strategy. While the current approach focuses on preventing the criminals from getting in, a proactive approach recognizes that this is an almost impossible problem and failure will likely occur.
Including a strategy that reduces the time that criminals can stay in the system and limiting the exfiltration of data could provide another layer of security. Perhaps it is a good time to think in terms of a roadblock that “moves” the target and keeps attackers hunting. The hope is that attackers will leave, frustrated in their attempts to locate a moving target. Should they decide to stay, the longer they hunt, the more vulnerable they become to detection. It is another component and approach to consider for cyber defense in an imperfect world.
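As an added illustration of the time-based argument above (example code, not part of the original article), the following Python model puts numbers on attacker dwell time: detection fires with some probability p per hour, and an assumed "refresh" of exposed hosts every T hours (rebuild and re-credential, a mechanism the article does not name) ends a foothold whether or not it was detected. The detection rates, refresh cycles and exfiltration rate are constructed assumptions.

```python
"""Dwell-time model for a time-bounded (moving target) defense layer.
Constructed illustration: an intruder on an exposed host is removed either
when detection fires (probability p per hour, memoryless) or when the host
is refreshed, i.e. rebuilt and re-credentialed on a fixed cycle of T hours.
The refresh mechanism and all rates below are assumptions, not the article's.
"""
import math


def expected_dwell_hours(p_detect, refresh_hours=None):
    """Expected hours the intruder stays before detection or refresh.

    D (hours to detection) is geometric with P(D > k) = (1 - p)^k, so
    E[D] = 1/p when there is no refresh. With refresh every T hours the
    foothold lands uniformly in the cycle, leaving n = 1..T hours until
    the next refresh; dwell = min(D, n) has mean sum_{k<n} (1-p)^k.
    """
    if not 0.0 <= p_detect <= 1.0:
        raise ValueError("p_detect must be a probability")
    if refresh_hours is None:
        return math.inf if p_detect == 0.0 else 1.0 / p_detect
    if refresh_hours < 1:
        raise ValueError("refresh_hours must be >= 1")
    total = 0.0
    for n in range(1, refresh_hours + 1):
        total += sum((1.0 - p_detect) ** k for k in range(n))
    return total / refresh_hours


def expected_exfil_gb(p_detect, refresh_hours, gb_per_hour):
    """Expected data lost, assuming a constant exfiltration rate while inside."""
    return gb_per_hour * expected_dwell_hours(p_detect, refresh_hours)


def detection_probability_by(hours, p_detect):
    """Chance the intruder has been caught after `hours` of hunting."""
    return 1.0 - (1.0 - p_detect) ** hours


if __name__ == "__main__":
    p = 1.0 / (24 * 60)        # constructed: detection averages about 60 days
    rate = 0.5                 # constructed: 0.5 GB exfiltrated per hour
    print(f"{'refresh cycle':>14} {'E[dwell] h':>11} {'E[exfil] GB':>12}")
    for cycle in (None, 24 * 7, 24, 4):
        label = "never" if cycle is None else f"every {cycle} h"
        print(f"{label:>14} {expected_dwell_hours(p, cycle):11.1f} "
              f"{expected_exfil_gb(p, cycle, rate):12.1f}")
    for h in (24, 24 * 7, 24 * 30):
        print(f"P(detected within {h:4d} h) = {detection_probability_by(h, p):.2f}")
```

With a slow detector the refresh cycle, not the detector, bounds expected dwell (about (T + 1) / 2 hours), which is the article's point that time itself becomes a defensive control.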