The Cybersecurity Paradigm Shift
An often-heard concern from customers is that they have to manage too many security point solutions; depending on the source, somewhere between 40 and 80 tools. Customers are looking for better integration, i.e. platforms instead of tools, with the expected outcome of needing fewer people to manage them and reducing the risk of things falling through the cracks because one point solution does not integrate with another. Ironically, some platform approaches have the opposite effect: in their drive to become a single pane of glass they end up a mile wide but an inch deep. They are better suited to checking boxes in a request for proposal (RFP) than to holding up in real-world production environments.
But the question remains: how did we end up with this myriad of cybersecurity solutions?
We have had to deal with information security for almost as long as we have had computing. The idea of a computer virus was first proposed by Hungarian-American mathematician and physicist John von Neumann* in the late 1940s. From a practical perspective, the Creeper program, created in 1971 by Bob Thomas of BBN, is often regarded as the first virus. Creeper was actually designed as a security test to see whether a self-replicating program was possible. The road to ruin is often paved with good intentions. Fast forward to 1989, when we saw the first documented ransomware virus, the AIDS Trojan, so called because its creator, biologist Joseph Popp, handed it out on infected floppy disks to attendees of the World Health Organization’s AIDS conference.
We then introduced networked computing more broadly, and even connected our systems to a public network called the Internet, leading to a massive rise in cyber activity. Initially, even things we take for granted today, like firewalls, did not exist. Only when bad actors started to take advantage of the gaps in our systems did we think about shoring up our security, and we took a very reactive approach to doing so. The paradigm at the time was: there is a problem, create a fix! With firewalls, for example, the problem was that there was no gate, so people could enter without permission. Build a gate, solve the problem.
Over time, we built many gates. Every time a problem showed up, we thought of a solution. Realistically, defending an organization against cyber attacks today means plugging a lot of holes, trying to thwart the bad actors at every turn. This has left us overwhelmed with different solutions to different problems, and the race between defenders and attackers is not letting up anytime soon.
In 2011, Lockheed Martin** called out some major changes in the field of cybersecurity, kicking off a shift in how we defend our environments. It brought front and center that we were no longer dealing only with lone-wolf amateur hackers, but were also under attack by professionally organized groups and even nation states, commonly referred to as APTs, or Advanced Persistent Threats. What the Lockheed Martin paper sought to make clear was that we needed a mental shift from a reactive to a proactive approach: instead of worrying about the cleanup after a breach, we needed to recognize the potential impact of these threats at a much earlier stage.
Lockheed Martin proposed a framework called the “Cyber Kill Chain” for identifying and preventing cyber intrusion activity. The seven-step model identifies what adversaries must complete to achieve their objective, allowing us as defenders to understand an adversary’s tactics, techniques and procedures. Other frameworks exist, like the MITRE ATT&CK framework****. The Cyber Kill Chain focuses on the stages of an attack from the attacker’s perspective; it provides a high-level view that lets defenders understand the attacker’s process and potentially interrupt the chain at any stage. The ATT&CK framework, on the other hand, focuses on the techniques attackers use. Either way, these frameworks bring out the sophistication and complexity of cybersecurity. They are often used to map the capabilities of security solutions and assess their relevance for the organization, which again raises the question of which of our many tools provides what, where they overlap, and whether some can be consolidated.
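The tool-overlap question at the end of the paragraph above is the kind of thing a framework mapping makes concrete. Below is an added example, not code from the article, that records which ATT&CK tactics each tool in a (constructed) inventory claims to cover and then reports coverage gaps, pairwise overlap, tools that add nothing beyond what the others already claim, and tactics that depend on a single tool. The tool names and their claimed coverage are invented for the example; a real assessment would work at the technique level and record the quality of coverage, not just its presence.

```python
"""Tactic-level coverage map of a security tool inventory against the ATT&CK
tactics: where the tools overlap, where nothing covers, and which tools add
no coverage beyond what the others already claim.

Added illustration, not from the article. The tools and the tactics each
claims are constructed for this example; a real assessment would map at
the technique level and record quality of coverage, not just presence.
"""
from itertools import combinations

# ATT&CK Enterprise tactics, in matrix order.
ATTACK_TACTICS = (
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
)

# Constructed inventory: tool -> tactics it claims to detect or prevent.
TOOL_COVERAGE = {
    "EDR": {"Execution", "Persistence", "Privilege Escalation",
            "Defense Evasion", "Credential Access", "Discovery",
            "Lateral Movement"},
    "NGFW": {"Initial Access", "Command and Control", "Exfiltration"},
    "Email gateway": {"Initial Access"},
    "Legacy AV": {"Execution", "Persistence"},
    "Backup/recovery": {"Impact"},
}


def coverage_gaps(tools, tactics=ATTACK_TACTICS):
    """Tactics that no tool in the inventory claims to cover, in matrix order."""
    covered = set().union(*tools.values()) if tools else set()
    return [t for t in tactics if t not in covered]


def pairwise_overlap(tools):
    """(tool_a, tool_b, shared tactics) for every pair with any overlap,
    largest overlap first."""
    rows = []
    for a, b in combinations(sorted(tools), 2):
        shared = tools[a] & tools[b]
        if shared:
            rows.append((a, b, sorted(shared)))
    return sorted(rows, key=lambda r: len(r[2]), reverse=True)


def consolidation_candidates(tools):
    """Tools whose every claimed tactic is also claimed by some other tool.

    Each candidate is judged on its own: dropping one of them leaves the
    tactic-level coverage unchanged, but dropping several at once can
    reopen a tactic they only covered between themselves."""
    cands = []
    for name, tactics in tools.items():
        others = set().union(*(v for k, v in tools.items() if k != name))
        if tactics <= others:
            cands.append(name)
    return sorted(cands)


def single_points_of_coverage(tools):
    """Tactic -> the one tool covering it, for tactics covered by exactly one
    tool; losing that tool (or its licence) loses the tactic."""
    result = {}
    for tactic in ATTACK_TACTICS:
        owners = [name for name, tactics in tools.items() if tactic in tactics]
        if len(owners) == 1:
            result[tactic] = owners[0]
    return result


if __name__ == "__main__":
    print("Gaps:", coverage_gaps(TOOL_COVERAGE))
    for a, b, shared in pairwise_overlap(TOOL_COVERAGE):
        print(f"Overlap {a} / {b}: {shared}")
    print("Consolidation candidates:", consolidation_candidates(TOOL_COVERAGE))
    print("Single points of coverage:", single_points_of_coverage(TOOL_COVERAGE))
```

On the constructed inventory this flags Reconnaissance, Resource Development and Collection as uncovered, shows the legacy AV fully overlapped by the EDR, and shows that Impact coverage rests on the backup tool alone; that last list is the one to read alongside the consolidation candidates, since a tool that is cheap to drop on paper may also be the only thing standing behind a tactic.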
The reality is that some of these attacks, especially those perpetrated by APT actors, expose things we cannot easily fix. If attackers exploit unknown vulnerabilities, i.e. zero-days like those described in Nicole Perlroth’s excellent book***, a breach might not be avoidable, or for that matter easily mitigated, if no vendor fix is readily available. This has led us to an “assume breach” paradigm, acknowledging that a breach has either already occurred within our organization or that it is only a matter of time until it does, and shifting from prevention strategies and technologies to cyber resiliency strategies and solutions. Look, for example, at the myriad of regulations now upon us with a clear resiliency lens: the EU Cyber Resilience Act, the Digital Operational Resilience Act (DORA), and the NIS2 Directive, to name a few.
To make things even more complicated, our environment is dynamic and keeps changing. It is often said that in the world of ICT, change is the only constant. Consider the use of generative AI/LLMs, for example, and the new, often unknown-unknown security implications***** they entail.
So how do you operate in this complex environment? I would argue you look after your basic security hygiene really well, for example patching and updating systems. How quickly can you patch all your externally facing systems when a zero-day patch is released, and if that timeframe is significant, do you accept that risk? Other basics, said to protect against the majority of attacks today, are enabling multi-factor authentication (MFA), applying zero trust and least privilege principles, implementing a modern anti-malware system and, most important of all, protecting your data. Your attack surface will change constantly. The vulnerability of your data to destruction or exfiltration is the frame of reference you could and should use to create your security paradigm.
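The patch-window question above ("how quickly can you patch, and if not quickly, do you accept the risk?") only has an answer if it is measured. The following is an added example, not code from the article, that takes a (constructed) asset inventory with a per-exposure-class patch SLA and, for one zero-day fix, works out how long each system stayed or still stays unpatched, classifies each as patched in time, patched late, still open within the window, or open and overdue, and lists the overdue open items that now need an explicit risk-acceptance or escalation decision. The asset names, dates and SLA figures are all invented for the example.

```python
"""Exposure-window check for a zero-day patch across an asset inventory:
how long each system stayed (or still stays) unpatched after the vendor fix
appeared, measured against a per-exposure-class SLA, and which open items
now need an explicit risk-acceptance decision.

Added illustration, not from the article. The asset list, dates and SLA
figures are all constructed; replace them with the organization's own
inventory and the windows it actually commits to.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed SLA: max days from fix availability to patch, by exposure class.
PATCH_SLA_DAYS = {"internet_facing": 3, "internal": 14}

# Constructed zero-day timeline.
FIX_RELEASED = date(2024, 3, 1)
TODAY = date(2024, 3, 10)


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    patched_on: Optional[date]  # None: still unpatched


# Constructed inventory.
SAMPLE_ASSETS = [
    Asset("vpn-gw-01", True, date(2024, 3, 2)),
    Asset("web-01", True, date(2024, 3, 6)),
    Asset("mail-edge", True, None),
    Asset("hr-db", False, None),
    Asset("file-srv", False, date(2024, 3, 8)),
]


@dataclass(frozen=True)
class Finding:
    asset: str
    exposure_class: str
    exposure_days: int  # fix release -> patch date, or -> today if still open
    sla_days: int
    status: str  # patched_in_sla | patched_late | open_in_window | open_overdue


def assess(assets, fix_released=FIX_RELEASED, today=TODAY):
    """One Finding per asset, comparing its exposure window with its SLA."""
    findings = []
    for a in assets:
        cls = "internet_facing" if a.internet_facing else "internal"
        sla = PATCH_SLA_DAYS[cls]
        end = a.patched_on if a.patched_on is not None else today
        days = (end - fix_released).days
        if a.patched_on is not None:
            status = "patched_in_sla" if days <= sla else "patched_late"
        else:
            status = "open_in_window" if days <= sla else "open_overdue"
        findings.append(Finding(a.name, cls, days, sla, status))
    return findings


def summarize(findings):
    """Per exposure class: counts per status plus the assets whose open,
    overdue state needs a decision (accept the risk, or escalate the patch)."""
    out = {}
    for f in findings:
        d = out.setdefault(f.exposure_class, {"counts": {}, "needs_decision": []})
        d["counts"][f.status] = d["counts"].get(f.status, 0) + 1
        if f.status == "open_overdue":
            d["needs_decision"].append(f.asset)
    return out


if __name__ == "__main__":
    fs = assess(SAMPLE_ASSETS)
    for f in fs:
        print(f"{f.asset:12} {f.exposure_class:16} {f.exposure_days:2d}d "
              f"(SLA {f.sla_days}d) {f.status}")
    print(summarize(fs))
```

The distinction between "patched late" and "open and overdue" matters for the risk-acceptance question in the text: the first is a compliance metric to trend over time, the second is a decision that someone has to own today, which is why the summary returns those assets by name rather than as a count.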
More broadly speaking, figure out who in your organization owns security, and how to drive awareness of security as widely as possible. Do you have visibility over your entire IT estate, including data spread across multiple cloud and SaaS environments? If you do have this visibility, do you also know who has access to what data, and how you rank the importance of that data (again, think risk acceptance)? And finally, how many layers does your security onion have?
Building a cyber resilient organization means combining cyber posture and cyber recovery capabilities.
* If you want to know more about John von Neumann I highly recommend the book “The Man from the Future: The Visionary Ideas of John von Neumann”: https://www.goodreads.com/en/book/show/61089520?
** Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains: https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
*** This Is How They Tell Me the World Ends: The Cyberweapons Arms Race: https://www.goodreads.com/en/book/show/49247043?
**** MITRE ATT&CK®: https://attack.mitre.org/
***** Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training: https://arxiv.org/abs/2401.05566
Hey there! Cybersecurity is super important, and navigating through it can be tricky. We totally get that! At ManyMangoes, we've found some awesome sales pros from CloudTask to help us stay on top of things. They have this cool marketplace where you can check out vetted sales experts with videos before making a choice. Might be just what you need to move forward in this cyber world. Give it a peek: https://cloudtask.grsm.io/top-sales-talent
B.Tech Graduate in Computer Science | Aspiring Data Scientist | AI & ML Enthusiast | Kalinga University
1 year [email protected]
Field CTO EMEA & APJ Rx at Rubrik
1 year PSA: Do not subscribe to the newsletter, I have no intention of building one, this is LinkedIn being annoying and reusing an old template by default. Just check out the article, I hope you find it interesting.