Stop playing catch-up
11 April, 2018
Koen Maris, CTO Cybersecurity at Atos, has two rather surprising messages for CIOs and security officers among us. One: we’ve been doing it all wrong. Two: we should focus on the good, not on the bad. Confused? Here’s why.
Since the very early days of cybersecurity, we have been applying the same security model. The model is based on what we know about the cyberthreats, often referred to as ‘the known bad’. Based on the threats that we have discovered, we provide a defense mechanism that will prevent this threat from striking again. This method was ok at the time it was first developed, because the ‘cybercriminals’ at that time were hardly more than a bunch of spotted youngsters, who asked nothing more than for their malware to hit as many screens as possible. But nowadays, the adversaries are full-time professionals, with a lot more harmful intentions.
The old method of detecting and preventing has therefore become obsolete. Not only because the malware may cause a lot more harm than we would care for before it is actually detected. Also, malware is hitting our systems at an unprecedented speed and in a limitless amount of varieties, making it impossible to keep up with the bad guys. In other words: we’re allowing millions of bad guys to hurt innocent victims before we take action against them, while they are already preparing a new type of threat. It’s like sitting in your house, observing burglars as they steal your household, to find out how they do it, and to make sure they can’t enter like that again. But meanwhile they have found another way of getting inside, which you need to observe again before you can prevent it from happening next time. And so on, and so on. That doesn’t sound very good, does it?
Focus on the ‘known good’ to discover the ‘unknown bad’
But is there an alternative? Fortunately there is. And this solution requires us to radically change our reasoning. Instead of focusing on the ‘known bad’, we should be focusing on the known good’ in order to identify an ‘unknown bad’ when it pops up. When you have established what normal behavior is on your network traffic – remote users logging in, usually at the same time, with the same frequency and from the same location – we can establish a baseline of normal or ‘good’ behavior. Any deviation from this baseline can be considered as suspicious, and worth investigating before we allow it any room to cause harm.
This does imply that we should get rid of the silly notion that we may never get hit. We should start from the assumption that we will get hit, and the remaining questions are ‘when, where and how’. Caution: the ‘known good’ model should be sufficiently modular. It will be different for each organization, and even within an organization: the accounting department probably has different working habits than the IT department. No easy task, as it requires investment in time, staff and financially.
Should we get rid of the ‘known bad’ then?
No, this new proactive approach does not replace the traditional approach of identifying threats and preventing them from attacking again. Both are complementary and together, when combined with machine learning and artificial intelligence, they may provide a tighter security mechanism than what we’ve had so far. We will never make the cyberspace completely malware-free. but we can seriously mitigate the risk of any malware causing harm to our infrastructure. And, as we will learn from my next blog, cybersecurity has become a risk containment effort rather than a risk elimination game. Malware is not a game anymore, played by innocent teenage nerds, but serious business. And that’s how we should treat cybersecurity as well.