It is a confounding reality that the business objectives of IT since the dawn of bytes—to make systems accessible, interoperable, ubiquitous and, thereby, valuable—have led us to a place where we now must spend hundreds of billions every year on cybersecurity just to try to ensure IT remains an asset and doesn’t transform into a liability.
Meanwhile, the profits from criminal enterprises have made cybercrime possibly the fastest growing industry in history. Just have a look at the total value of ransomware proceeds over the last five years, and projections over the next five: from US$350 million five years back to US$50 billion in five years (there are ranges, some much higher, but sources generally have similar projections).
Historically, security has been retrofitted onto our systems after the fact, rather than being built into their design. That can’t readily change. But what’s maybe most surprising is that cybersecurity innovation seems confined to incremental, tactical advancements. These manifest as refinements in the strength and height of the walls to keep intruders out and of ever-smarter, AI-infused analysis techniques to classify and expose anomalous activity on endpoints and within networks. The innovation strategy has ballooned the array of tools we spend money on and that occupy our also ballooning security teams (making the challenge of recruiting and retaining capable teams ever more difficult).
Each new tool constitutes a complex system in its own right, unfortunately, requiring that it properly interacts both with IT systems and other security tools. More tools equal more complexity. And more complexity guarantees the potential for unseen, unmanaged gaps and seams in the security stack, thereby actually increasing exposure for systems not perfectly configured and managed.
What every new tool always has in common with any other new tool is that it is invariably passive and/or analytical. Talk to any experienced red teamer and you will find that passive and analytical defensive techniques amount to an intriguing set of puzzles to be solved. In fact, many passive security approaches that are designed to wall off the most valuable assets inside the network are often tantamount to road signs that paint the target for the adversary: identify the right locks and pick them. Furthermore, most malign goals can be readily accomplished by a capable adversary well within the timeframes that detection solutions—Monitor > Analyze > Alert > Respond—produce effective intervention and remediation. After all, according to IBM, the average dwell time of the adversary’s presence in compromised systems is nine months!
Despite the profound intelligence exhibited by tools and methodologies originating from academia or the minds of Silicon Valley innovators, they inherently maintain a passive stance. More intelligent surveillance simply will not get the job done. Moreover, our faith in AI-based solutions may well be (dramatically) overstated. Like in any arms race, the enemy gains access to the same tools and techniques used in defense for the benefit of their offense. This fact does not make for any “we are pulling ahead” kind of thinking. As AI-designed offensive techniques come online, we might in fact be further behind, which is a terrible thing to say after laying out US$200 billion for security tools last year.
Even Gartner, the font of high-value product insights, published a surprising piece earlier this year: Stop Performing Cybersecurity Theater: It Is No Longer Scaling, saying… “cybersecurity theater refers to actions that purport to reduce risk, without actually doing so, and it’s endemic. The size and complexity of the digital asset base is now so significant that cybersecurity leaders can’t keep up with the demand to pretend to protect everything, let alone do so.”
When each new tool we innovate adds to our burden as defenders, but doesn’t, realistically, alter the awful trends, we need a rethink. Basic zero-sum game theory—my opponent’s gain is at my expense, and vice versa—ensures we will stay on the receiving end unless there is a cost associated with the attacker’s behavior.
To be clear, I am not intending to invoke better law enforcement or regulatory advances as any kind of panacea. That’s not practicable nor readily under anyone’s individual or organizational control. However, we do in fact possess the ability to architect our private networks in ways that can actively confront attackers attempting to exploit us. This perspective draws on strategies employed in armed conflict, not data science. More and better surveillance to root out the enemy cannot be a winning strategy. Just like in warfare, you can’t win by intelligence and surveillance alone. To win as a defender, you must impose your will on the attacker. They need to experience costs from their behavior.
We control our own private networks, which means we have the power to design them in a way that reshapes the field of conflict as it is perceived by the attacker. In military strategy, when you reshape the attacker’s view of the battlefield in accordance with your interests, you change the probabilities that the actual engagement will be victorious. The asymmetry that currently exists in favor of the attacker needs to be inverted in favor of the defender.
A meaningful opportunity exists to make strides in this direction. Our live assets typically occupy a mere fraction of the total available address space. The untapped, expansive “dark space” in the network—unused ports and IPs—is within our control to re-purpose for defense using techniques that reshape the attacker’s experience.
But having reshaped the field of conflict, you must then actually engage the attacker. Their exploitation operations need to be disrupted, impaired and extinguished during connection. The adversary’s experience in the network needs to be painful—not a puzzle-solving exercise—so that they are exited from the network and have no interest in ever returning. Let them go where they can happily pick locks and solve puzzles… but don’t let it be in your network. Finally, active engagements with the enemy cannot be left to manual, human-led defensive efforts. Winning means engaging in real time, automatically. I don’t see any other way to realistically overturn currently prevailing outcomes.