Times are changing and perhaps your cyber defense should too. Do you still rely on just an edge firewall and a virus scanner on the laptops or workstations in your company? Then you’re still in the mindset of classical cyber defense. Let’s see how you can do better!

When is cyber defense traditional?

When firewalls were first deployed, you didn’t just deploy a tool: you adopted the goal of keeping threats out of your systems. Virus scanners reinforced that idea, and with that the concept of traditional cyber defense was born: build a hard shell around the perimeter of your network and keep threats out. Within traditional cyber defense there is no place for the notion that your systems might already be compromised.

Next-gen firewalls, web-application firewalls, IPS, access controls, micro-segmentation: they all show that even though defensive tooling has matured heavily over the past decades, the focus is still on keeping the threat out. Vendors like to give you the idea that you’re safe once you implement their latest-and-greatest tool. In reality these tools still defend a boundary (micro-segmentation at least narrows the blast radius inside it) and give you little visibility once a threat inevitably finds its way in. In traditional cyber defense, nothing detects or stands in the way of a threat actor once they are inside your perimeter.

Why is traditional cyber defense no longer sufficient?

Attackers have changed and adapted. They no longer focus on exploiting vulnerabilities in the lower layers of the OSI model but have started to abuse the upper layers very successfully. Most attacks nowadays start with application vulnerabilities or social engineering, instead of directly targeting your network stack. A firewall can’t distinguish TCP packets carrying legitimate mail from TCP packets carrying a phishing mail, nor can it detect that your end users are less tech-savvy than the CTO imagined.

On top of that, system design has changed from static on-premises architectures to dynamic hybrid architectures (public/private cloud, remote work, classic on-premises, etc.). Today’s company architecture can be drastically different from next week’s architecture. No firewall can keep up with those changes.

Shift the focus!

Evolving into a modern cyber defense program means that you no longer focus exclusively on preventing breaches: assume that a breach has likely already happened and has gone unnoticed. This doesn’t mean you can just throw out your firewall. Traditional tooling still has its place within a modern cyber defense, but the focus shifts from the tools toward the risks. That in turn helps you assess which tools you actually need and where you need them.

In the end, it boils down to moving from a preventive focus in your cybersecurity program to a program that is more focused on detecting and responding to actual breaches. Do this using a risk-centric approach: budgets are limited but threats are not, so pick your battles. For example: if state-sponsored actors are probably not going to come after you, don’t waste resources trying to keep them out. You might have a better return on investment by protecting your company’s IP from ransomware attacks.

Why didn’t defenses evolve on their own?

That evolution has happened, but the adoption of new security concepts is slow. Let’s see how a traditional cyber defense program compares to a modern one on a few items that differ in practice:

  • Staffing: a decent network administrator will probably be more than capable of configuring and managing a single edge firewall. Managing a wide range of complex tools, detection rules and processes that scale dynamically with the organization is far more involved and requires more, and a different kind of, staff.
  • Complexity: where classic cyber defense is usually more of the same, there is no one-size-fits-all solution for modern networks and systems. Depending on the architecture and third-party (cloud) providers, there is an endless combination of security architectures that do or don’t work for your organization. This complexity can be a big hurdle (and a hard sell to management) when evolving your security program.
  • Discomfort: modern cyber security is uncomfortable. No manager wants to hear that their infrastructure might get, or already is, compromised. With a traditional cyber security program they won’t hear such a thing, and chances are they like it that way. The lack of detection capability means you won’t know you’re compromised until it’s too late, which can be years after the fact. Accepting that a modern cyber defense can and will surface breaches is a challenging and uncomfortable thing to do.

Where do I start?

Don’t aim for a 10 out of 10 solution from the get-go. If you don’t have insight into what exactly you want to achieve just yet, start off with some open-source tools. Buying a 500k/year SIEM solution won’t help you any better than an open-source SIEM if you don’t have proper processes in place yet, or don’t know what to look for.

Prevent information overload. This is a pitfall for a lot of cyber defenders: more information is not necessarily better. Think of a use case you want to be able to detect within your network and onboard only the data sources needed to detect it. Frameworks like MITRE ATT&CK and DeTT&CT are great tools for helping you do so: ATT&CK to pick the techniques you want to cover, DeTT&CT to score which data sources you have and how much of those techniques they let you see.
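One worked instance of that approach, added here as an example and not code from the original post: the use case is “password brute force followed by a successful login” (ATT&CK technique T1110, Brute Force), the only data source onboarded is the authentication log, and the detection keeps just the four fields the use case needs. The log lines are constructed sshd-style samples; the threshold of five failures within a two-minute window is an assumed tuning value, not a recommendation from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (sshd-style); not real data.
# One source hammers 'admin' and then gets in; 'alice' mistypes once and
# logs in much later, which should not raise an alert.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2024-03-01T10:00:05 sshd[1201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:07 sshd[1201]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2024-03-01T10:00:09 sshd[1201]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2024-03-01T10:00:12 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
2024-03-01T10:05:00 sshd[1300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2024-03-01T10:30:00 sshd[1300]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Extract only the fields this use case needs: time, outcome, user, source.
    Anything else in the line is deliberately not onboarded."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "src": m["src"],
        }


def detect_bruteforce_success(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert when one source accumulates at least `threshold` failed logins for a
    user within `window`, followed by a successful login for that user from the
    same source. Threshold and window are assumed tuning values."""
    failures = defaultdict(list)  # (src, user) -> timestamps of failed attempts
    alerts = []
    for ev in parse(lines):
        key = (ev["src"], ev["user"])
        if not ev["ok"]:
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "technique": "T1110",  # MITRE ATT&CK: Brute Force
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(recent),
                "success_at": ev["ts"].isoformat(),
            })
        failures[key].clear()  # a success resets the counter for this pair
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_LOGS):
        print(alert)
```

The point is the shape of the exercise rather than this particular rule: you start from the technique you want to see, work out which log fields are strictly necessary, and only then decide what to ship to your SIEM. The same rule scored in DeTT&CT would tell you that without authentication logs from every system that accepts passwords, your coverage of T1110 is partial no matter how many other feeds you onboard.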

Tools are a means to an end. Figure out what your cyber security program needs to accomplish and pick the tools that help you do so. If you ask whether you need a certain tool in a modern cyber defense program, the answer should always be: it depends. Ask yourself what your budget is (in money and in staffing) and which risks you, or the company, are comfortable with. Then find the way to spend that budget that most effectively addresses the risks you want to cover in your systems and network. That may well mean a shift away from adding more and more tools and toward onboarding dedicated defenders.

Evolving into a modern cyber defense program that focuses on detecting and responding to actual breaches using a risk-centric approach is essential in today’s rapidly changing threat landscape.

Raymond Jetten
