Cyber security and cyber defense
03/30/15 Category: Security
The press talks about cyber war and cyber security, however, for companies it's all about cyber defense.
As companies, we're not allowed to counter attack or do preemptive attacks. Those options are purely for nations to exercise in their arsenal, albeit with discretion and unexpected consequences.
While we hear a lot about cyber security, I believe it misrepresents the field. When we think of human based security (think guards), we think of active patrols, humans, potentially armed responders and the ability to call for backup and external entities. We really don't have any of those options in corporate data security.
In the cyber world, we're limited for the most part to passive defense, that's automated, not reactive and requires human oversight. It's purely a defense oriented game. Like all defense only based approaches, the attacker merely needs to win once and it's game over. Worse yet, automation can be used to overwhelm defenses, probe for weaknesses, play a waiting game, attack during unexpected times/hours and even use human spies and deception to trick or even bribe our own employees. To make matter worse, encryption has blinded most security systems and over 35% of traffic now is encrypted.
Since it is defense only, we really do have to rely on layered security. A single line of defense is crazy and reckless. Multiple lines of defense are required. Different approaches are needed to sustain brute force volumetric (DDoS - Distributed Denial of Service) attacks versus recon and probe techniques meant to assess our defenses for a future compromise and deeper internal inspection.
Lastly, we need the ability to detect an attack and then respond (limited as our options are) and recovery has to be part of the plan.
Cyber security is not and cannot be a set and forget approach.