It’s not hard to understand the concept of proactive cyber defense: acting in anticipation of an attack against a computer or network. The goal is getting in front of attacks by evading, outwitting, or neutralizing them early instead of waiting for the damage to start like reactive cyber defenses.
It’s also not hard to understand the benefits of being proactive: preventing the negative effects of cyber attacks instead of trying to minimize the damage. The only thing hard to understand is why every company doesn’t practice proactive cyber defense already.
To answer that question, we need to dive into the history of cybersecurity. It offers a powerful lesson about what can happen when we’re blind to the flaws in our own methodology. It also helps explain why catastrophic cyber attacks have become so common lately. Most importantly, a look at the recent past tells us a lot about the path forward for cybersecurity, and it looks drastically different than the path we’re currently on.
WHERE CYBERSECURITY WENT WRONG
Historically, cybersecurity wasn’t proactive, per se, but it was close. As soon as experts observed a new attack, they would add it to a registry of known threats. Various antivirus products would then draw on that registry to identify and block incoming attacks at the perimeter of enterprise IT, which was reliable because these attacks were infrequent and carried an obvious calling card. Brand-new attacks could still get through, but their efficacy was short-lived, and the antivirus product stopped the vast majority of attacks proactively.
This approach worked reasonably well for years, until around a decade ago. Consider that in 2009, U.S. cybersecurity spending totaled $27.4 billion, but by 2018, that number had increased to $66 billion and continues to skyrocket.
What happened in the intervening years? Tools enabling polymorphic attacks began to proliferate, which exploded the potential number of signatures on files. Vendors could not cope with this explosion in new techniques, which further led to a rise in fileless attacks and in-memory exploits.
Unlike traditional malware, which arrives as a file with a distinctive “signature” that antivirus products can detect, fileless and in-memory attacks use ever-changing signatures and behaviors (disguises, essentially) to bypass gatekeepers without making their presence known. Then they work inside of the software, operating systems, or protocols to cause harm for as long as they go unnoticed.
Conceding that they couldn’t stop these attacks on the outside, security professionals shifted their focus to finding threats hiding on the inside ? a fundamentally reactive strategy, and one with spotty results. Modern attacks are particularly hard to spot or stop because they leave few fingerprints within the vast amount of data that modern security solutions often collect. It’s akin to finding a needle in a haystack.
In response to this challenge, companies have spent billions on detection and mitigation over the last decade, investing in behavioral and heuristic analysis products that promise to uncover the tracks of fileless and in-memory threats; the reality though is that there is a massive noise-to-signal ratio involved with detection and response, making it difficult to quickly identify the footprints of fileless attacks.
The results of this approach speak for themselves: cybersecurity spending has more than doubled, yet the cost of cybercrime is projected to grow from $3 trillion in 2015 to $6 trillion as soon as 2021. Furthermore, behavioral antivirus software delivers frequent false alarms that distract responders from what really matters. Undeniably, the reactive approach to cybersecurity that still dominates today has been an utter failure.
The future of cybersecurity is about updating the proactive cyber defenses of the past for the advanced threats of today and tomorrow.
PROACTIVE CYBER DEFENSE CHANGES THE NARRATIVE
Companies have settled for a reactive approach for so long despite getting more detection alarms daily than a SOC could address in a month because they assumed it was the only option. The flaws in this strategy were pretty obvious; the alternatives weren’t.
But that’s changing as the proactive cyber defense once again becomes the dominant paradigm. Instead of seeing their perimeter as inevitably vulnerable and porous, or seeing detection and response solutions as infallible, security-savvy companies are starting to move their emphasis earlier.
They’re closing whatever gaps exist in the security architecture through hardening, credential control, and security training. These companies believe proactive cyber defense isn’t just possible, it’s a priority in an era when any successful attack can rock a company to its core.
The notion that companies can stay in front of hackers, outrunning their attacks instead of absorbing the blow, challenges the narrative around cybersecurity. But with the right policies, technologies, and philosophies in place, companies can consistently prevent attacks, including fileless and in-memory variants. Crucial elements of proactive cyber defenses include:
- Frequently updating patches to close security gaps
- Implementing moving target defense to neutralize new and emerging threats
- Hardening endpoints against known attacks, e.g., a classic antivirus strategy
Taking a comprehensive approach creates an unbroken defensive perimeter around a company. But, frankly, any attempt at proactive cyber defense foils many attacks because they’re not used to encountering resistance before accomplishing their objective. Years of reactive cyber defenses have made hackers fat, happy, and complacent. By finally removing the obvious weaknesses and gaping holes in a security perimeter, proactive cyber defense confronts hackers on the front lines and short-circuits their attacks before they have any negative consequences.
It’s time to reject the defeatist attitude embodied by the detection and response strategy. And it’s time to stop letting hackers dictate the terms of the conflict. Proactive cyber defenses make companies a formidable adversary instead of an easy target.
This post originally appeared on the Morphisec Moving Target Defense Blog