Proactive Cybersecurity: Because a Mb of Proactive Prevention is Worth a Gb of Reactive Remediation
As a CISO, you know that cybersecurity is crucial to the success and survival of your organization. Cyber threats are constantly evolving and it's important to stay vigilant in order to protect your business from attacks. While it may not be possible to completely eliminate the risk of a breach, there are steps one can take to significantly reduce the likelihood of an incident occurring and minimize the impact if one does.
One approach that has been gaining popularity is "proactive cybersecurity," but what exactly is "proactive cybersecurity"? Is it merely the latest next-gen marketing buzzword being applied to everything from AV to ZTNA, or a crucial component of cybersecurity? As is often the case in these matters, the answer lies somewhere in between. While the term has unfortunately become a hackneyed cliché, at its core lies a kernel of crucial cybersecurity strategy that is becoming increasingly important in this rapidly evolving landscape.
In this post, I will discuss proactive cybersecurity as a strategy: what it is, why you need it, how to implement it, and finally, how to communicate the need for it to the board.
What is Proactive Cybersecurity?
NIST (following CNSS 2015 & DSOC 2011) defines proactive cyber defense as “A continuous process to manage and harden devices and networks according to known best practices.” While this definition may seem overly broad and vague, it contains a crucial element of proactive cybersecurity: it must be “a continuous process.” Why this element is critical will be the subject of the next section, but in a nutshell, you need to continuously improve your defense because threat actors are continuously improving their offense. If you aren’t continuously improving, you can be sure threat actors are, and it will only be a matter of time until they find their way in.
However, this definition is lacking; rather than being too broad, it is in fact too narrow in scope, focusing on hardening software and hardware (“devices and networks”) while failing to include other critical aspects of cybersecurity such as wetware (human vulnerabilities). Perhaps for this reason, the latest 2022 version of the CNSS Glossary instead defines active cyber defense (ACD) as “Synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities” (CNSSI 4009-2022; DARPA; DOD, 2013; NIST quoting CNSSI 4009-2015 from DSOC 2011). Here the focus shifts from mere hardening of “devices and networks” to a more holistic approach of proactively seeking out all threats and vulnerabilities.
Aside from being more inclusive of all forms of threats and vulnerabilities, there is a subtle yet important nuance in this shift in focus from hardening devices to seeking out threats and vulnerabilities. True proactive cybersecurity goes beyond checking off a checklist of best practices; it requires actively seeking out threats and vulnerabilities. Again, the reason this is critical will be discussed in the next section, but in a nutshell, a chain is only as strong as its weakest link, and if you aren’t searching for it, you can be sure there are others who are.
Other definitions widen the scope further to include a broader spectrum of activities, up to and including so-called “hack back” operations (to recover digital assets or even disrupt threat actors) (Broeders, 2021; Craig et al., 2015; Shackelford et al., 2019). Such tactics are beyond the capabilities of most organizations and therefore will not be covered here. However, this brings us to one final point about proactive cybersecurity: it’s relative. For a small organization, basic vulnerability scanning might constitute proactive cybersecurity, while for a larger one, such measures wouldn’t even meet basic requirements. It is impossible to perfectly cover the full spectrum of proactive cybersecurity; however, organizations must ensure that they do not fall behind other organizations of similar size and/or industry. Again, this will be discussed in the next section, but in a nutshell, as the saying goes, “You don’t need to be faster than the bear, you just need to be faster than the guys next to you.”
Why Do You Need Proactive Cybersecurity?
Risk management covers a wide variety of risks faced by organizations, so what makes cybersecurity unique in necessitating this proactivity? There is no shortage of reasons and statistics that can be used to show the challenges and necessity of cybersecurity defense; here, however, I will focus on why merely bolstering defenses is not enough, and why the continuous process of proactive cybersecurity specifically is needed as well.
One of the key aspects that makes cybersecurity challenging is the adversarial nature of the risk. Unlike most forms of risk management, which deal with natural uncertainty, unfortunate occurrences, and bad luck, risk in cybersecurity comes from active adversaries: numerous skilled and highly motivated adversaries with vast resources, such as:
Millions of script kiddies and automated scans incessantly probing targets until they inevitably get lucky and find a way in (e.g., Lapsus$)
Skilled, ideology-driven hacktivist groups collaborating to breach and bring down their targets
Well-organized criminal organizations with corporate structures, pulling in hundreds of millions, and creating an entire cybercrime industry & ecosystem
Nation-states, with billions of dollars and access to the best and brightest minds in a country, who are then trained and organized into elite units consisting of some of the most skilled hackers in the world.
This not only makes cybersecurity more challenging (thus necessitating robust measures), but also has additional implications that necessitate not merely robust security but specifically a continuous process of proactive security:
Rapidly evolving tactics and techniques - As a result of these highly capable and motivated active adversaries, the cybersecurity landscape is constantly changing. With so much talent and so many resources dedicated to finding new means of infiltration, new means must be developed to counter these new threats and defend organizations from them.
Information Asymmetry:
Threat actors have access to the same frameworks, standards, and best practices used across the cybersecurity industry and can thus develop new tactics and techniques to circumvent them.
Additionally, they have access to commonly used apps and even (open) source code, which they can use to find new zero-days.
Finally, they may have access to many defensive tools enabling them to test and refine their methods.
Falling behind makes you a more attractive target - The reality is that it’s practically impossible for organizations to defend against a dedicated APT (advanced persistent threat) that is hellbent on targeting and breaching a specific organization. Fortunately, this is rarely the case; like any organization, most cybercriminals seek to maximize their ROI (return on investment), and that means seeking out the organizations that are weakest (relative to others of comparable value). Failing to maintain a continuous process of proactive cybersecurity will result in an organization falling behind, making it a prime target for threat actors.
How to Implement Proactive Cybersecurity: Communicating the Need to the Board
Today's CISOs need to wear many hats; in addition to cybersecurity skills, CISOs also have to serve as communicators and translators who break down and present relevant information to the various stakeholders that require it. As a CISO, it is crucial to speak the language of the organization and, in particular, of the board. Proactive cybersecurity requires resources, and to acquire these resources, CISOs need to be able to communicate why they are necessary.
It is a tricky balancing act to find the optimal way of presenting complex technical subject matter in a manner that board members can understand and appreciate. One way of doing this is to draw on subject matter with which the target audience is more familiar. Even when not absolutely necessary, speaking the language of a target audience is an important part of effective communication and increases the likelihood of a positive reception.
Here are some examples of how analogies can be used to communicate the importance of proactive cybersecurity:
CISOs working in the healthcare industry can draw an analogy between the need for proactive cybersecurity and the need for a yearly flu shot. Just as pathogens evolve and mutate to avoid detection by the immune system, so too digital viruses and threat actors evolve to avoid detection and elimination. Similarly, just as epidemiologists and virologists need to be proactive in anticipating, and developing a vaccine for, the upcoming year's flu, so too cybersecurity teams need to anticipate and prepare for changes in the cybersecurity landscape.
CISOs working in the defense industry can use the analogy of an arms race, in which countries must increase defense spending year after year in order to keep up with adversaries that are doing the same. Fighting today's battles with yesterday's technology is simply not a viable strategy.
One crucial caveat: know your audience. While these analogies are likely to go over well in their respective industries (and even with most of the general population), one must consider the ways an analogy could backfire. For example, if your target audience happens to be "anti-vax," "anti-war," or even to have war-related trauma, such analogies could do more harm than good. For this reason, it is crucial to know your audience and tailor your message accordingly.
Conclusion
As a security practitioner, understanding the importance of proactive cybersecurity is crucial to protecting the business from evolving cyber threats. Managing and seeking out all threats and vulnerabilities, including human-driven ones, is necessary to minimize breaches. A proactive cybersecurity strategy should be tailored to an organization's specific size and industry and constantly improved to counter evolving tactics and techniques. Cybersecurity is unique in that it involves active adversaries who are highly motivated and skilled, necessitating the adoption of robust measures and the continuous process of proactive security.
Sources:
Broeders, D. (2021). Private active cyber defense and (international) cyber security—pushing the line? Journal of Cybersecurity, 7(1); Oxford University Press. https://doi.org/10.1093/cybsec/tyab010
CNSS. (2015). Committee on National Security Systems (CNSS) Glossary. In NSA Archives
CNSS. (2022). Committee on National Security Systems (CNSS) Glossary; CNSSI-4009
Craig, A. N., Shackelford, S. J., & Hiller, J. S. (2015). Proactive Cybersecurity: A Comparative Industry and Regulatory Analysis. American Business Law Journal, 52(4), 721–787. https://doi.org/10.1111/ablj.12055
DARPA. (n.d.). Active Cyber Defense (ACD). Darpa.mil; DARPA
DoD CIO. (2013). DoD Strategy for Defending Networks, Systems, and Data
NIST. (n.d.-a). active cyber defense - Glossary | CSRC. Csrc.nist.gov; NIST
NIST. (n.d.-b). proactive cyber defense - Glossary | CSRC. Csrc.nist.gov; NIST
Shackelford, S. J., Charoen, D., Waite, T., & Zhang, N. (2019). Rethinking Active Defense: A Comparative Analysis of Proactive Cybersecurity Policymaking. University of Pennsylvania Journal of International Law, 41(2), 377–427. https://doi.org/10.2139/ssrn.3303407