How to Build a Data Foundation for Preemptive Security

Recently there has been more focus on preemptive security, both to confront zero-day threats and to slow down AI-driven threats. This blog is about how to build the right foundation for preemptive security, because without the context that high fidelity data provides, both risk and cost increase significantly. In other words, without the right data and data quality (remember "garbage in, garbage out"?) the path to achieving the benefits can be a grueling slog through the mud. Avoiding that and getting onto a streamlined path of dramatically lower risk and cost means starting with an understanding of what data is needed.

For many years cybersecurity has focused on detecting threats that are already known (e.g. virus signatures) and then remediating them with firmware updates, password changes, or certificate management. This approach, while still highly valid, is clearly insufficient, as seen by how often malicious hackers succeed. A "defense in depth" strategy emphasizes having multiple forms of defense (in case one is breached); with the threat landscape now involving AI and cyber-physical systems (such as IoT/OT/ICS), a new layer of defensive capability is needed.

Let’s start with defining Preemptive Security.  Gartner describes it in this way:

What is preemptive security?
Preemptive security is an emerging but increasingly critical approach that aims to prevent and deter cyberattacks before they can launch or succeed, instead of responding to attacks already underway. Gartner advocates that preemptive cybersecurity solutions incorporate capabilities to 1) deny attackers the opportunity to initiate attacks or access desired resources, 2) disrupt ongoing attacks as they occur and 3) deceive attackers to divert them from critical assets.

Denying, disrupting, and deceiving skilled cyber criminals means having a deeper and more comprehensive knowledge about your systems than they do.  For preemptive security to be effective you need high fidelity asset and application data, system operational data, and detailed records of what changes have been made.  This is new for many security teams and is in addition to current solutions like network-based asset discovery and threat detection and response.  Let’s dig a bit into each of these. 

High fidelity asset and application data is needed for preemptive security because you can't protect what you don't fully understand. Today's attack surface (especially for IoT/OT/ICS) isn't only about the devices; it is also about understanding how applications control and manage devices, in order to get a complete mapping of the overall attack surface. Knowing which applications are communicating on which ports to which devices over which protocols not only gives a more complete view of the entry points an attacker may use, but also lets you proactively identify and eliminate vulnerabilities before an attacker can exploit them.

System operational data, such as network traffic over time or device settings, is needed for preemptive security because it gives you a narrative of what is happening in your environment over time and in real-time.  If high fidelity asset and application data is the “static map” of your city, operational system data is the “live traffic feed” that shows over time when and where opportunity for an exploit can occur.  Not only does this type of data provide an operational baseline, it also creates a historical record (such as with a digital twin) that is useful for seeing the small sequence of steps that attackers use in establishing their kill chain. 
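The "static map" and "live traffic feed" from the two paragraphs above, as an added example that is not Viakoo's code: an expected-communication baseline built from asset/application data (application, source, destination, port, protocol), checked against observed flows so that deviations and silent devices stand out. All addresses, application names and flows are constructed sample data.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "app src_ip dst_ip dst_port proto")

# "Static map": which application is authorized to talk to which device, on what
# port and protocol. Constructed inventory, not a real environment.
BASELINE = {
    ("vms-server", "10.0.1.10", "10.0.2.21", 554, "tcp"),    # video mgmt -> camera (RTSP)
    ("vms-server", "10.0.1.10", "10.0.2.22", 554, "tcp"),
    ("bms-console", "10.0.1.20", "10.0.3.31", 47808, "udp"), # building mgmt -> controller (BACnet)
}

# "Live traffic feed": constructed flows observed during one collection window.
OBSERVED = [
    Flow("vms-server", "10.0.1.10", "10.0.2.21", 554, "tcp"),
    Flow("bms-console", "10.0.1.20", "10.0.3.31", 47808, "udp"),
    Flow("unknown", "10.0.2.21", "10.0.1.99", 22, "tcp"),      # camera opening a connection itself
    Flow("bms-console", "10.0.1.20", "10.0.3.31", 502, "tcp"), # known app, unexpected port/protocol
]

def classify_flows(observed, baseline):
    """Split observed flows into baseline matches and labelled deviations."""
    initiators = {b[1] for b in baseline}   # hosts that initiate in the baseline
    targets = {b[2] for b in baseline}      # managed devices that only receive
    known_apps = {b[0] for b in baseline}
    matched, deviations = [], []
    for f in observed:
        if tuple(f) in baseline:
            matched.append(f)
            continue
        if f.src_ip in targets and f.src_ip not in initiators:
            reason = "managed device initiating a connection"
        elif f.app not in known_apps:
            reason = "unknown application"
        else:
            reason = "known application on unexpected destination/port/protocol"
        deviations.append((f, reason))
    return matched, deviations

def missing_from_feed(observed, baseline):
    """Baseline flows never seen in the window: a device that goes quiet is a signal too."""
    seen = {tuple(f) for f in observed}
    return sorted(b for b in baseline if b not in seen)
```

Run over a real collection window, the deviations list is the triage queue and the missing list is the list of devices to check for outages or tampering.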

Detailed records of system updates and changes are needed for preemptive security because they provide a validated history of "who, what, when, and why", which is essential for distinguishing legitimate activity from a potential attack. Continuing the above analogy: if high fidelity asset and application data is the map and operational data is the live traffic, then change records are the city planner's logbook that distinguishes authorized construction from a rogue crew digging in its place. Change logs act as the ground truth of how your systems should be configured and can be audited against to find failed patches, misconfigurations, or policy violations before threat actors do. By definition an attacker's actions are unauthorized changes; having a change log to reference against allows an indicator of compromise to be identified and reviewed quickly, so attacks can be caught in their earliest stages.
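The audit described above, as an added example that is not Viakoo's code: observed configuration changes are reconciled against authorized change records, so that a change with no record surfaces as unauthorized and a record with no observed change surfaces as a failed patch. Devices, settings, values and timestamps are constructed sample data; the four-hour matching window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ChangeRecord:            # the "city planner's logbook": who/what/when/why
    device: str
    setting: str
    new_value: str
    who: str
    when: datetime
    why: str

@dataclass(frozen=True)
class ObservedChange:          # derived from successive configuration snapshots
    device: str
    setting: str
    old_value: str
    new_value: str
    when: datetime

# Constructed records: two firmware updates and one NTP change were authorized.
AUTHORIZED = [
    ChangeRecord("cam-21", "firmware", "5.2.1", "j.doe", datetime(2024, 3, 1, 9, 0), "patch window"),
    ChangeRecord("cam-22", "firmware", "5.2.1", "j.doe", datetime(2024, 3, 1, 9, 0), "patch window"),
    ChangeRecord("plc-31", "ntp_server", "10.0.0.5", "ops", datetime(2024, 3, 2, 14, 0), "NTP migration"),
]
# Constructed observations: cam-22 never updated; cam-21 got an unrecorded credential change.
OBSERVED = [
    ObservedChange("cam-21", "firmware", "5.1.0", "5.2.1", datetime(2024, 3, 1, 9, 12)),
    ObservedChange("plc-31", "ntp_server", "10.0.0.4", "10.0.0.5", datetime(2024, 3, 2, 14, 5)),
    ObservedChange("cam-21", "admin_password_hash", "h1", "h2", datetime(2024, 3, 3, 2, 40)),
]

def reconcile(observed, authorized, window=timedelta(hours=4)):
    """Return (unauthorized observed changes, authorized changes never observed).
    A match needs the same device, setting and resulting value, observed within
    `window` after the authorized time; anything else is rogue or failed."""
    pending = set(authorized)
    unauthorized = []
    for obs in observed:
        match = None
        for a in pending:
            same_change = (a.device, a.setting, a.new_value) == (obs.device, obs.setting, obs.new_value)
            if same_change and timedelta(0) <= obs.when - a.when <= window:
                match = a
                break
        if match is None:
            unauthorized.append(obs)
        else:
            pending.discard(match)
    failed = sorted(pending, key=lambda a: (a.when, a.device))
    return unauthorized, failed
```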

Are you a security professional working to bring preemptive security solutions to bear on improving your risk profile? Viakoo works with many leading organizations on providing exactly the kind of data discussed in this blog, along with advanced asset discovery and vulnerability remediation capabilities. Sign up here for a 30-minute discussion with one of Viakoo's experts in cyber-physical security and see for yourself how this can accelerate your path to preemptive security.