Cyber101: How the Defense Works

For the complete White Paper (“Angel Investing in Cybersecurity: Understanding the Technology”), please check out

Last week’s post explored the reasons that cybersecurity is so hard: asymmetries, business imperatives, and risk. Because defense is much harder than attack, there are more categories to consider when trying to understand it. Three primary categories are:

  • Direct defense to protect against or limit the four major targets of attacker threats
  • Tools for detecting and remediating successful attacks
  • Tools to support related business processes such as compliance or investment assessment.

Much of the early efforts towards cybersecurity relied on the paradigm of “preventing” attacks. Firewalls limited unusual traffic, or activity from known bad sites. Anti-virus software searched for known malware on the basis of a unique signature for each type. Virtual Private Networks (VPN) were implemented to provide protected access to known devices (and exclude others). Public Key Infrastructure (PKI) or other identity and access credentials separated authorized users from unauthorized.

As attackers developed more sophisticated techniques in response to these first-generation defenses, and as smartphones and other devices entered the corporate infrastructure, the paradigm began to shift to the current approach of “risk management”. Approaches such as Security Information and Event Management (SIEM) and Mobile Device Management (MDM) have shifted the emphasis towards protecting data in individual applications or on shared networks.

The most recent techniques, spurred by insider threats and weaknesses in other approaches, have begun looking at behavioral characteristics, and it seems as though a second paradigm shift is now under way. These approaches assume that a system’s defenses have been breached, and attempt to determine and prevent “unusual” behavior by users or automated components, such as a large transmission of data to unknown external sites, or user accesses to data holdings not normally accessed or available to that user.
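The behavioral approach described above can be illustrated with a small baseline-and-deviation detector. The following is an added example written for this post, not code from the White Paper or from any product it discusses; the access-log events, the z-score threshold, and the finding names are all constructed assumptions. It builds a per-user baseline of which resources a user normally touches, how much data they normally send, and which destinations the organization normally talks to, then flags new events that break those patterns: an unusual resource access, a transfer far above the user’s norm, a transfer to a destination never seen before, or a user with no baseline at all.

```python
"""Baseline-based behavioral anomaly detection over constructed access logs.

Added example for illustration only; events, thresholds and finding names
are assumptions, not derived from any real product or data set.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal" history: (user, resource, destination, bytes_out)
BASELINE_EVENTS = [
    ("alice", "hr_db", "internal", 1200),
    ("alice", "hr_db", "internal", 1500),
    ("alice", "payroll", "internal", 900),
    ("alice", "hr_db", "internal", 1300),
    ("bob", "git", "internal", 5000),
    ("bob", "git", "internal", 6000),
    ("bob", "wiki", "internal", 4000),
    ("bob", "git", "github.com", 5500),
]

# Constructed new activity to score against that baseline
NEW_EVENTS = [
    ("alice", "hr_db", "internal", 1400),                 # routine
    ("alice", "engineering_src", "internal", 1000),       # resource alice never touches
    ("bob", "git", "unknown-host.example", 900000),       # huge transfer, unknown site
    ("carol", "wiki", "internal", 3000),                  # no history for this user
]


def build_baseline(events):
    """Summarize history: resources per user, byte counts per user, known destinations."""
    resources = defaultdict(set)
    volumes = defaultdict(list)
    destinations = set()
    for user, resource, dest, nbytes in events:
        resources[user].add(resource)
        volumes[user].append(nbytes)
        destinations.add(dest)
    return {"resources": resources, "volumes": volumes, "destinations": destinations}


def score_event(baseline, event, z_threshold=3.0):
    """Return the list of findings for one event (empty list means nothing unusual)."""
    user, resource, dest, nbytes = event
    if user not in baseline["volumes"]:
        # No history at all: cannot judge "normal", so surface it for review.
        return ["unknown_user"]

    findings = []
    if resource not in baseline["resources"][user]:
        findings.append("unusual_resource")

    vols = baseline["volumes"][user]
    mu, sigma = mean(vols), pstdev(vols)
    # Floor the spread so a user with near-constant volumes does not alert on noise.
    sigma = max(sigma, 0.1 * mu)
    if nbytes > mu + z_threshold * sigma:
        findings.append("large_transfer")

    if dest not in baseline["destinations"]:
        findings.append("unknown_destination")
    return findings


def severity(findings):
    """Rank findings: a large transfer to an unknown destination is the classic exfiltration pattern."""
    if "large_transfer" in findings and "unknown_destination" in findings:
        return "high"
    return "medium" if findings else "none"


def detect(baseline, events, z_threshold=3.0):
    """Score every event; returns [(event, findings, severity), ...]."""
    results = []
    for event in events:
        findings = score_event(baseline, event, z_threshold)
        results.append((event, findings, severity(findings)))
    return results


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for event, findings, level in detect(baseline, NEW_EVENTS):
        print(f"{level:6} {event} {findings}")
```

The point of the example is the shape of the approach rather than the specific thresholds: nothing here matches a malware signature or a blocked address, and a breach is assumed to have already happened. The detector only asks whether a user or component is behaving differently from its own past, which is exactly why a routine event from alice passes while bob’s transfer is flagged even though bob is an authorized user on an authorized system.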

Because this cybersecurity infrastructure is so complex, several support areas have grown up around the primary lines of defense. Forensics tools have evolved to determine what happened and what information was lost after an event has been contained. Some metrics tools are now evolving to validate compliance with various regulations or to assess recommended upgrades in a semi-automated way. Others help manage the response process, and so forth.

Finally, the weakest link in all of these approaches is not technology, but the users of the technology. In the Target breach the technology sounded appropriate alarms, but they were ignored. The preponderance of all attacks use phishing or similar mechanisms to gain network access through the users. Although we are closing the gap, there is still a long way to go.

So next week’s Cyber101 post takes up the big questions: “Are we winning? Can we win?”
