The Best Practices are No Longer the “Best” Practices – Part II

Earlier this week, I shared my views about best practices and cybersecurity. Now I want to move beyond best practices as your sole defense.

The traditional cybersecurity mindset is one of prevention, believing threats cannot penetrate — and this is why security plans fail. It’s easy to assume defenses are successful against an insidious threat. Metrics will show an effective compliance program, intrusion detection and access denial. Yet to take for granted that the threat is gone, rather than having simply moved to another path within your network, is foolhardy. Assuming there are numerous threats to your security measures that are coming in a dynamic and continuous fashion may seem paranoid, but just because you’re paranoid doesn’t mean no one is out to get you.

Say your defensive measures and best practices are in place; threats are deferred to other paths and targets. Plenty of scientists, academics, organizations and companies have cyber behavior pattern detection and assessment algorithms, programs and products. The industry’s arguments about who has the better thought process, mathematical algorithm or mouse trap are entertaining. But what’s missing is a very simple rate problem: the reason best practices are not completely effective is that threats change and advance more quickly than practices can be implemented.

Current thought is centered on using behavioral analyses to find threats before they become problems. Let’s assume someone, somewhere has the perfect process and algorithm to find all behaviors and sift through them in a precise manner to find the ones that are or will be threats — we will call it “The Model.” (I must interject here that I believe this is possible although not yet completed, and it will be incredibly computationally complex — a hard problem).

Now, the final requirement is keeping up with the rate of new threat behaviors. We can estimate this rate from historical data: model the potential rate change, build in an error rate, make SWAG (or “best guess”) predictions and check them against incoming results.

We can engineer the solution — maybe — but can never assume the cyber battle has been won. This is one battle that will never end. It ebbs and flows like crime, poverty and the economy. The best assumption is to process “The Model” as quickly as possible with as much data as possible. What’s quickly enough, and how much data is adequate? The answer is, whatever your organization can afford. The more you invest in a system, the higher your expectations can be for its effectiveness and ultimately, a decreased level of risk for your company.

An organization’s finance or budget office will need to see an estimated ROI for your new system before they’ll sign off on it. I suggest that the formula for a cyber compute investment should be the value potentially at risk from a cyber threat (not an easy thing to calculate, but a SWAG at 1-2% of the company’s market value is probably close) divided by the ratio of new behaviors identified in a given time period to those identified in a period of the same length well afterward. It can be tricky to educate others in your organization about the value of investing in behavior identification and new behavior detection on your network, but it’s increasingly critical to protecting your growing collection of sensitive data.

It’s important to keep in mind that in addition to adding cyber compute power, you’ll need to build a workflow. Workflows are often mapped out as a first step, but if your organization starts with a cyber compute platform that can identify new behaviors in an accelerated time frame, your workflow will be considerably more efficient. Then optimizing will be the easy part... if you’re using a Cray!
