About a decade ago, the Dutch bike company VanMoof found themselves in a pickle: when they started shipping their products to America, the bikes were repeatedly damaged in shipping. As unhappy customers and expensive replacements piled up, they knew they had to find a solution for this, and fast. The solution they found wasn’t an expensive re-engineering project or finding “better” boxes. Instead, the fix was much simpler yet much more effective: they printed a picture of a flat screen television on their boxes so carriers would handle them with the care they would when handling a TV. Immediately, shipping damages went down about 80%.
The reason I’m telling you a story about a bicycle company is that the cybersecurity industry is sitting exactly where VanMoof found itself almost a decade ago. Only instead of damaged bikes, organizations are facing multi-million dollar network breaches. VanMoof succeeded not by changing their products, but by asking a different question. And we need to do the same.
Instead of asking ourselves how to contain the threats, we have to ask ourselves: why are we allowing known threat actors in and out of our networks in the first place?
The challenges of modern-day networks and security are well documented. Here are just a few:
- Too many tools to manage. Organizations (on average) use around 45 different tools to manage cybersecurity threats. This puts an undue burden on cybersecurity teams. Which brings us to…
- A talent crisis. A recent study indicated that 70% of cybersecurity professionals feel their department is understaffed. By 2025, we can expect up to 3.5 million cybersecurity job openings worldwide. Overburdened by workloads and suffering from alert fatigue, many are leaving the industry entirely, further exacerbating the crisis. And when demand is high, prices shoot up: the costs of hiring and retaining these high-demand employees are eye-popping.
- Siloed tools. Integrating all these technologies is often difficult, if not impossible, leading to cracks in the system threat actors can exploit.
- Astronomical costs. Many of the must-have tools in modern security stacks cost millions of dollars, not just to purchase, but to maintain as well.
The problem is compounded by threat actors who are sophisticated, motivated, and well-funded, often by nation-states. A dispersed workforce has led to wide and open attack surfaces, and the payouts have been enormous. For every hole they exploit, we have developed a technology to identify and respond to it and added another acronym to our security stacks. The problem is that even after all our technological advances, we’re still losing.
Shifting to a proactive approach
When firewalls arrived 20-plus years ago, they were heralded as the proactive network protection we had been waiting for. Fifteen years ago, “next-generation” firewalls arrived, promising the same. Unfortunately, this is where the proactive cybersecurity technology development seems to have stalled, despite the amount of encrypted traffic the firewalls are expected to handle exploding in volume. This stagnation also explains the focus on developing “Detect and Respond” technologies.
The amount of traffic hitting network security stacks is growing exponentially as the tools and technologies threat actors have at their disposal become cheaper and more accessible via the dark web. The modern-day attacker can easily run programs/bots to scan internet connections to see what is protected. They have used techniques to evade intrusion detection systems (IDS), intrusion prevention systems (IPS) and deep packet inspection (DPI) as part of building profiles of company activities. Firewalls have been tasked with acting as the sole proactive defense, keeping threat actors from getting into the network and, more importantly, from getting back out of it. It shouldn’t come as a surprise that decades-old technologies have been unable to keep up with these new demands.
One example of firewall limitations is the ingestion of threat intelligence. The amount of vital third-party threat intelligence firewalls can ingest is capped by both hardware and software limitations, which means they have been tasked with enforcement without a full view of the threat landscape. Once we add in sophisticated “side door” network access such as AI-assisted phishing emails/links, insider threats, etc., threat actors essentially have free rein in and back out of the networks.
Instead, what if we leveraged the full power of the cyber intelligence community to stop these known threat actors before they can inflict damages in the first place? And, more importantly, why aren’t we doing that already?
Sometimes the simplest and most effective solutions go unnoticed, much to Occam’s dismay. Leveraging the full power of threat intelligence after a breach has occurred is good, but doing this before one is much, much better. This is the crux of proactive security: protecting our networks and lightening the load we have placed on all our tools so they can actually perform their functions as designed.
The shift to proactive security doesn’t require massive engineering projects or network redesigns. VanMoof succeeded by asking themselves how the carriers were viewing their product, and where it was going wrong. When we ask who these threat actors are, and why they are allowed in the networks, the solution of moving to proactive security becomes as clear as the image of a TV on a box.