[BreachExchange] Opinion: Cybersecurity needs an offensive playbook

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 13 19:39:38 EST 2016


http://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/1213/Opinion-Cybersecurity-needs-an-offensive-playbook

What do recent political hacks, the massive cyberattacks that took down a
wide swath of the internet, and digital assaults on a portion of the
Ukrainian power grid have in common?

All of them reveal that attackers are far ahead of defenders when it comes
to digital security. But with global investment in cybersecurity expected
to top $1 trillion over the next five years, why are the government
agencies and companies charged with defending public networks and corporate
systems so far behind?

It's simple: Cybersecurity defenders aren't playing enough offense.

The traditional way of thinking about cybersecurity has been that you can
only have a good digital defense if you "build secure from the ground up."
But this approach assumes a perfect world where everyone constructs
bulletproof computer programs. That's a fantasyland.

Instead, cybersecurity is more like sports. You have to excel at both
offensive and defensive strategies to win.

This doesn't mean that information security firms and independent
researchers should start launching attacks on adversaries. But the good
guys need to be more aggressive about finding and fixing vulnerabilities in
systems and networks before malicious hackers uncover and exploit them.

Think about it this way: Defensive teams in sports improve their skills by
practicing against offensive teams, studying their plays, and understanding
their approaches. We need this kind of tactic for improving cybersecurity
across the board.

In the digital security business, the skill sets of offensive and
defensive groups are strikingly similar. Both sides want to discover flaws
first. But to build more robust offensive teams – for seeking out
vulnerabilities in government or business networks – and defensive ones –
for building the barriers and fighting off the malicious hackers – we need
to invest more heavily in automation.

We need automatic tools that play offense – tools that can check every
program, system, and piece of critical infrastructure for flaws. These will
become more essential as the number of hackable devices – cars, medical
equipment, industrial machinery, and home electronics – is exploding.

Many wireless routers, for instance, are laden with security bugs. There
are hundreds of different routers, and examining each one for security
flaws by hand is not possible. But we could program computers to hunt down
those bugs.

Earlier this year, the cybersecurity community witnessed its equivalent of
the moon landing: The Defense Advanced Research Projects Agency (DARPA)
showed that computers are capable of autonomously deploying offense and
defense in battles between supercomputers. The event, dubbed the "Cyber
Grand Challenge," paved the way for a new era of machines defending against
computer attacks.

During the challenge that took place over nearly 10 hours in a Las Vegas
conference hall, seven competing computer systems autonomously detected,
evaluated, and patched software vulnerabilities before other competing
systems had a chance to exploit them in a classic cybersecurity exercise
known as Capture the Flag. It was the first all-computer hacking contest,
and its success illustrated the potential of automation in cybersecurity.

Right now, most companies rely on a small number of security analysts to
test their products, so countless vulnerabilities go unnoticed. The Cyber
Grand Challenge showed that in the not-too-distant future, it will be
possible for companies to use automated tools to find and fix software
vulnerabilities much faster, and at scale.

Even though cybersecurity automation will eventually make everyone safer,
we still need skilled engineers to build these kinds of systems. The
computer security field is projected to grow 50 percent faster than
computer science in general, and more than 200 percent faster than average
jobs. And demand is quickly outpacing supply.

Burgeoning efforts within government, from foundations, and in the private
sector to focus on innovation and training are helping. We need more smart people
building automatic systems that can work harder and faster – on both
defense and offense – than even the most skilled hackers.