For cybersecurity pros or cyber investors like me, there are two main modes in which we can engage in cyber defense. First, we can react, and that’s where most in the industry operate today. The second option: we can anticipate what the attacker will do next.
Now, many jaded security pros are likely to say: “Yes, yes, be more proactive. I already do this with threat intel.” But anticipatory cybersecurity takes much more than building protections around what's happening on the ground in today's threat environment. It's about anticipating tomorrow’s offensive innovation and next year and five years from now, and building a roadmap to head these newly-emerged threats off in the future.
Those reacting have already lost
Here's the real reason why cybersecurity fails so badly today: Defenders in reactive mode have already lost because the offense always has the initiative.
Unfortunately, most CISOs and their teams respond to incidents, look for root causes, and retroactively invest in protections that might prevent something similar from happening again. What's more, so many of the hundreds of poorly conceived cybersecurity vendors setting up shop out on the market are also built on this model of responding to today's threats.
If defenders feel a smidge more proactive, they might not wait for an incident in their own environment, but will pore through the latest threat intelligence to build some protections around the threats that are hitting organizations like theirs. But that's still not truly anticipating where attacks will go at the time of engagement. It comes after the attackers have already evolved—they just did it in someone else's environment. But their next move is often an evolution off that last one. There's always a new technical or tactical twist because the offense invents new ones all the time.
If CISOs want to make a real impact, they've got to find a better way to plan their investments. They can do this by denying the adversary the initiative.
What it means to take an offense-to-defense approach
So, how do security teams deny the adversary the initiative? It means they must understand the offensive mindset and predict the adversary's behavior and their time of engagement.
Hockey great Wayne Gretzy was famous for saying: "I skate to where the puck is going to be, not to where it has been." That’s what security leaders have to do. My challenge to all investors and practitioners out there is we must get a whole lot better about figuring out the target of the next attack. We need to understand the offense – their different motivations, their economic models, and their innovation paths. In my many years as a venture capitalist I have found that there's a demonstrated path from cutting-edge offensive innovation to a threat manifesting itself regularly in the wild. For most tactics, it's about four to six years.
I take this offense-to-defense mentality to vet new cybersecurity vendor investment opportunities. Some of my favorite investments are ones led by former offensive security pros—often from military or government backgrounds—because they've occupied the offensive role. They've been the military adversary and know exactly the kinds of new, advanced attacks that a typical attacker will bring to bear on defenders of the future. They then turn this around into anticipatory defensive measures.
Now, obviously that level of insight won’t always be at a non-military veteran CISO's fingertips. And a practitioner will have different concerns than an investor like myself. But there's a very good level of applicability of the offense-to-defense mindset whether an investor or a practitioner. The importance of understanding the offense makes it much easier to anticipate the threat landscape a practitioner will confront in the future. And that can help a CISO prioritize where they need to deploy resources, how they plan out roadmap investments, and how they can get staff prepared.
When CISOs are pinned down in the here and now of incident response, it might feel impossible to worry about anything beyond present concerns. It may feel unrealistic to worry about what's happening four years from now if I got hit by ransomware this week. The board will rake security leadership over the coals for that lapse. But think about it, the CISOs who many years ago could view ransomware beyond a novel, clever little attack against consumer PCs and understand how the bad guys could leverage ransomware against corporate environments were able to rethink their whole approach to resiliency and protecting backups. And four years from now, CISOs will get raked over the coals for not anticipating the next generation of hurt that adversaries are inflicting on the organization.
That’s why an offense-to-defense mentality will be the defining trait that separates CISOs who are true leaders from those who are simply just technical managers. CISOs who can read the research that offensive experts are producing—who attend Black Hat, DefCon, RSA, and Global Cyber Innovation Summit--and who can turn that early intelligence into anticipatory defense, are the ones who will skate toward where the puck will be – not fight the threats of the past.
Bob Ackerman, founder and managing director, AllegisCyber Capital
