By Shay Siksik, VP Customer Operations and CISO, XM Cyber
There are things we know: 2 + 2 = 4, for example. We call this common knowledge.
There are also things we know that we don’t know, such as “what existed prior to the Big Bang?” We call these things “known unknowns.”
Finally, there are things that we don’t know we don’t know. We call these things “unknown unknowns” — and they are the most challenging to deal with from the perspective of risk management and cybersecurity.
Let me give you a relevant example. After Marriott Hotels bought Starwood Hotels a few years ago, Marriott’s IT department was unaware that Starwood’s servers had already been penetrated by attackers, who were lying in wait. It took four years for them to be detected — and cost the newly merged companies significant financial and reputational penalties following a massive data breach.
“Unknown unknowns” may not be the most fluid of phrases, but it precisely describes the challenge we’re facing. It’s easy, relatively speaking, to prepare defenses against risks that are well understood. It becomes more difficult to effectively plan for and manage risks when we can identify them but don’t fully grasp their potential impact.
Yet both of these pale in comparison to the Herculean task of managing risks that we don’t understand and can’t identify or anticipate.
Fortunately, there is a path forward.
Managing Risk in a World of Unknown Unknowns
Today, most security control resources are deployed on threat detection and response products. It helps to visualize these tools as smoke detectors. When used correctly, they provide an early warning system that can help put out fires before they grow out of control. However, just as smoke detectors may fail due to a dead power source, detection and response may fail if confronted with an unknown threat.
An alternative solution would be one that doesn’t focus on the smoke detector, but instead identifies the conditions that lead to the initial spark: A child playing with matches in a garage filled with gas and oil, for example. In the context of cybersecurity, this might be user activity, misconfigurations and other vulnerabilities.
To extend the analogy a bit further, smoke alarms are reasonably effective at their designated purpose, as they substantially reduce your odds of dying in a fire. Yet, on their own, they aren’t quite effective enough. Why? Faulty designs, malfunctions and — most importantly — human error.
While most smoke alarms are mechanically reliable, the same can’t always be said for their purchasers and installers. Changing a battery is a simple thing, but people tend to put it off — even when their smoke detectors are emitting those irritating beeps. Using a strong, unique password is a simple thing, but people consistently fail to do so.
Home builders and inspectors understand this tendency — that’s why many battery-powered smoke detectors are backed up by a second power source in the form of electrical wiring. Battery-based home security systems, too, are often built with a secondary electrical power source to act as a failsafe if an intruder disables the battery or an owner simply forgets to replace it.
So what does this have to do with cybersecurity risk? It’s simple: A second security layer — extending below conventional threat detection and response — is a critical tool for mitigating the risks created by human error and those challenging unknown unknowns.
You can have an extensive array of conventional security controls. Yet without a deeper layer to manage the risks that aren’t understood and anticipated, your critical assets are going to remain vulnerable.
So How Do You Build a Second Layer?
Creating a layer of security capable of managing unknown risk requires shedding a purely reactive posture. Instead, it’s necessary to mimic the mindset of attackers and simulate their tactics and techniques, continuously probing for new and unknown vulnerabilities.
A penetration test, or a red team exercise, is one way to accomplish this. Yet manual testing has drawbacks. Namely, such tests are expensive and thus generally episodic in nature. As a result, organizations lack visibility into the ongoing state of their defenses. In cloud and hybrid environments, changes occur at a dizzying pace — and any one of these changes can create a new security gap.
This means that a truly effective approach must also be continuous, or automated.
In 2021, smart organizations need a new approach that uses the attacker’s perspective to find and remediate critical attack paths across on-premises and multi-cloud networks. They need peace of mind to secure their hybrid networks to eventually shield their most critical assets, their “crown jewels”.
When deployed in conjunction with conventional detection and response tools, an attack path management platform helps create a deeper layer of vulnerability and risk management — one with the ability to deter and defend against the most slippery and dangerous cyber adversary of all.
The one we don’t know we don’t know — and therefore can’t prepare for or defend against with conventional tools.
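The approach the preceding paragraphs describe, modeling an environment as a graph of reachable assets and the weaknesses that connect them, enumerating the paths an attacker could take to the “crown jewels”, and re-running the analysis whenever the environment changes, can be shown in a small, self-contained script. The example below is added here to illustrate that idea; it is not code from XM Cyber or from any attack path management product, and the assets, weaknesses and the `attack_paths`, `choke_points`, `remediate` and `new_paths_after_change` functions are all invented for the illustration. It goes one step beyond the text by ranking which single weakness appears on the most paths, the usual way a defender prioritizes remediation.

```python
from collections import defaultdict

# Constructed example environment (not real infrastructure). A directed edge
# (src, dst, weakness) means: an attacker who controls `src` can reach `dst`
# because of the named misconfiguration or vulnerability.
EDGES = [
    ("workstation-01", "fileserver", "reused local admin password"),
    ("workstation-01", "jump-host", "RDP open to all workstations"),
    ("fileserver", "jump-host", "cached domain admin credential"),
    ("jump-host", "cloud-iam-role", "instance profile may assume any role"),
    ("cloud-iam-role", "customer-db", "role grants full access to customer data"),
    ("fileserver", "backup-server", "SMB share writable by everyone"),
]
FOOTHOLD = "workstation-01"      # assumed initial compromise point
CROWN_JEWEL = "customer-db"      # the asset we most want to protect

# A later environment change (also constructed): a new backup job that stores
# database credentials where the backup server can read them.
NEW_EDGE = ("backup-server", "customer-db", "backup job stores DB credentials in plaintext")


def build_graph(edges):
    """Adjacency list: node -> [(neighbour, weakness), ...]."""
    graph = defaultdict(list)
    for src, dst, weakness in edges:
        graph[src].append((dst, weakness))
    return graph


def attack_paths(edges, start, target):
    """Enumerate every simple path from `start` to `target`.

    Each path is a list of (src, dst, weakness) steps. Depth-first search with
    a visited set keeps the paths simple (no asset revisited)."""
    graph = build_graph(edges)
    paths = []

    def dfs(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for dst, weakness in graph[node]:
            if dst in visited:
                continue
            visited.add(dst)
            path.append((node, dst, weakness))
            dfs(dst, visited, path)
            path.pop()
            visited.discard(dst)

    dfs(start, {start}, [])
    return paths


def choke_points(paths):
    """Rank steps by how many attack paths traverse them.

    A step shared by every path is the best single remediation: fixing it
    cuts all of those paths at once. Ties are broken alphabetically so the
    ranking is deterministic."""
    counts = defaultdict(int)
    for path in paths:
        for step in path:
            counts[step] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def remediate(edges, step):
    """Return the edge list with one weakness fixed (the step removed)."""
    return [edge for edge in edges if edge != step]


def new_paths_after_change(before, after, start, target):
    """Continuous mode: report paths to the target that exist after a change
    but did not exist before it. This is what an episodic test would miss."""
    old = {tuple(p) for p in attack_paths(before, start, target)}
    return [p for p in attack_paths(after, start, target) if tuple(p) not in old]


if __name__ == "__main__":
    paths = attack_paths(EDGES, FOOTHOLD, CROWN_JEWEL)
    print(f"{len(paths)} attack path(s) from {FOOTHOLD} to {CROWN_JEWEL}")
    for path in paths:
        print("  " + " -> ".join([path[0][0]] + [dst for _, dst, _ in path]))
    top_step, hits = choke_points(paths)[0]
    print(f"top choke point (on {hits} path(s)): {top_step}")
    fixed = remediate(EDGES, top_step)
    print(f"after fixing it: {len(attack_paths(fixed, FOOTHOLD, CROWN_JEWEL))} path(s)")
    # The environment changes; re-run instead of waiting for the next pen test.
    for path in new_paths_after_change(fixed, fixed + [NEW_EDGE], FOOTHOLD, CROWN_JEWEL):
        print("NEW path opened by change: " + " -> ".join([path[0][0]] + [dst for _, dst, _ in path]))
```

In the constructed environment two paths lead to `customer-db`, both through the over-privileged cloud role, so fixing that single step closes both. Adding the new backup-server edge afterwards reopens a route through the file server, which is exactly the kind of gap that appears between episodic tests and is caught only by re-running the analysis on every change.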
About the author
Shay Siksik has been a cybersecurity evangelist for more than a decade, always with a passion for customer service, process improvement, and information security. Prior to joining XM Cyber, he worked for seven years at Skybox Security, where he reached the position of Global Director of Solutions Architecture, before eventually moving to Cato to run the Security Services. He started his career with the Israel Defense Forces, where he was a Network Security Team Leader for several years.