Pivoting From Cyber Security to Cyber Defense — Part 2

It’s been a little over a year since exclaiming that Cyber Security is dead. In that year, we have seen broader acceptance of terms like Defense and Resiliency. We have even seen attempts to pass laws that are the cyber equivalent of the “castle doctrine” for home defense. All that aside, one term that is starting to show up in this space is Orchestration. In practice, tools that support AI, machine learning, or analytics are turning to the term Orchestration to address what happens next. Applying the OODA loop (Observe, Orient, Decide, Act) is an easy way to look at this — if SIEM, AI, machine learning, big data, etc. are about Observe and Orient, then Orchestration is about Decide and Act.

Yes, that’s right — Orchestration. To quote, well, myself from a year ago: “At Fornetix, when we say key orchestration, we mean coordinated, actively-controlled key management.” So today’s blog is more a practical guide to some scenarios on how to use VaultCore to orchestrate keys as part of actively resisting a threat.

As always, let’s start by defining Cyber Defense objectives:

  • Detect: Determine if you are being attacked, determine if a high-value target is being attacked.
  • Deny: Remove availability of an asset or service that an attacker wants.
  • Disrupt: Stop the process of an attack.
  • Mitigate: Render the attack ineffective. This can also happen pre-emptively.
  • Discover: Determine the source of the attack, increase the risk of exposure.

With those effects defined, let’s provide some traceability for VaultCore:


  • Outbound Syslog in CEF format makes it easier to configure SIEMs to detect when VaultCore functions (key management or otherwise are detected)
  • Detection is a place where VaultCore contributes. As noted with Discovery, it is not one product that adequately discovers a threat — it is a plethora of products working together. This demonstrates the importance of interoperability.


  • Move a client to node – Deny client access to keys via positional security and policy
  • Remove access to key material – Positional security as a mandatory access control prevents access
  • Add or remove policy to halt the ability for an attacker to get anything (think data-at-rest applications)
  • Change keys on network infrastructure for IPSEC tunnels, VPNs, etc. 


  • Key rotation operation – Change system’s cryptography to disrupt communications
  • Selective rekeying of systems – Send keys to safe systems and isolate compromised systems
  • KO Start and KO Stop – KMIP extensions that can be used by a plugin to trigger remote function
  • Change keys on network infrastructure for IPSEC, MACsec, VPNs, etc. This is very simple, but very effective use of the VaultCore technology. By simply changing some keys you can isolate systems, allowing for quicker recovery. Instead of changing network configurations you simply put the original keys back.


  • Use of policy to implement least privilege for operations – Specify operations, key types, sizes and attributes to meet needs
  • Cryptographic integrity and attestation – Using sign/verify, MAC, and HASH functions
  • Split/Join key operations to complicate insider threat and APT attacks on critical data
  • Simply having the ability to automate key management for a repeatable effect works wonders in mitigating threats. The ability to change a key like changing a password especially has ramifications in IoT applications where the key plays a dual role identity and authorization


  • CEF logging + secure key store – Minimally double the targets necessary to compromise a system
  • The more systems that have to be compromised, the greater the risk of exposure to a given attacker. In this case VaultCore is contributing to an effect vs the sole provider of the effect. Given that in this case we are talking about discovering who attacked you, short of looking at the person as they were doing it or having a miracle product (snake-oil) that can discover everything on its own, Discovery is a team sport.
  • With these effects in mind, we can start considering a scenario that shows how to deploy VaultCore to create these before-mentioned Cyber Defense effects. In Part 3 of this blog, we will look at what happens when encryption key lifecycle is orchestrated as part of a response to a combination ransomware and APT attack.

As you can see from the list outlined above, taking general concepts or ideas and placing practical technology around them is critical when addressing the move from cyber security to cyber defense. Otherwise, it’s just another buzzword running its course.

To see these concepts in action and learn more about how Fornetix can help your organization, request a demo today.

Note: This entry has been edited to reflect the ‘Key Orchestration’ solution name becoming ‘VaultCore’