Pivoting From Cyber Security to Cyber Defense

I recently had the chance to respond to a LinkedIn post from Larry Cole about terminology for Cyber Security vs Cyber Defense. The conversation with Larry really hits home regarding what we are all doing with technology and services: defending what we consider valuable. I think we have all been wrong in calling it Cyber Security. It’s time to start saying Cyber Defense and act accordingly.

Let’s consider the impact of the distributed encryption attacks like WannaCry, Petya, NotPetya and all the other variants. They have been using encryption offensively to attack what we consider valuable: the information that we use and technology to create, distribute, and enrich ourselves in both a corporate or personal way.

Before we go too much farther, let’s clarify some definitions for “Security” and “Defense” so we can use that to drive the rest of this post. For fun, let’s also throw in one more word: “Attack.”

  • Security: The state of being free from danger or threat.
  • Defense: The action of defending from or resisting attack.
  • Attack: An aggressive and violent action against a person or place.

If we apply “Cyber” to either definition, we start seeing how a word changes perspective and objectives. Cyber Security speaks to solutions that make you free from danger or threat. Cyber Defense speaks to solutions that actively resist attack.

Before we dive into what active resistance means, let’s look at recent ransomware attacks. Considering how WannaCry, Petya, and NotPetya were deployed, each package had objectives whether financial or otherwise. In terms of the NSA tools released by the Shadow Brokers, they were delivery systems as defined by The Register here.

These tools were developed by the NSA to deliver exploits in SMB1, SMB2, RDP, IMAP payloads that attack systems to destroy, disrupt, or disable targeted systems. WannaCry, Peyta, and NotPetya’s use of encryption as an attack against businesses and individuals are not particularly sophisticated despite being effective. This is made self-evident by the challenges the attackers had in coordinating the release of key material for those who opted to pay the ransom. In the case of NotPetya, it looks like the payment behavior isn’t even a working feature – they need better QA\QC. So what we have is the equivalent of a North Korean warhead on an American Missile.

Even with the less-than-stellar attack payloads, these weapons took advantage of systems and orchestrated an attack that took advantage of how we work – by exploiting flaws in earlier versions of communications protocols like SMB1. This presents a challenge to anti-virus, firewalls, and other technologies that focus on observation and restriction. The cyber security challenge in light of the above creates a scenario where technology’s requirement to deliver “freedom from threat” correlates with “inability to work”. If we can’t work, what’s the point?

But there is hope! The concept of Cyber Defense — Cyber Active Resistance, can be applied with the same construct as the delivery systems used by the recent spike in ransomware attacks.  Just like on the battlefield, Cyber Defense is an act in coordination and resistance. The differences are what technology is used and how the technologies are coordinated to respond to a threat. Just as soldiers have the means to coordinate artillery, machine guns, and grenade launchers to respond to an attack, we need the capacity to coordinate the myriad of cyber security technologies such as firewalls, systems management, identity management, and encryption management to address cyber threats as they occur. At Fornetix, when we say Key Orchestration, we mean coordinated, actively controlled key management. We learned that if you use standard protocols (KMIP, PKCS11,CEF, etc) and deploy them to actively interact with other systems beyond the “Want Key / Have Key” paradigm of encryption key management, you create solutions where you can use encryption key management to actively resist — DEFEND — against an attack by allowing the technology to interact, coordinate, and respond to other systems. Demonstrating that existing security technology can be coordinated like NSA capabilities, Racktop’s Secure Data Protection Platform, VMware VSphere, Seagate’s ClustStor CL220 and even tactical radios can use orchestrated encryption key management for coordinated active resistance of attackers. Cyber Defense extends to coordination of patching strategy, leveraging analytics and machine learning, and even how we assert our identity. Each security technology plays its part and becomes an asset to coordinate to respond to Cyber Attacks as they occur. Coordinated, Orchestrated Defense lets us work with confidence, knowing that the enemy at the gates will be answered.

Ladies and Gentlemen: Cyber Security is dead, long live Cyber Defense.