In the decades since cybersecurity became a key priority for companies and federal government agencies alike, we have witnessed a necessary evolution in information security doctrine and strategies. For years, layered data protection tools – from perimeter defense to identity management – have dominated the cyber protection field by positioning organizations on the defensive against both malign external actors and insider threats. Increasingly though, the data protection and information security industry is pivoting towards an approach that empowers organizations’ critical data to self-protect against a wide spectrum of cyber threats, including ransomware attacks like the one that targeted nearly two dozen Texas communities last month.
In its earliest days, the information security industry built cyber protection solutions guided entirely by the castle and moat approach. The thinking went, if organizations and their IT staffs dug deep moats around their network castles via secure firewalls, they could keep cyber intruders at bay and prevent bad actors from accessing sensitive information.
Over time though, as cyber attacks have consistently breached or circumvented firewalls, IT professionals recognized the castle and moat approach was insufficient on its own. This reckoning is not only due to the increasing complexity of cyber threat vectors themselves, but also the inevitability of human error. The human interface has proven to be one of the weakest links in cybersecurity strategies. In fact, a 2019 study found nearly a third of data breaches involve spear-phishing tactics, and human-based errors have a causal role in more than a fifth of breaches. IT departments must realize – and already have, in many cases – that even the most robust perimeter defenses are only as strong as the human beings responsible for adhering to good cyber hygiene protocols.
As industry thinking evolved to reflect these realities, so did the tools. Organizations, particularly those within the federal government, began to couple firewalls with fresh tools designed to root out threats within the network perimeter. Solutions that identify vulnerabilities across assets and manage those vulnerabilities through regular system updates and application patches proliferated.
Around the same time, solutions aimed at monitoring the activity of those with access to networks and data also entered the cyber protection scene. Companies like ArcSight and Splunk began marketing security information and event management (SIEM) and log analysis products that provide insight into network user behavior. Armed with knowledge of who is accessing systems within their environment, the cadence of that access, and what activities individuals perform while on devices, organizations thought they would be better equipped to detect and respond to anomalies and suspicious behavior. In reality though, user access tracking has proven most helpful in post-mortem situations (i.e. after attacks have already occurred) to identify the specifics of a breach, rather than preventing malicious behavior in the first place.
With the ability to monitor user behavior, organizations recognized a related and even more complex problem set: how to ensure those accessing data and systems really are who they claim to be. Enter identity and personnel management tools, like multi-factor authentication, that help organizations implement a zero trust framework based on the principle of “never trust, always verify.”
Cross-cutting across all these layers of defense, solutions emerged from Palo Alto Networks and others that focused on the security of data in transit in and out of organizations, to both the cloud and outside networks.
As the illustration at the top of this post shows, these tools represent a security posture in retreat. Concentric layers of defense keep getting closer and closer to the asset that matters most: data. But what if that data – the lifeblood of every organization – could proactively protect itself against threats, both external and internal?
The concept of self-protecting data – data that can understand who should have access to it and automatically shield itself from those who should not – is gaining traction and real-world application, as the cyber protection industry explores innovative data encryption and access models, as well as artificial intelligence and machine learning capabilities. Virtru products, for example, allow content creators and network administrators to enforce limitations on data shared both within and outside an organization’s perimeter, preventing certain users from forwarding, copying, or editing information. Primary users can encrypt or even timebomb documents, ensuring only the right viewers have access to information and only for a set period of time.
Another prime example of the self-protection concept in action is Acronis SCS’s Backup 12.5. Using built-in technology called Active Protection, our backup solution automatically detects abnormalities in behavior (like mass data encryption, the trademark of a ransomware incursion), immediately halting and reversing the effects of an attack at the outset and preventing costly downtime or data loss. Best of all, the solution uses AI to learn from every encounter, future-proofing your data against an ever-growing array of threat vectors. For more details on how self-protecting solutions can work in tandem, check out a recent webinar we recorded with Virtru, which explores the topic through the lens of cloud migration.
These self-protecting solutions are just the tip of the proverbial iceberg. We predict many more innovative tools are in store for the industry, particularly as organizations continue to experience the limitations associated with a purely defensive cyber protection posture.
The increasing relevancy and efficacy of self-protecting data does not necessarily relegate defensive tools to the back bench. Firewalls, vulnerability detection and management, SIEM and log analytics, and identity/personnel management all have their place in the larger cyber protection landscape, but they are no longer the only avenues available to organizations. Nor should they be the only tools in use, if organizations want to insulate themselves from further attacks and stay cyber fit.
This necessary shift in doctrinal thinking also demands organizations rethink how they allocate IT and security resources. Solutions traditionally budgeted within operational assurance spending, like backup and recovery tools, may now be a better fit in overall public security and/or cybersecurity spend buckets. By recategorizing budgets this way, organizations are more likely to recognize self-protecting solutions as formidable weapons in their information security arsenals, rather than necessary evils.
The evolution from an outward-in approach to one predicated on an inward-out perspective is not unique to the cybersecurity space. Following 9/11, our nation went through a similar doctrinal shift – in the homeland security and defense fields. What began as an outward-facing effort to prevent further attack with the invasion of Afghanistan has grown to include a more internally-focused and self-protecting model, first with the creation of the Department of Homeland Security and then with increasing awareness of and protection against homegrown and US-based threats (the creation of tools like this intelligence community booklet sheds light on this shift).
Both perimeter-based defenses and inward-focused approaches have remained important within US homeland security doctrine in recent years, yet it has become increasingly clear a strategy focused solely on outward elements is insufficient. Those same doctrinal lessons translate to the cybersecurity field. After all, the constant cyber attacks targeting all levels of our government represent a new warfare domain that – while different than the type of war being waged on foreign shores in the land domain – is no less worthy of strategic thinking or doctrinal scrutiny. In fact, perhaps even more so, considering the sheer expansiveness of the cyber domain and its wide net of victims. IT professionals and cyber policymakers alike would do well to learn from similar doctrinal shifts of the past – and apply the relevant lessons sooner rather than later.