Below are the discussion posts for Richard Bocchinfuso.
“Reactive or Proactive?”
As technology professionals and astute human beings, I believe that we always strive to be proactive (at least I hope so); honestly, in today’s world to say you have a reactive strategy to security is almost taboo. We see this in all aspects of IT: the sysadmin (operations team) and developer roles have been collapsed into a DevOps or SRE (Site Reliability Engineering) role with a focus on instrumentation, analysis, automation, and self-healing. We are seeing these DevOps philosophies make their way into the security realm despite the cloak and dagger InfoSec folks. Relying on reactive strategies where action only occurs following an incident has become almost unacceptable. Yes, we still have incident response plans, but the plan is to proactively thwart incidents, avoiding having to enact the dreaded incident response plan. We instrument, monitor and automate to avoid reactive response. From an evolutionary perspective, the automation takes the longest. Some might say that if you are actively hunting for threats you have a proactive approach, but I would say that if you don’t automate analysis and response, you still have a reactive process. (Contributor, 2017)
Instrumentation, monitoring, thresholding and automating response is a technique we try to use to avoid the reactive fire drill. When we think about what it takes to build a proactive system, it requires commitment. To build a system which continuously learns is not easy; it requires massive data sets, anomaly detection, and automated response. In the area of security, Machine Learning (ML), Deep Learning (DL) and Artificial Intelligence (AI) will play a critical role in the transition from a reactive to a proactive response which can aggregate and analyze variables on multiple vectors and infer intent. (Lomonaco, 2017)
When we look at security we can see attacks which have identifiable variables and thresholds managed proactively; an example is DDoS attack mitigation. For instance, a cloud provider known as OVH has built a robust DDoS attack mitigation strategy. This strategy depends on instrumentation, real-time traffic monitoring and analysis, anomaly detection and automated response.
The real-time analysis identifies the attack traffic, and this traffic is redirected to the VAC while legit traffic flows to the target server. As systems continue to mature we will see more complex behavioral patterns analyzed in real time, and inference engines will make decisions about how to proactively respond. The market is moving very fast right now.
Side Note: If you have not watched the Joe Rogan interview with Elon Musk, you should. Musk’s discussion on how AI will become an extension of the cortex and limbic system once we solve the data rate problem is awesome.
Contributor. (2017, July 24). The Shifting Data Protection Paradigm: Proactive vs. Reactive. Retrieved September 19, 2018, from https://devops.com/shifting-data-protection-paradigm-proactive-vs-reactive/
HelpSystems. (2016, August 19). Is Your IT Systems Management Reactive or Proactive? Retrieved September 19, 2018, from https://www.helpsystems.com/blog/your-it-systems-management-reactive-or-proactive
Lomonaco, V. (2017, October 04). Why Continual Learning is the key towards Machine Intelligence. Retrieved September 19, 2018, from https://medium.com/@vlomonaco/why-continuous-learning-is-the-key-towards-machine-intelligence-1851cb57c308
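The mitigation loop the post above describes (baseline normal traffic, detect the anomaly against a threshold, divert the offending source to scrubbing while legitimate traffic still reaches the origin), as an added illustration that is not part of the original post or of OVH's system; the detector, the RFC 5737 documentation addresses and the traffic windows are all constructed for this example.

```python
from collections import Counter
from statistics import mean, pstdev


def rates_per_source(records, window_seconds):
    """Per-source request rate (req/s) over a window of (second, source_ip) records."""
    counts = Counter(ip for _, ip in records)
    return {ip: n / window_seconds for ip, n in counts.items()}


def build_baseline(records, window_seconds):
    """Summarise 'normal' per-source rates as mean and population stdev."""
    rates = list(rates_per_source(records, window_seconds).values())
    return {"mean": mean(rates), "stdev": pstdev(rates)}


def classify(records, window_seconds, baseline, k=3.0, min_spread=1.0):
    """Split sources into (diverted, passed).

    A source is diverted to scrubbing (the VAC role) when its rate exceeds
    mean + k * stdev of the baseline; min_spread stops a near-zero baseline
    stdev from turning ordinary jitter into an alert.
    """
    threshold = baseline["mean"] + k * max(baseline["stdev"], min_spread)
    rates = rates_per_source(records, window_seconds)
    diverted = {ip for ip, r in rates.items() if r > threshold}
    return diverted, set(rates) - diverted


def _synth(ip, per_second, seconds):
    """Constructed traffic: `per_second` records per second for `seconds` seconds."""
    return [(s, ip) for s in range(seconds) for _ in range(per_second)]


# Constructed sample windows (hypothetical addresses from the RFC 5737 ranges).
WINDOW = 10
BASELINE_TRAFFIC = (_synth("192.0.2.10", 2, WINDOW) + _synth("192.0.2.11", 3, WINDOW)
                    + _synth("192.0.2.12", 4, WINDOW))
LIVE_TRAFFIC = (_synth("192.0.2.10", 3, WINDOW) + _synth("192.0.2.11", 4, WINDOW)
                + _synth("198.51.100.7", 50, WINDOW))


def run():
    """Baseline on the quiet window, then classify the live window."""
    baseline = build_baseline(BASELINE_TRAFFIC, WINDOW)
    return classify(LIVE_TRAFFIC, WINDOW, baseline)


if __name__ == "__main__":
    diverted, passed = run()
    print("diverted to scrubbing:", sorted(diverted))
    print("passed to origin:", sorted(passed))
```

The automated step here is only the routing decision; in a real deployment the diversion would be an actual route or filter change, and the baseline would be refreshed continuously rather than computed once.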
Scott, as I think about my day-to-day, our legacy security practices, which some might consider “proactive”, tend to be more routine maintenance activities than “proactive” action based on instrumentation and metrics which provide identification of anomalous behavior and use inference to proactively mitigate a threat. An example is our security patching process which we use:
Using the Common Vulnerability Scoring System (CVSS), we have a process for patching the threat, but what if this is a zero-day exploit? The only path to a proactive approach is baselining normal behavior, instrumentation, anomaly detection, inference and some action (automated proactive response).
I like Andrew’s automobile analogy; I just struggle with calling an oil change a proactive security practice. The use of audit tools like Lynis and vulnerability audit tools like OpenVAS may be akin to the oil change, but when I think proactive I think about a collision avoidance system or an autonomous vehicle; these systems are able to take input in real time and make proactive decisions.
FWIW, I have yet to see a situation where cyber insurance has prompted an organization to improve their security posture. Adding insurance just changes the organizational risk equation, IMO not in favor of improved security, although I suppose it does help with the regulation and enforcement of a baseline.
Scott, I think you make a great point about defining proactive and reactive. I agree with your definitions; I think where I struggle is the variance in acceptable “proactive” approaches. As we learned this week, much of this is dependent on best practices and best effort, which are defined by relative measures within a given industry. With just about every industry today gathering and storing personal data, I think it may be time to have a basic requirement for a proactive approach: hunting down that which you can’t see, when you don’t know what you are looking for, requires a level of sophistication that many industries have not adopted. Regulations like GDPR are imposing certain requirements regarding privacy on just about every industry.
I think of term life insurance as a reactive plan. I have a reactive plan should the unpredictable happen, because anything can happen, but hopefully I am being proactive enough to avoid needing term life insurance. 🙂
Monique, good point on the ineffectiveness of reactive practice when it comes to APTs (Advanced Persistent Threats). In the world of APTs we can’t react fast enough, because while we’re busy reacting the attackers are continuing their crusade. We’ve seen attacks like the attack that took place against Code Spaces (Goldman, 2014), where a DDoS attack enacted a reactive mitigation plan; while Code Spaces was busy reacting to the DDoS attack, the attackers were busy gaining control of Code Spaces’ AWS EC2 control panel. The attacker essentially ransomed all of Code Spaces’ digital assets and put them out of business.
Goldman, J. (2014, June 23). Code Spaces Destroyed by Cyber Attack. Retrieved September 23, 2018, from https://www.esecurityplanet.com/network-security/code-spaces-destroyed-by-cyber-attack.html
David, great reactive Mr. Mom reference. Those of us with children know that playing catch-up with a reactive approach is a recipe for disaster.
I would bet those with a reactive approach also do so with a “220, 221. Whatever it takes. Honey if you call and I’m not home I’ll be at the gym or the gun club.” approach.