Applying Aristotle’s ‘First Principles’ to revolutionise cybersecurity
Article by Virsec A/NZ regional director Robert Nobilo.
‘First Principles’ is a concept that emerged during the time of Aristotle. He used this approach to break down a complicated problem into its most basic elements and reassemble it from the ground up, using only the irrefutable truths that remain.
Fast forward 2,000 years, and PayPal co-founder Peter Thiel and Netflix CEO Reed Hastings are among a group of industry leaders who use the ‘first principles’ decision-making strategy to build companies that disrupt and improve entire industries.
Today, we can also apply ‘first principles’ to the challenge of cybersecurity. Unfortunately, traditional security approaches that were once effective in preventing basic cyber-attacks are no match for today’s sophisticated adversaries. As the techniques of hackers continue to evolve and become more complex, our approach to security needs an overhaul as well.
First, let’s take a look at why traditional security approaches are outdated and ineffective.
Why traditional security approaches just don’t cut it nowadays
Digital transformation, cloud connectivity and remote work have enabled companies to be more competitive, generate revenue and increase productivity. However, with this connectivity and an expanded attack surface comes increased risk. Cyber threats are also evolving.
A surge in supply chain attacks such as Log4j, SolarWinds, PrintNightmare and Kaseya continues to exploit vulnerabilities in the affected software, impacting millions of users downstream while costing billions of dollars to contain and remediate. These attacks take advantage of hyperconnectivity and application vulnerabilities as gateways to bypass traditional security solutions such as endpoint detection and response (EDR), allowing the adversary to control the software and launch malicious activity in a matter of seconds.
Despite prioritising security and investing in upgrades, CISOs and organisations are falling further behind. Conventional security approaches aren’t effective because they work from the outside in, chasing evolving threats and plugging porous perimeters. This abstracted approach has created an endless game of cyber whack-a-mole: a never-ending race between the security team and the attacker. An attacker needs mere milliseconds to cause harm, not minutes and certainly not days, weeks or months. Consequently, the attacker wins far more often than they should.
Traditional antivirus (AV) tools and web application firewalls (WAF) rely on signatures and policies derived from known attacks to protect software, so they are no match for stealthy attacks whose tactics and techniques evolve constantly. Meanwhile, endpoint protection platforms and EDR tools that rely on machine learning algorithms to signal an attack also can’t keep up with evolving attacker techniques, and they are often laden with false positives.
Given the sheer volume of emerging vulnerabilities, application patching is no longer practical, or even possible, to complete before a vulnerability is exploited. Traditional security approaches also assume that users have complete awareness of all the applications within their environment, as well as a constant understanding of which ones are affected by which vulnerabilities. This is often not the case, especially with unknown, zero-day attacks.
All of these traditional approaches require continuous human intervention to deal with tuning, updating, learning, noise reduction and maintenance. Clearly, this is tedious and impractical, meaning business operations suffer due to bottlenecks and overhead.
The breakthrough security approach: Deterministic Protection
For years, the cybersecurity industry has subscribed to the paradigm of detect, respond, remediate. This model effectively attempts to follow the attacker and react to various malicious activities, using that knowledge to predict what may happen in the future. As evidenced by successful attacks, this model has proven antiquated and unsustainable.
By applying ‘First Principles’, we can discover several fundamental truths about cyber-attacks and how they occur.
The ultimate truth is that every cyber-attack has one thing in common: code. All attacks are executed by planting malicious code; therefore, by focusing specifically on the code and not on the attacker, we have a better chance of blocking any cyber-attack.
Following the cause, as opposed to the effect, has led to the development of a breakthrough type of automated security software called Deterministic Protection, which essentially protects from the ‘inside out’. By understanding exactly how every piece of software is supposed to behave, Deterministic Protection can immediately thwart any deviation from the norm, just as the body’s immune system routinely fights off infection without us even knowing.
Deterministic Protection is the only approach that eradicates even the most dangerous threats, known and unknown, in real time before they can cause any harm.
This breakthrough completely disrupts conventional security approaches by fully mapping and understanding what your software is predetermined to do and immediately stopping what it is not. Deterministic Protection can stop the attacks that bypass conventional tools, blocking adversaries before they can exploit a software vulnerability to gain a foothold, so they never have a chance to install malware or exfiltrate data.
This unique approach gives organisations full protection, whether applications sit on-premises or in container, cloud, or hybrid environments, giving them full control over when they decide to patch or update their software. No more tedious tail-chasing!
So why are businesses still investing in traditional security tools that don’t function effectively?
Why Deterministic Protection is the mindset shift the security industry needs
The security industry has reached an inflection point where the amount of money being spent on security is no longer actually offering better protection. Bad actors continue to innovate, and incremental response simply lacks the sophistication to keep up with this innovation.
Security practitioners are exhausted at the failed promise of ‘protection’ when many vendors merely offer alerts after an attack. As we can see from Log4j, PrintNightmare and other recent headline-making attacks, this approach is not working.
Today’s cyber security needs a first principles way of thinking to solve the problem. We must move toward a deterministic approach to security.