“Which one do I do?”
That’s a common question Steve Akers, Clearwater Corporate CISO and CTO for Managed Security Services, says he gets when people think about proactive and reactive cybersecurity strategies.
The answer is both. It’s a hybrid approach.
But what exactly is hybrid resiliency? That’s what Akers and Dave Bailey, Vice President of Consulting Services at Clearwater, spoke about recently during February’s Cyber Briefing, a virtual monthly meeting hosted by Clearwater that discusses current events and trending news for healthcare privacy, cybersecurity, IT audits, and compliance.
As cybersecurity has evolved, Akers says there has always been a balance between reactive and proactive cyber strategies. Traditionally, that was a perimeter-based approach grounded in physical security like firewalls. But, over time, the modern attack surface has expanded, and that approach is no longer effective.
Today’s evolving attack surface now includes everything from IT to OT, the cloud and more, requiring both proactive and reactive measures to ward off potential attacks-and to be able to respond when one occurs.
Reactive vs. Proactive Security
What sets reactive and proactive security apart?
Reactive security is in response to a cyber event. It’s what happens after you’ve incurred a cyberattack or breach.
With reactive security, you know what’s happened, so you instantly move into incident response, for example, forcing password resets. This is where your teams look closely at your events and logs to analyze what happened and how to stop it.
“Reactive serves a purpose,” Akers says. “It’s helping to manage the threat and damage focus.”
And, if done correctly, he added, you learn things to prevent similar attacks from taking hold organizationally.
But reactive security should never be a standalone strategy.
The modern threat landscape is just too large for one approach. If your organization constantly operates in reactive mode, your teams will get bogged down in one area while new issues constantly appear elsewhere.
“It’s too hard of an activity to take on,” Akers says, adding that, ultimately, teams never get enough time for strategic thinking and planning.
“It’s an excellent point,” Bailey says. “The reality that we are living in today is that in the past, I think there was an evolution where time was not necessarily a factor in how you could be either reactive or proactive. I think today we are recognizing that with the threat landscape, that timeframe is condensed. The threats, landscape, and how extensive and destructive the attacks can be affects your ability to either be proactive and get in front of it or to be able to react to it. We are seeing it in the number of disruptive acts inside the healthcare industry, with organizations being down for weeks on end. I think it’s time everyone focuses on a balance between reacting to the incident and getting in front of it to minimize the impacts.”
In many cases, he says, teams are in a constant state of being reactive and get burned out. They can’t react to everything. It’s getting too big. So, having some other options, like a proactive strategy, is important.
So, what’s proactive security?
Proactive security takes steps to pre-emptively predict and identify potential cyber issues before they happen. For example, penetration testing, threat hunting, awareness training, anomaly detection, and machine learning.
“It’s about prevention focus,” Akers says.
If done correctly, a proactive security strategy should reduce event impact and attacker dwell times.
And, looking at the landscape across the board, this is where most organizations make the largest technical investments. This approach yields many benefits, such as reducing responder burnout, improving compliance, detecting potential breaches, and finding security gaps before attackers can exploit them.
It can also uncover a common and sometimes overlooked security issue-the human factor.
“Right now, it’s the human beings-your employees, workforce, the folks running your business-that threat actors are ultimately trying to take advantage of,” Bailey explains. “And I don’t mean weakness negatively. I mean weakness in the sense of how the threat actor starts my attack. They’re asking, “can I use things like phishing and social engineering and things to take advantage of how you conduct your business to drop that malware or have someone open that link and have me start that attack?””
The Evolution: A Hybrid Approach
Neither strategy is wholly effective alone.
Akers says that modern threats require a modern approach to cybersecurity, so you must implement proactive and reactive measures.
Sometimes that’s a delicate balance, but investments in both are necessary.
So, how do you keep the scales balanced? You focus on the outcomes you want to achieve to drive strategy and growth.
Ask: What must we do for proactive and reactive to meet those goals?
To do so, take into consideration the limitations of your organization, such as:
- Technical capabilities
- Staff skill set, time, other responsibilities
“Threats and attackers are changing almost every day,” Akers says, “you have to evolve with them.”
And, just like the evolution of cybersecurity, this process will take time. You don’t have to do everything in one day. In healthcare, reasonable and appropriate progress is the measuring stick for long-term resiliency.
TAVE Your Way to Hybrid Resiliency
Drawing on experiences in the manufacturing industry, Akers offers an easy-to-remember approach to implementing a hybrid approach effectively. It’s called TAVE:
Traceability: Ability to track from any event back to the point of origin and know who did what/when
Accountability: Ability to impart trust and measure that people, processes, and technologies are executing proper safeguards
Visibility: Ability to see actively what is happening at the moment and adopt controls to address that
Enforceability: Ability to control or apply rules to achieve desired outcomes
A TAVE approach can help you mature cyber strategies to include both reactive and proactive measures, but in a consumable way, not all at once.
Here’s an example of how it might work:
First, outline all of your organization’s threat factors. Ask: What are our attack pathways? For example, people, your network, endpoints, software, etc.
Then, look at those attack pathways from proactive and reactive viewpoints.
From there, across your organization’s threat vectors, think about the greatest risks to your organization. Ask:
- Do we have controls in place to address them?
- Where are they?
- Do they function as intended?
- What would we do if they fail? ,
- Do we have controls that enable traceability, for example, logging?
- Do the logs have what we need?
Thinking about these questions is a proactive approach to cybersecurity.
Next, look at them from a reactive perspective.
For example, you have logs for traceability. When there is an anomaly, your system sends alerts. Those alerts enable you to move forward with reactive measures.
For each attack pathway, look at each area and your control set criteria, and think about TAVE. You don’t have to have an answer for every area, but if you do, that’s likely a good indication that you’ve got a solid security framework in place. TAVE can also help you identify where you have security gaps, so you make plans to address them.
Remember: there is no such thing as only protecting “what’s important.” Threat actors don’t care how they enter your systems and network. You must instead look at it from an attack pathway perspective.
Akers explains that if an attack pathway exists, you should make sure you’re addressing it, regardless of asset value.
From a reactive perspective, understand in detail how your organization would respond to a breach. Ask:
- Who will do what and when?
- If the appropriate response protocol is not used, what will happen?
- What do we do next?
And, maybe most importantly, routinely practice your response protocols. The last thing you want is your team making decisions on the go and under duress. With practice, your team should know exactly what to do before you experience a real-world cyber event.
“If you’ve never had to use your plan, you have absolutely no idea whether that plan can minimize the impact,” Bailey says.
That’s why it’s important to practice and rehearse. It’s likely your organization has made sizable investments in controls, so you want to ensure they work as designed. This won’t eliminate your risk, but done well, it should minimize an event’s impact.
Putting It Into Action
So, how do you put these concepts to work for your organization?
First, identify a baseline of network operations. Understand how your network, people, and processes function. That gives you visibility. Then, once you understand the depth of your visibility, think about how environmental changes can impact your abilities to detect and respond to a cyber event.
From there, implement detection processes into your change management procedures. Ask: How will this affect our baselines of operations?
Then, validate the effectiveness of your implemented controls.
You don’t have to go at this alone. Think in terms of partner collaboration throughout the lifecycle. Ask:
- Which technologies and partners do we have?
- Are we maximizing services and capabilities?
- Are they effective?
- How might a threat actor attempt to attack us?
Focus on areas of high risk and high impact and look for steps to minimize threat impact. And, of course, stay on top of the evolving threat landscape to understand how it influences and determines risk.
NIST CSF Can Help
If you need help building your hybrid reactive/proactive strategies, consider the NIST Cybersecurity Framework. It can help you understand which controls put your organization at least possible risk.
Also, consider working with a trusted third party to evaluate your risk exposure and security posture.
A third party can help evaluate what’s working well, where you have gaps, and what you can do to resolve those issues. Look for a partner who goes beyond standard vulnerability assessments and penetration tests. Seek a partner who can help you address your frameworks, controls, and sub-controls across your entire organization, help you conduct a thorough risk analysis, and offer support for ongoing risk management.
Ultimately, neither proactive nor reactive approaches can exist independently in a modern risk management program.
“You need to spend time and resources on both,” Akers says, reminding that:
- Proactive done properly provides more scalability.
- Reactive provides the best options to minimize damage if an event happens (if you’ve done proactive work to help that).
“A balanced, well thought-out hybrid approach across the many attack vectors will maximize resiliency.”