Evaluating progress of defenders through a security framework

In a thought-provoking session at Black Hat 2024, the age-old question of whether defenders are winning the battle against cybercriminals was addressed by Jason Healey, a senior research scholar at Columbia University’s School for International and Public Affairs. With his extensive background in cybersecurity, including founding initiatives like the Office of the National Cyber Director, Healey presented a framework aimed at evaluating the success of defenders in the ongoing fight against cyber threats.

Healey’s inspiration for developing this framework stemmed from discovering decades-old quotes highlighting the persistent challenge of the attacker advantage in cybersecurity. Despite decades of investment and effort in the field, security practitioners still feel like they are playing catch-up with cyber adversaries. This realization sparked Healey’s determination to assess and improve the effectiveness of defenders in thwarting cyber threats.

While acknowledging that some progress has been made in enhancing cybersecurity defenses, Healey emphasized the need to shift the balance in favor of defenders. One key aspect of this shift involves enhancing the data used to assess the performance of defenders and attackers. Healey’s framework, although unnamed at the time of his discussion with TechTarget Editorial, comprises a set of indicators and data points to measure cybersecurity effectiveness.

Existing data points like mean time to detect have been crucial in evaluating defender performance over the years. However, Healey advocated for the development of additional metrics, such as “mean time between catastrophes,” to provide a more comprehensive picture of cybersecurity resilience. Zero-day activity, the assessed impact of cyberattacks, and the severity of breaches are also tracked in the proposed framework to gauge defender-adversary dynamics more accurately.

Healey highlighted the importance of understanding how threat actors adapt to defender actions as a key indicator of cybersecurity effectiveness. By disrupting adversaries effectively, defenders should observe changes in adversary tactics, with adversaries resorting to more complex and costly techniques to evade detection. The goal is to create a dynamic where threat actors are compelled to constantly adjust to defenders’ strategies, ultimately tipping the balance in favor of defenders.

Despite acknowledging the continuous evolution and adaptation in the cybersecurity landscape, Healey emphasized the importance of striving for a defensive advantage. He conceded that defense may never achieve outright victory over cyber threats; the goal is instead to establish a standard where threat actors are consistently challenged and forced to expend maximum effort to bypass defenses. The dynamic interplay between defenders and adversaries is likened to an evolutionary arms race, emphasizing the need for continuous innovation and vigilance in cybersecurity practices.

In conclusion, Healey’s session at Black Hat 2024 shed light on the complex and ever-evolving nature of cybersecurity defense. By developing a comprehensive framework to assess defender performance and adversary behavior, Healey aims to drive improvements in cybersecurity resilience and tip the scales in favor of defenders. While the battle between defenders and adversaries may never cease, the pursuit of a defensive advantage remains a crucial objective in the ongoing fight against cyber threats.
