Active vs. Passive Cyber Security

By Roddy.

There is a lot of confusing – or inconsistent – terminology in cyber security (‘Tactics’ in the MITRE Att@ck framework?). It might look like this piece is introducing even more potential confusion but I think that distinguishing active from passive security is useful.

Cyber security is about lots of things but, ultimately, it is about applying – guided by risk management – security controls to protect information assets from cyber threats. We design secure systems, build them securely, protect them with security technology such as TPMs, firewalls, Intrusion Detection/Prevention devices and SIEMs, and with human-focused controls such as policies, training and physical security. That’s all great. These are valuable tools which, correctly configured and managed, can substantially reduce the risk of a successful cyberattack.

However, most security controls – including the ones mentioned above – are passive: we put them in place, configure them and leave them to do their work. Sure, we update software (or set up automatic updates if we trust the suppliers(!?)) and rules for firewall and ID/PS, but, once applied, these controls are largely left to run. We all know that this leaves risks. All these security controls can fail. For example:

• Latent vulnerabilities hide in the most carefully written code, even in firmware and hardware-encapsulated logic;
• New types of attack and new vectors emerge, undermining the effectiveness of firewalls and ID/PS devices;
• People ignore policies or find ways around procedures;
• Locks and alarms are ineffective if there is no one to spot interference or a breach.

The answer to these deficiencies is active cyber security. What’s this? It is not active cyber defence (attacking the attackers) or other kinds of cyber operations. It is the human-led cyber controls: threat intelligence, security monitoring, incident management, digital forensics, security testing, security reviews (maybe in a Plan, Do, Study, Act cycle). These controls keep humans in the loop, allowing us to spot, with our cyber security skills, failures in the installed security controls. Sure, we use technology within each of these activities but it is the human element which is essential.

Could AI replace most or all of the human involvement? Systems like DarkTrace’s provide supposedly intelligent interpretation of indicators of compromise and potential security events, and update their own rules. But, given what creativity and hallucinations we have seen that some AI systems are capable of, can we fully trust AI in the security context? If the AI is effectively tasked, it will reliably follow instructions, finding anomalies far faster than a person could. But it is constrained by the rules it has been given and cannot ‘think’ outside these and identify new types of anomalies. If it is partly or largely self-learning it can be innovative and evolve its practice, but then we don’t know exactly what it is doing or, most importantly with advanced AI, what its true motivation is? Does it really want to protect our assets or is it more interested in learning more, or in winning an unknown game according to rules we do not know. I’m not picking on AI; I recognise that it can already do some clever things and will very likely do even more of these soon. All technology, whether a humble operating system patch or AI, can be very useful, in cyber security as in almost every domain. But we need active management of the technology by skilled people whose thinking and motivation we can understand.