From personal experience I can definitively say that there is no such thing as 100% cyber security. As we can see from the ever-growing number of cyber attacks, every organization has some weaknesses that cyber attackers can exploit. It is just a question of whether attackers can find them.
Cyber attackers think holistically in graphs, not lists. Attacks are not single-shot, straightforward activities; attackers look for any weakness that can give them a foothold or the ability to advance. They don’t care if the weakness is caused by a missed patch, a misconfiguration, or a weak password. It is all fair game. They don’t care if the initial breach is on the target device or some other system. What sometimes looks to the untrained eye like random activity can be attackers moving about looking for a foothold that brings them a step closer to obtaining their target – something they can exploit or steal. In the adversarial cyber defense world, the best you can do is to make your systems and network as resilient to cyber-attacks as possible.
Resilience relies on the ability to anticipate and withstand cyber risk, so the path to resilience is through detailed cyber risk assessment and actionable, timely cyber risk management. I am going to make another strong, unequivocal statement – cyber risk analysis and management is completely dependent on an understanding of how attackers attack in general, and specifically how attack techniques and methods can be used to threaten your organization. That understanding then needs to be translated into an operational resilience roadmap of the most cost-effective actions to lower your cyber risk. Just as it is for attackers, this can’t be a one-time quick fix – it needs to be an ongoing effort of continuous improvement.
Even if you have an army of cyber analysts and defenders at your disposal, you’ll need tools and processes to make the most of your existing cyber controls or find the most effective new controls. I’ll make another unequivocal statement here – the only effective tools are those that provide scenario-based, adversarial risk management based on threat intelligence. Cyber security management is shifting to a risk management discipline, i.e. optimizing cyber security by minimizing risk and maximizing resilience in line with the business’s risk appetite.
In the following posts, we at Orchestra will describe how a digital cyber twin (and its associated AI reasoning) combines the art of attack, the science of defense and the business of IT to provide organizations with unparalleled holistic cyber risk and resilience operational insights and roadmaps.