Donald Rumsfeld was the US Secretary of Defense from 1975-1977 and once answered a security question using the terms known knowns, known unknowns and unknown unknowns. The language is a bit tortured but the point is valid – and very relevant for outcome based cyber security. Here is a quick definition:
- Known-knowns – things we know we know.
- Known-unknowns – we know there are things we do not know.
- Unknown-unknowns – things we don’t know we don’t know.
- Unknown-knowns – that which we intentionally refuse to acknowledge that we know.
There are a lot of known knowns in cyber security. CVEs are one of the original known knowns – these are known vulnerabilities and exploits that can be used as an adversarial tactic against your organization. There are also known indicators of compromise that can tell whether you have been compromised, DNS blacklists to keep you away from trouble, etc.
The good thing about a known-knowns in cyber security is that it is possible to mitigate them before exploitation. A vulnerability only becomes actively dangerous when exploited – before that it is only a potential danger. Most cyber-attacks leverage known-knowns –the known vulnerabilities outlined in the Top 10 Routinely Exploited Vulnerabilities from the CISA and FBI (from May 2020) or the OWASP Top 10 Web Application Security Risks.
Proactive cyber security is focused on protecting an organization before an attack. Another way to put it is that proactive security is about using security intelligence (known-knowns) to find issues hidden in your organization. The goal is to expose an organization’s security vulnerabilities and weaknesses (known-unknowns), transform them into known-knowns and mitigate them before they can be exploited. To be successful at proactive security organizations need to focus on security outcomes. Outcome based proactive security means focusing on an actionable mitigation action plan to fix the problems before they can be exploited by an adversary.
The last of permutation (the one Rumsfeld left out) – unknown knowns – is also extremely relevant to cyber security. One cause is alert fatigue – when an organization “knows” about an issue but does nothing to mitigate it because it is lost in the noise. Another cause is when the organization cannot immediately mitigate for operational or business reasons and then forgets to track and follow up. That is why when moving to an outcome focus, it is critical to ensure prioritization, actionability and trackability.
Orchestra group is focused on actionable, proactive security outcomes. In a previous blog I discussed how Harmony IoT provides proactive airspace security. Harmony-Purple is focused on outcome-based proactive network security. It has patented, unique technology – but that shouldn’t be the focus. Its job is to use the best techniques available to find an organization’s known-unknowns and turn them into known-knowns. The outcome is an actionable step-by-step plan on how to immediately increase your organization’s security.
P.S. Regarding unknown-unknowns – those are what we call “zero-day” attacks that leverage previously unknown or undisclosed vulnerabilities. In reality unless you are being attacked by a nation state, the chances of being attacked via a “zero-day” is close to zero.