‘The trend is to invest in the digital arms race’

Cyber attacks are constantly evolving, and so must defense. Unfortunately, organizations’ investments are often static, ‘a bit like driving a car just by looking in the rearview mirror’, says Sander Zeijlemaker. Last week, he received his PhD at Radboud University for research into a more dynamic approach that works with simulations. ‘The best-performing solutions do not always prove to be the most obvious.’

ALREADY: Why is the current approach to cybersecurity like looking only in hindsight?

SZ: ‘The digital security of an organization is dynamic and complex. The attacks are always evolving: new methods, new weaknesses. But standards or frameworks for getting the defense in order are based on previous standards. Simulations make it possible to look much faster at what could be done differently.’

How does it lead to improvement?

‘When people make a decision on a difficult subject, they imagine how they see the world. They make a decision based on that. But because the world is so complex, we do not always see the side effects of these decisions. An attempt is made to make people aware of this with a simulation. If, for example, a security measure is taken, it will have consequences at the hardware level, for suppliers and for the staff, and then suddenly you have a very diverse palette of business issues to understand. You can handle these complex issues with a simulation.’

For this approach, all factors must be mapped. Is this possible in the complex case of cybersecurity?

‘Let me put it this way: I think I’ve come a long way with this research. What I always do is sit down with administrators, managers and experts, and then I ask the group: how does your security world work? What concerns and what factors are relevant? This way you get a supported consensus on the issue. Do you know the example of the blind men trying to draw an elephant?’


Please explain.

‘A group of blind men are trying to draw an elephant, but because the elephant is so big, they only feel a part. One feels the trunk and thinks it is a snake, another grabs an ear and says, “I hold something like a dragon”, and another feels the leg and says, “I am standing next to an apartment building.” No one is aware that it is an elephant. Cybersecurity is my elephant. People have a good overview of the short term. What we have little insight into is rare situations and the long run. Deteriorating cybersecurity can be a long-term project. Lack of 5 percent every day can last for a long time before significant problems arise. The problem is that they only become visible when the attacker is already inside.’

This approach, system dynamics, is already being used in medical research and sustainability?

‘Yes. What I really like is En-ROADS from Climate Interactive, which is meant to determine the impact of climate policy, for example if we agree on climate agreements. But the technology is still hardly used in the field of security.’

Organizations will need to keep a good record of their data for this.

‘Sometimes you actually have to adjust or update data points, but those are parameters in the model, so it’s a limited effort. And sometimes you have to do a little backtesting: what does the model predict, is it correct?’

And the future is unpredictable.

‘I cannot specify which attacks will take place with which techniques and when. What I can do is map the decline in capabilities or the evolution of events.’

Can it also be done for something like the latest Log4j vulnerabilities, for example?

‘Characteristic of this is that a lot of hardware and software use Log4j. In a simulation, one can look at what it means when such an attack comes that can reach anywhere. There were honeypots that measured 1,000 attacks per second when the vulnerability became known. What does this mean for the organization? How is it affected? I often do sensitivity analysis and then simulate a pattern of a few hundred random attacks. I can set the simulation based on the affected security level. Then you can do if-so simulations to find out what happens when improvements are made in different areas. It will cost money, but will it reduce the number of incidents?’

What comes out?

‘A very interesting insight is, for example, that the best-functioning solutions do not always turn out to be the most obvious. The tendency is to join the arms race and invest in technology and more people. But it is better to learn from attacks, to understand what you have and to imitate, for example, with pentests. And invest in awareness, not only at an operational level, but also at a decision-making level. What are the implications of our priorities? In this way, simulations can complement the existing methods.’
