How Sun Tzu's wisdom can rewrite the rules of cybersecurity
Nov 23, 2021
"The greatest victory is that which requires no battle." —Sun Tzu
These millennia-old words of ancient Chinese military strategist Sun Tzu — to whom The Art of War is attributed — are still very relevant today. The best defense is to avoid an attack in the first place. With the right architecture and approach, it's possible to shield your environment from the cybersecurity arms race so that when the attacker strikes, you simply aren't there.
Practice Attack Avoidance
Attack avoidance is one of the three critical aspects of enterprise security, along with prevention, which ensures that networks and systems are hardened against attacks, and detection, which identifies anomalies and provides a means to respond to attacks. Attack avoidance is often overlooked or subsumed in the larger zero-trust conversation but addressing it in the first stage of risk management brings immense benefit.
The best way to foil an attack is to make sure the attack never happens. In Sun Tzu's time, that meant prioritizing information to gain the upper hand both strategically and tactically. In modern cyber defense, that translates into harnessing the full power of data, automation, and policy.
The simplest way to avoid an attack is to minimize the attack surface. To accomplish this, you need to:
- Eliminate your external attack surface by migrating to cloud-delivered zero-trust access with an outbound-only access model.
- Reduce internal attack surface by leveraging zero-trust user-to-app segmentation for private apps.
- Minimize individual endpoint attack surface by protecting end-user Internet traffic.
- Reduce the data attack surface with software-as-a-service (SaaS) controls such as a cloud access security broker (CASB), data loss prevention (DLP), and other solutions.
The great thing about zero trust is that every device, application, and user is distinct. Finding your way into one device doesn't get you into the rest of the environment, because nothing trusts anything else completely. If we can make those individual attack surfaces stealthy, we can up our security game even further.
You Cannot Attack What You Cannot See
Traditional VPN gateways depend on an open inbound listener that can be discovered and engaged by anyone on the internet. Connecting an endpoint to a network exposes the entire network — and the endpoints connecting to it — to potential damage from ransomware or internal threats. Removing the inbound listener eliminates the attacker's foothold and connecting users to applications protects both the network itself and the devices from which users are connecting.
The old castle-and-moat method of protection is no longer a viable security model. This model enclosed your business with walls and barriers — but once someone got in, they had free rein inside the castle. In this new model, no one knows where your estate or business is, and even when you escort visitors/employees into your estate, they only have access to the parts of your estate that you show them. The rest of your technology estate is completely hidden from view.
From development to risk assessment, reducing the attack surface with modern technology choices will help your organization better protect itself and allow you to remove parts of your estate from the arms race entirely.
As Sun Tzu also said, "For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill."
Cybersecurity Is Good for Business
Security is often discussed in negative terms — data breaches, regulatory fines, and business disruption. However, the advantages are seldom highlighted. Here are a few to consider:
- Retain customers and show commitment. Creating a culture that prioritizes data security and privacy shows a high level of corporate social responsibility. Companies that are careless with personal details and suffer a breach are often subjected to tremendous backlash from consumers and business partners. Conversely, taking the initiative to prevent security breaches enhances an organization's reputation.
- Compliance leads to business opportunities. Most businesses rely on a network of partner organizations. As collaborations extend to the cloud and hybrid networks, demonstrating security compliance becomes a requirement for doing business. With the growing number of data breaches, companies are taking a hard look at the security practices of potential partners as a precondition to doing business.
- Innovation trumps inactivity. Companies prioritize growth-driving innovation. Agile cybersecurity policies can enable companies to continue their groundbreaking work without interruption, fueling revenue and profits. However, in a study conducted by Cisco, 71% of executives said cybersecurity concerns impeded innovation at their companies. Among respondents, 39% said they had halted mission-critical initiatives because of cybersecurity issues. These responses highlight how enterprise security weaknesses can hamstring an organization's ability to innovate precisely when it's most critical.
With a simple change in perspective, business leaders can address security in terms of what it means to business opportunities, allowing for a more grounded, less fear-based discussion when it comes time to set enterprise security strategies.
This article originally appeared on Dark Reading