Former U.S. defense secretary Donald Rumsfeld might well have been speaking to chief security officers when he made a head-scratching statement that immediately entered the realm of famous quotations: “There are known knowns. There are things that we know we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns.”
Word salad though it may be, this quote turns out to be a good description of the daunting challenges CSOs face. CSOs do know about many cybersecurity threats, and can confidently mount defenses against them. They also understand the nature, if not the specifics, of many “unknown” threats – everything from outside attackers exploiting zero-day bugs to disgruntled employees stealing or corrupting proprietary information. Then, of course, there are the true “unknown unknowns” – entirely new and unexpected forms of cyberassaults that could materialize at any moment.
A starting point for every cybersecurity discussion is the sobering reality that no defense against even known threats can guarantee 100 percent security. Still, there are many ways in which CSOs and their teams can increase their odds of success, even when cyberattacks deviate from known and expected patterns.
Whether threats fall into the known or unknown category, the defenses against them break into three core areas: education, security controls, and incident response.
Employee awareness. In many ways, an educated employee base represents the foundation of any cyberdefense program. Organizations can hire top-notch security professionals and deploy cutting security technologies, but can still suffer breaches if employees unwittingly click on a link in a phishing email or visit a risky website. In many ways, solid cybersecurity builds from the ground up, with well-educated and cautious employees forming a critical line of defense.
The right technology. CSOs can deploy a wide range of security controls — from firewalls and spam filtering systems to sophisticated behavioral analytics solutions — to protect an organization. These latter systems can flag deviations from known usage and traffic patterns, and may even incorporate machine-learning techniques to continuously improve their effectiveness. Such solutions can often protect organizations against new forms of threats – or can at least warn the security team that some suspicious activity warrants further investigation.
Breach management. Incident response comes into play when a cyberbreach has occurred – whether from a known or unknown attack vector. On one level, the nature of the breach is immaterial. The organization victimized still needs to isolate, contain and eliminate the threat, determine what assets may have been compromised, and inform employees, customers, regulatory agencies, and others about any personal or corporate data that was exposed.
A critical element of any incident response process, however, involves performing computer forensics to identify how the breach succeeded, and to close that vulnerability to future attacks. Among other things, successful forensics requires access to extensive and comprehensive log records. Far too many companies still fail to keep adequate usage and traffic logs, making it near impossible to analyze and defend against new types of threats even after they’ve occurred.
“Unknown unknowns” will always be out there in the cybersecurity world. But there are many steps organizations can take to protect themselves against both known and unknown cyberthreats.
Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.