Failing Toward Zero: Why Your Security Needs to Fail to Get BetterFailing Toward Zero: Why Your Security Needs to Fail to Get Better
Each security incident should lead to a successive reduction in future incidences of the same type. Organizations that fail toward zero embrace failure and learn from their mistakes.
November 27, 2020
"Hard times create strong people."
"What doesn't kill you makes you stronger."
Maybe you've whispered these mantras to yourself in the aftermath of a personal setback at home or work. We've all heard some take on this expression, but the sentiment is always the same: Failing doesn't feel good in the moment, but it's possible to appreciate failure as a lesson in overcoming adversity. To put it simply, you have to fail in order to get better.
But what if the stakes for failure mean more than another checkmark under the "loss" column?
This is the predicament faced by organizations every day when it comes to cybersecurity. At best, failure means an embarrassing and inconvenient organizational disruption. At worst, it means a catastrophic loss of records and loss of business.
Failure, it would seem, is not an option when it comes to cybersecurity. Or is it?
Author and scholar Nassim Nicholas Taleb can help us answer this question. Taleb has a useful concept called "antifragile," which he uses to describe any person, organization, or entity that benefits from failure. Not only that, as Taleb puts it, the antifragile "loves" randomness, uncertainty, volatility, and errors. Think of it as evolution with a twist. Instead of survival of the fittest, this is survival of the smartest. Whoever can understand and react to environmental stressors best wins.
And let's face it, your cybersecurity will fail at some point. There's no such thing as 100% protection. Cybercriminals need to succeed only once, but organizations need to succeed every time. While it's more than likely that your organization will be the target of a successful cyberattack, a successful cyberattack doesn't necessarily make a catastrophic data breach. If you know your security is going to fail at some point, you can prepare for this eventuality and mitigate its impact on operations. It's at this intersection of antifragility and cybersecurity that we get a model I'm calling "failing toward zero."
Failing toward zero is a state in which each security incident leads to a successive reduction in future incidences of the same type. Organizations that fail toward zero embrace failure and learn from their mistakes. Our data suggests that smart companies are already starting to do this.
The Data Science and Engineering team at Malwarebytes examined all detection data on business endpoints for the past three years. It's no surprise that malware detections on business endpoints went up every single year, from 7,553,354 in 2017 to around 49 million in 2020 — and the year isn't even over yet.
However, the detections we're facing today are different from those we saw just a few years ago. Two of the biggest blockbuster threats of yesteryear — spyware and Trojans — are both down. Since the winter of 2019, spyware detections on business targets dropped 49%, while Trojans dropped 63%. Criminals have since altered tactics in favor of adware and hacktools, a category of riskware that is used to hack into computers and networks. While adware is mostly a nuisance, hacktools can be used to gain access to a system, steal data, and distribute malware. We've seen hacktools detections increase 2,431% since winter 2019.
And it's not that spyware and Trojans have gone away. With the help of technologies like machine learning, we've discovered new strains from these threat categories every day. The truth is that businesses that suffer breaches tend to get better at dealing with them. Yes, they "failed" in the sense that their network security had been breached, but they were failing towards zero.
Now that we have hacktools to contend with, how can we fail toward zero?
The mechanics of failing toward zero vary. Thanks to machine learning, your endpoint protection should be able to "learn" a strain of malware and automatically block threats that behave similarly. There's an equally critical human element as well. You should have an incident response team and put your team and procedures to the test in the following ways:
Deliberately introduce stress into the system and see how your team responds in the face of failure.
Figure out how you will maintain business continuity during and after an attack.
Make sure employees receive adequate training.
Ensure institutional knowledge is properly documented for new team members.
Look at your own data. Are you part of the group that's failing toward zero or are you part of the group that's failing toward infinity?
Beyond this basic blocking and tackling, perhaps the biggest challenge in failing toward zero is just to accept failure as a condition of long-term success. We're programmed to win, especially when so much is at stake. We've developed a mindset opposite of failing toward zero — the "losing is not an option" mindset. Frankly, that mindset is not helpful.
I prefer to think of it like this: If your network is breached and you're able to stop that breach before any damage is done and, most importantly, you know that it's not going to happen again, then you've actually won.
Taleb sometimes calls errors "unknowledge." Being ignorant and lacking knowledge is an error in and of itself. I cannot overstate how important it is to study and act on the data from past attacks. So, take the time to study the shortcomings in your security. Look to the past and study attacks at your business and other businesses as well. Cybercriminals have done the work of finding the failures in your security. Take advantage of that.
To fail toward zero, you've got to see the error in your ways. Or as Taleb might put it, you've got to see the way in your errors.
About the Author(s)
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023