Negative space is not a common term, but if you spend any time studying company logos or graphic design, you will hear it. "Negative space" is the space between and around objects in design. Talented artists look for opportunities to create additional meaning or hide Easter eggs when creating logos, choosing fonts, and spacing letters in the company name.
One of the more famous examples of negative space is the FedEx logo. The logo's design team realized that by picking a specific font and letter spacing, they could create an arrow between the letters E and X. An arrow is the perfect symbol for a company that's always in motion delivering products to customers. The story goes that at the first design review, only the CEO immediately saw the arrow and the rest of the team missed it. Maybe, even after all these years, you have missed it as well.
Many people see what they expect to see and miss what is staring them in the face. Because they are not viewing the design as a whole, they experience the FedEx arrow and other negative-space objects as a blind spot. Once someone points out the negative space, people's blind spots usually disappear and they can see the whole picture.
Cybersecurity vs. the Blind Spots
Cybersecurity is rife with blind spots, but the consequences have more serious impacts than missing a hidden marketing message. In cybersecurity, there is a constant war to find the next attack, whether from financially driven hackers or adversarial nation-states, before it's too late. To counter these attacks, many companies do what they think they are supposed to do: build up a library of known attacks, also called signatures. Then they compare network traffic or event logs to these signatures to try to match previous events to what is happening now on the network.
This approach worked for a while, but attackers soon varied their attacks enough to avoid matching known signatures. The cybersecurity industry responded with fuzzier pattern matching: heuristics and, later, statistical models such as neural networks that try to judge whether current activity resembles anything seen before closely enough to count as a match. It is a probabilistic bet, and it still depends on having seen something similar in the past.
Pursuing larger and larger signature and rule sets comes with ballooning costs and runtime inefficiencies. Marketing tries to spin this as a good thing, pitching the biggest, largest, or most complex database (or data lake) of past known signatures with a "bigger is better" value proposition. Weekly updates lend even more false assurance that you are constantly protected.
Zero-Days Undermine the "Bigger is Better" Approach
The problem is that this approach has a blind spot of its own: attackers, increasingly aided by adversarial artificial intelligence (AI), develop attacks that do not resemble historical signatures at all, and those attacks will not be detected by signature or signature-variant approaches.
The SolarWinds supply-chain compromise of late 2020 is one example of such a novel attack, alongside true "zero-day" attacks, so called because defenders have had zero days to build a patch or signature for them before they are used. Cybersecurity vendor FireEye said it could not effectively alert on the SolarWinds attack because the hackers "used a novel combination of techniques not witnessed by us or our partners in the past." An attack nobody has seen before cannot match a signature, so it bypassed those defenses.
So, how do you find something if you don't know what it, or something close to it, looks like?
Just like the FedEx logo, the answer is staring you in the face. The solution is to change how you are seeing everything you are looking at.
In cybersecurity, this means that to identify threats you have never seen before, you must change how you look for threats. Rather than searching for what you already believe an attack looks like, establish what normal behavior looks like for each host, user and network segment, and examine everything that departs from it. Elevating what is not normal surfaces every anomaly, including attacks you have seen and attacks you have not. The trade-off is triage: anomalies also include benign changes such as a new server or a new workflow, so the baseline must be kept current and alerts prioritized rather than treated as verdicts.
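The following script is an added illustration of the contrast described above; it is not code from the original article or from any vendor. It runs two detectors over constructed connection records (the "host dst_ip dst_port bytes_out" format, the hostnames, the addresses and the indicator list are all invented for the example): a signature matcher that alerts only on a known-bad destination, and a baseline detector that learns each host's usual destinations and outbound volume and flags whatever departs from them. The never-seen destination with a large upload is caught only by the baseline detector; the host with no history at all is also flagged, which is the triage cost mentioned above.

```python
"""Signature matching vs. baseline anomaly detection over constructed log lines.

Added example. Every record, host, address and indicator below is constructed
for illustration and does not come from any real incident or product.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "last week" records in a hypothetical "host dst_ip dst_port bytes_out" format.
BASELINE_LINES = [
    "ws-01 10.0.0.5 443 1200",
    "ws-01 10.0.0.7 53 1800",
    "ws-01 10.0.0.5 443 1500",
    "ws-01 10.0.0.7 53 2100",
    "ws-01 10.0.0.5 443 1650",
    "ws-01 10.0.0.5 443 1400",
    "ws-02 10.0.0.5 443 900",
    "ws-02 10.0.0.7 53 1100",
    "ws-02 10.0.0.5 443 1000",
    "ws-02 10.0.0.5 443 950",
]

# Constructed "today" records.
NEW_LINES = [
    "ws-01 10.0.0.5 443 1500",        # routine traffic, should stay quiet
    "ws-01 198.51.100.9 443 900000",  # never-seen destination plus a large upload
    "ws-02 203.0.113.66 80 700",      # destination that is on the signature list
    "ws-03 10.0.0.5 443 1000",        # host that has no baseline at all
]

# Constructed known-bad indicator standing in for a signature database.
SIGNATURES = {"203.0.113.66"}


def parse(lines):
    """Turn the constructed text records into dicts."""
    events = []
    for line in lines:
        host, dst_ip, dst_port, bytes_out = line.split()
        events.append({"host": host, "dst_ip": dst_ip,
                       "dst_port": int(dst_port), "bytes_out": int(bytes_out)})
    return events


def signature_hits(events, signatures=SIGNATURES):
    """Signature approach: alert only on indicators seen in past incidents."""
    return [e for e in events if e["dst_ip"] in signatures]


def build_baseline(events):
    """Per host, record the (dst_ip, dst_port) pairs seen and the bytes_out samples."""
    baseline = defaultdict(lambda: {"peers": set(), "bytes": []})
    for e in events:
        entry = baseline[e["host"]]
        entry["peers"].add((e["dst_ip"], e["dst_port"]))
        entry["bytes"].append(e["bytes_out"])
    return baseline


def anomalies(events, baseline, k=3.0):
    """Anomaly approach: flag whatever departs from the host's own history.

    Returns a list of (event, reasons) pairs; an event with no reasons is silent.
    """
    findings = []
    for e in events:
        reasons = []
        entry = baseline.get(e["host"])  # .get() does not create a default entry
        if entry is None:
            reasons.append("unknown host")
        else:
            if (e["dst_ip"], e["dst_port"]) not in entry["peers"]:
                reasons.append("new destination")
            mu, sigma = mean(entry["bytes"]), pstdev(entry["bytes"])
            # Floor sigma so a host with a flat history does not alert on every extra byte.
            threshold = mu + k * max(sigma, 0.1 * mu)
            if e["bytes_out"] > threshold:
                reasons.append("volume")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    today = parse(NEW_LINES)
    print("signature hits:", [e["dst_ip"] for e in signature_hits(today)])
    for event, reasons in anomalies(today, build_baseline(parse(BASELINE_LINES))):
        print("anomaly:", event["host"], event["dst_ip"], reasons)
```

The baseline here is deliberately simple (a set of peers and a mean-plus-k-sigma volume threshold per host); a production system would use per-hour profiles, longer windows and feedback from analysts, but the structural point is the same: the detector never needs to have seen the attacker's destination before to raise it.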
Just like in real life, sometimes seeing an arrow you don't expect will point you in the right direction.