Cybersecurity: Reaction vs. Prediction vs. Preparation

Ted Gruenloh
CEO @ Nomic Networks
July 28, 2023

The way I see it, there are three main categories in the security strategy landscape today: reactive, predictive, and preparative. And it’s not a “one or the other” approach – it’s all or nothing, and the lines between the categories are blurred.

Reactive – Old-school (But still relevant)

This is your classic security approach: looking for the “known bad.” It includes your threat intelligence (TI), your patching (and all the CIS Controls around it), and every means by which you’d know when new threats come into town, such as CVEs, MITRE ATT&CK, and the OWASP Top Ten. In this camp, you’d see bad IP lists, country blocking, and rule-based tools. You’d also see stellar data backups and recovery options. Without question, these remain critical pieces of the security puzzle when dealing with ransomware, malware, and inbound exploits, and simply cannot be forgotten.

An antivirus would fall squarely on the reactive side, as would threat feeds and network traffic monitoring. Nomic specializes in a few of these tools, along with variations to make them less expensive and more powerful.

For example, our Outpost sits on the outermost edge of the network, beyond the firewall. It’s fed and updated with data from our network of CINS Threat Intelligence feeds, which draws its data from our network of Nomic devices around the globe. Using a mixture of both private and public feeds, the Outpost autonomously detects and blocks malicious traffic before it penetrates the edge.

Informed by the known bad, Network Cloaking™ can make your network invisible to external threat actors. Once we’ve determined a network is up to no good, we drop all communication to and from it. This causes your network to all but disappear to prying eyes – as if you never existed at all.

Despite the critical nature of reactive security, it also has limitations that make it only a part of the holistic security puzzle.

Proactive – ML, AI, and Human Intervention

We’re living in a world where threat actors are no longer out in the open; they are constantly sneaking past our defenses and creating the need for sophisticated tools that can catch them in the act. To be proactive and attempt to stay ahead of the bad guys, organizations must lean on Artificial Intelligence (AI) and Machine Learning (ML).

AI and ML go a long way in discovering hidden exploits based on their malicious behavior alone. Able to ingest petabytes of data, they’re some of the only tools that can – at least at scale. And they’re indispensable. As long as there are threat actors out there obfuscating their presence on the network and bypassing traditional signature-based defenses, we need what they do to bring all-around security effectiveness to life.

The catch is that ML and AI sometimes need a little guidance. That can come in the form of security analysts who monitor and document false positives along the way, steering the ML algorithms and making them more effective in each specific network environment.

Nomic leans into this area, albeit with a little more balance. AI tooling can be prohibitively expensive, so our Network Detection and Response is a clever mix of reactive and proactive tools, actively monitored by autonomous solutions and a team of analysts. Meanwhile, Insight shows you what’s happening between your endpoints and your firewall and synthesizes that data into concise Network Flows. Those flows are enriched with threat intel and other metrics, with artificial intelligence and machine learning built on top to enhance your view of the network in ways that signature-based monitoring just can’t.

Prepping – The Zero-Trust Model

The third and final piece is preparation. What’s on your network? This is asset discovery, penetration testing, vulnerability assessment, and the like. You need to know what you’re defending and how it needs to be done. You need the scope of the security task ahead of you, and this inventory should be done on a continual basis. Each IoT device, supply-chain partner and new piece of software introduces new risks, and it’s important to stay ahead.

This is also the stage for checking configurations and verifying accounts and access control. In short, run down the CIS Controls and make sure you’re covered. Any security hardening falls into this category and should be done first.

This stage embodies the zero-trust approach and encapsulates how you prevent an attack by making sure all the obvious access points are locked down.

The obvious conclusion: All 3 Are Necessary

Keep in mind all three strategies are required. The reactive security of the past needs to meld with the predictive security of the present while underpinning it all is the foundation of preparation that lays as much of the groundwork as possible.

No one is throwing away their reactive antivirus because they have predictive EDR. Instead, they both share space on the endpoint and catch what the other can’t. And nobody is forgoing data backups because they’ve done all the CIS Controls. It’s obviously a multi-layered approach – defense-in-depth, right? – and Nomic helps you with all three stages so you can be fully covered.

Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.
