Iman Ghanizada

Working on something new · Los Angeles

Iman Ghanizada

Defense-in-Breadth

Iman Ghanizada · 2024

Cybersecurity as an industry has been in a nascent phase.

For thirty years we've played cat and mouse, accumulating tools and processes to keep up with attackers and evolving computing infrastructure. Yet with each new tool, we fall further behind, unable to prevent the next breach that only becomes more catastrophic. In this time, the entire fabric of society has evolved. Our infrastructure, financial institutions, healthcare, all industries, everything that underpins democracy is dependent on our digital systems.

We've always been told that cybersecurity is paramount for organizations. In fact, we've seen how debilitating it is when organizations are exposed to major cybersecurity attacks. Disruptions, reputational harm, loss of IP, national security risks, disinformation, regulatory fines and setbacks, all which have justified tremendous investments in cybersecurity to mitigate risk and enable global sectors to operate safely.

Yet, over time we've also seen organizations bounce back from virtually all cybersecurity incidents. This leads to a bigger investment in cybersecurity budgets, but at most, this just delays another future cyber incident. We take this resiliency for granted, as the risks will be far greater tomorrow.

Today, a breached database means stolen credit cards. Tomorrow, imperceptible changes by AI agents could poison entire systems beyond reasonable recovery. In the coming years we will be shifting institutions underpinning society to be controlled, developed and maintained by artificially intelligent systems with deepening levels of autonomy. The risks are no longer about losing social security numbers and bouncing back from regulatory fines. A CrowdStrike-style incident with global consequences that will stem not from human error but from compromised AI systems will become common, and that may be the least worrisome scenario for humanity's future.

Practice time is over for cybersecurity practitioners and the tools we have at our disposal must bias us towards empirically understanding risk and preventing it from materializing altogether, because tomorrow our systems will have monumental control over our lives.

Needles are now just more hay

The entire cybersecurity profession and industry is represented in the image below.

A Venn diagram of two overlapping circles labeled THREAT and VULNERABILITY, with RISK at their intersection.
Risk lives where threat meets vulnerability.

The types of problems that cybersecurity teams work on, team structures, and products/tooling are segmented by either being focused on vulnerabilities (state-based) or threats (event-based). In the most simple terms, preventive security vs reactive security. Every single security control or product fits in either of the categories above: you either prevent an attack or you react to a potential attacker.

We use the term defense-in-depth as a way to describe how adding layers of security controls can mitigate adversarial activity. This strategy worked very well pre-cloud, but the tech stack is evolving too fast causing deep alert fatigue. Moreover, it's a good business strategy to sell more alerts because it gives security buyers the ammunition to negotiate budgets with the C-suite, but focusing on alerts has been a losing strategy and will be a catastrophic strategy tomorrow.

The truth is, if you analyze the last decade of cybersecurity attacks from both high-skilled attackers (nation-state, APTs) and lower-skilled attackers, the majority of intrusions were not highly sophisticated intrusions but rather an exploitation of people, of complexity, and of known vulnerabilities. If most cybersecurity intrusions occur by walking through the front door, it may be time to reconsider the fundamental priorities of our industry.

Shifting from Alerts Back to Research

Up until the early 2000s we were in the golden age of cybersecurity. The innate curiosity that computer security engineers had just tinkering with this technology, figuring out all the edges, is what led to the development of the modern world. All technologies that have enabled the modern world: banking, commerce, communications, all of this was a result of key innovations in cybersecurity that unlocked these use cases that transformed our lives. This was our superpower, yet today we're trapped behind screens drowning in alerts, our tools fragment our vision of emerging risk, and our knowledge dies in organizational silos.

Defense-in-Depth gave us layered security but also segmented all of us into deep data silos. One of the greatest opportunities for LLMs and modern AI capabilities is the ability to do dynamic semantic modeling of disparate sources of data. By stitching together data points in unique data domains, pulling timelines together, we'll be better able to understand how attacks unfold in reality, as dynamic as they are, and build capabilities to mitigate them before they unravel.

Defense-in-Breadth as an approach to modernize risk management

Defense-in-Breadth gives us omnipresent semantic understanding to empirically understand risk, not just threats or vulnerabilities. When security practitioners can instantly access and correlate organizational knowledge, we move from chasing alerts to preventing intrusions altogether, equipping defenders with the ability to think and operate across graphs.

Artificial intelligence will unlock a tremendous amount of use cases that will require deeper surveillance of corporate infrastructure, but inevitably, corporate culture will evolve to adapt policies to the emerging risk landscape. This is the time to think about novel solutions, using computer vision, correlating GPU driver data with endpoint data, using LLMs and agents to rethink preventive security and risk management.

Tools like Wiz have done a fantastic job of correlating disparate events via toxic combinations and such, but it's time to think about risk holistically beyond a single attack surface.

This is an open CTA for builders to invent the next generation of preventive security tooling. Good luck. The world needs you.

— Iman