Reactive to Proactive: 7 Principles Of Intelligence-Driven Defense

Published: 22/11/2024   Category: security




Black Hat Asia keynote speaker and Net Square CEO Saumil Shah says bug bounty programs and reactive security techniques aren't enough to protect your business.



BLACK HAT ASIA - SINGAPORE - "Bugs are around, they're going to be around forever. That's fine," admitted Net Square CEO Saumil Shah in his keynote "The Seven Axioms of Security" at Black Hat Asia 2017. This isn't because all software is buggy, he noted, but because today's technology is complex.
Shah described how each of today's systems has a nearly infinite amount of space that cybercriminals can traverse with any manner of non-architectural means.
"If you think you're going to catch them in all these combinations and permutations, you seriously need to rethink your battle," he noted.
For more than a decade and a half, the industry has primarily used a reactive approach to security, Shah explained. Businesses tried to buy back bugs after exploits, which led to the creation of bug bounty programs. These have become so high-stakes they are starting to backfire, Shah said, using the term "bug purchase programs." There's no end to the cost when businesses are willing to pay millions.
"We wait for things to happen and then we react," he said of today's security teams. The industry of defending has now become largely compliance-driven. Products are marketed as solutions that reduce risk but in reality operate on three principles: rules, signatures, and updates. These are still reactive, said Shah, and they aren't enough.
"Existing defense measures do not match hacker tactics anymore," he continued. Attackers don't follow standards and certifications. They do whatever they please.
It's time for leaders to become less reactive, and more proactive, in their approach to security, Shah explained. This is no easy feat, he said, because business leaders rarely give security teams the budgets they need and usually don't understand their priorities.
To point his listeners in the right direction, Shah illustrated his call to action with seven principles security teams should adopt with the goal of intelligence-driven defense in mind: 
The CISO's job is to defend:
CISOs should be defending and keeping systems clean. Compliance is not part of their role. Truthfully, says Shah, compliance takes up the majority of the CISO's time. It would be more effective to split the role of the CISO into two positions: a security-focused officer who prioritizes defense, and a chief compliance officer who handles the cost of doing business.
Intelligence begins with data collection:
"There is no price you can put on historical data," said Shah. If data can be correlated, he explained, businesses should collect and save it. Start with a security data warehouse and gather data from sources of security intelligence. This may come from third-party vendors but ideally should come from the organization. "It's time that organizations who have the muscle grow their own security in-house to suit the needs of their organization," Shah emphasized. No one product is going to fit the bill.
Test realistically:
Systems can exist in secure and hacked states at the same time, Shah explained. You'll only know what's going on if you test, and you should test systems under real-life circumstances.
Keep metrics:
Make a list of what is quantifiable in your process and keep metrics for them. Metrics demonstrate success and failure; they can also justify budget. You need facts to defend your strategy, Shah explained.
Learn from users:
We can't apply the same security measures to all end users - who range from hopeless (those who tweet photos of their debit cards) to rock stars (those whom we can learn from) - Shah explained. Security leaders should identify users who are uninformed but willing to improve, and guide them to be more productive.
The best defense is unexpected:
"Is your infosec team doing something creative every day?" Shah asked.
Progress should be visible:
While defenses themselves should be unexpected to attackers, it's important to make protective measures visible to the business. Improve users' security knowledge and record money saved.
"If you can demonstrate money savings through defense, that's money earned," he emphasized. It enables you to control your budget.