
Outside in: too often cybersecurity looks the wrong way
Traditional cybersecurity measures are insufficient for modern threats mainly because they focus too much inside an insured’s perimeter and not enough on attacker behaviour outside of the network.
So said Ryan Dodd, SVP of cyber risk management at Intangic, which helps large enterprises and insurers understand the actual price of cyber risk.
According to Dodd, most enterprise cybersecurity watches “inside the house”, while threats increasingly start and evolve “outside the walls”. Without visibility into external attacker behaviour patterns, you cannot reliably predict, price, or prevent today’s breaches, said Dodd.
Dodd was speaking at Intelligent Insurer’s Cyber Risk & Insurance Innovation Europe event in London on Tuesday (February 3).
According to a recent Marsh survey of 6,000 global companies and thousands of breaches, attacker behaviour, not company size, is the true primary predictor of a breach. Companies with evidence of specific attacker behaviours are 2.5x more likely to be breached.
About 60% of breaches start with stolen credentials, exploited perimeter vulnerabilities and phishing or social engineering attacks. These do not depend on how “good” an enterprise’s EDR/MDR/XDR stack is. If an attacker logs in with valid credentials or exploits an unmonitored external asset, they often look like a normal user.
“It had nothing to do with how good they thought their cyber security was,” said Dodd. “What did it have to do with? They stole credentials, they exploited perimeter vulnerabilities, and they did it [through] social engineering, phishing attack.”
Attackers operate from anonymous, encrypted infrastructure on the dark web, not from obvious IPs or domains. Standard perimeter and endpoint tools cannot see the dark web. Traditional tools and questionnaires have no visibility into where credentials are being traded, who is scanning and staging attacks against you and your vendor, or patterns of coordinated attacker behaviour.
Even more alarmingly, attackers can now launch mass, automated, AI‑assisted attacks extremely cheaply. They only need to be right once, said Dodd; defenders must be right every time.
Without continuous outside‑in monitoring of attacker behaviour, you are always reacting late, after they are inside, the Intangic SVP said.
In essence, prevention means seeing and acting on attacker preparation – credentials, scanning, exploit attempts, dark‑web coordination – before it turns into a detected incident inside an enterprise's network.
Dodd said that an outside-in approach “gives you at a very high ROI, the ability to identify risk before it happens, so that your Security Operations Centre can do a takedown, can add additional services, so that we're effectively providing you that view from across the perimeter to allow you to take risk before that person gets through”.
Copyright © intelligentinsurer.com 2024