The Failure of Attack-Centric Cybersecurity: A Veteran’s Perspective
As a 20-year veteran of the cybersecurity industry–a career spanning both legitimate penetration testing and a former life as a blackhat–I’ve seen first-hand how the industry’s obsession with attack-centric security has not only failed to protect businesses but has actively hindered progress toward meaningful protection. If we truly want to elevate cybersecurity to the next level, then it’s time for a paradigm shift. We must stop focusing solely on transactional evaluations of attacks and instead embrace a broader, more dynamic approach that prioritizes external entity behavior.
The Obsession with Attack-centric Security
Attack-centric security is the dominant mindset in our industry. It’s the idea that cybersecurity is a binary transaction: something is good or bad, allowed or blocked, safe or malicious. Most tools today–firewalls, endpoint detection and response (EDR), intrusion detection systems (IDS), and even SIEM platforms–are built around this simplistic, reactive model. An event happens, it gets evaluated, and a decision is made. This approach is deeply ingrained in the products vendors sell, the frameworks organizations adopt, and the training SOC teams receive.
The thinking goes like this: if we can detect attacks faster, block exploits more effectively, and identify malware with greater precision, we’ll achieve security. But here’s the uncomfortable truth: this approach has never worked, it doesn’t work now, and it won’t work in the future. Why? Because it fundamentally misunderstands the nature of the problem.
Why Attack-centric Security Fails

The purpose of cybersecurity is not to win a series of battles against attackers. It is to protect the business. And the business doesn’t care whether we blocked 98 percent of malware or stopped 7 out of 10 phishing attempts. The business cares about continuity, resilience, and minimizing the impact of breaches. By focusing on individual attacks, we’re failing to address the bigger picture: the sum of interactions.
Attackers don’t operate in isolation. They probe, adapt, and evolve. They perform reconnaissance, test defenses, and pivot when one attack vector fails. Yet, attack-centric security treats each event as a standalone occurrence.
- A phishing email is blocked. Success.
- A vulnerability scan is detected. Success.
But what about the attacker behind those events? What about the patterns they’re leaving behind, the signs of their evolving strategy, the overarching campaign they’re waging against your organization? Focusing on individual attacks blinds us to the larger threat.

If the binary, attack-centric approach worked, we’d have solved cybersecurity decades ago. Think about it. We’ve been blocking “obvious” exploits, patching vulnerabilities, and deploying stronger detection tools for years. Yet, breaches continue to happen, often at staggering scales. Why? Because attackers don’t need to succeed on their first attempt. They don’t even need to succeed with their first 100 attempts. They just need to find one gap in your armor.
Here’s the problem: attack-centric security is inherently reactive. It waits for something to happen, evaluates it, and then decides how to respond. By the time you’ve identified an attack, the attacker has likely already moved to the next phase of their operation. And if your defenses are only designed to evaluate discrete events, you’ll never see the full picture of an attacker’s behavior.
The Key: Focusing on the External Entity
To truly protect businesses, we need to shift our focus away from individual attacks and toward the external entity–the attacker. This means moving beyond transactional evaluations of “good” versus “bad” and instead analyzing the sum of their interactions with your environment. The goal isn’t to determine whether a single event is an attack. The goal is to understand whether an entity is building toward an attack.
By focusing on the external entity, we can:
- Detect Reconnaissance Early: Attackers rarely strike without preparation. They gather information, map your environment, and test your defenses. By monitoring patterns of behavior–failed logins, unusual queries, repeated scans of specific endpoints–we can identify attackers long before they execute their payload.
- Understand Adaptation and Pivoting: When one attack vector fails, attackers don’t give up. They pivot. They try a different exploit, a different endpoint, a different technique. A single failed attack might not seem significant, but multiple failed attempts across different systems indicate persistence, and persistence is a hallmark of a serious threat.
- Identify Campaigns, not Incidents: Attackers often operate in campaigns, targeting multiple organizations or systems as part of a larger strategy. By analyzing their behavior across multiple interactions, we can identify patterns that point to a broader campaign, allowing us to defend proactively rather than reactively.
SOC Operators and Threat Hunters Get It
SOC operators and threat hunters live in the trenches. They see the patterns, the persistence, and the evolution of attackers. They understand that the current approach–relying on tools that evaluate isolated events–doesn’t work. They know that the real challenge is to identify attackers before they strike, to see the bigger picture, to move beyond “this was an attack” and toward “this will be an attack.”
But the tools they’re given don’t support this approach. Vendors continue to sell solutions that focus on transactional evaluations, on detecting and blocking individual attacks. The problem isn’t that SOC teams lack the skills or knowledge. The problem is that the tools they’re given are fundamentally misaligned with the task at hand.
A Call to Action for Vendors
If vendors want to help organizations truly protect their businesses, they need to rethink their approach. The focus should be on building tools that enable SOC teams to monitor and analyze the sum of interactions, not just individual events. This means investing in:
- Behavioral Analysis: Tools that identify patterns of behavior over time, across multiple systems, and in different contexts.
- Entity Tracking: Solutions that focus on the attacker as an entity, rather than treating each event as a standalone occurrence.
- Proactive Defense: Capabilities that allow teams to predict and prevent attacks based on early-stage reconnaissance and probing.
This isn’t about abandoning traditional detection and response. It’s about augmenting those capabilities with a broader, more dynamic approach that prioritizes the attacker’s behavior over individual attacks.
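To make the contrast between the two views concrete, here is an added example (not code from the post or from any vendor product) that covers both the entity-focused signals described above (reconnaissance, pivoting, persistence) and the behavioral-analysis and entity-tracking capabilities asked of vendors. It parses a constructed, hypothetical key=value log format with source addresses from the RFC 5737 documentation ranges, first scores the events the transactional way (stopped vs. allowed), then regroups the same events by source entity and derives signals over the sum of that entity's interactions. The thresholds and signal names are illustrative assumptions, not an established standard.

```python
"""Entity-centric log aggregation (added example, not code from the post).

Every event from 203.0.113.7 below was individually blocked or failed, so an
event-by-event view reports nothing but "stopped". Grouping the same events
by their source entity exposes reconnaissance, persistence and pivoting.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z src=203.0.113.7 action=login target=vpn result=fail
2024-03-01T09:00:09Z src=203.0.113.7 action=login target=vpn result=fail
2024-03-01T09:02:41Z src=203.0.113.7 action=scan target=mail result=blocked
2024-03-01T09:15:22Z src=203.0.113.7 action=exploit target=www result=blocked
2024-03-01T09:16:03Z src=203.0.113.7 action=login target=www result=fail
2024-03-01T11:40:00Z src=203.0.113.7 action=scan target=api result=blocked
2024-03-01T09:01:00Z src=198.51.100.4 action=login target=vpn result=fail
2024-03-01T09:01:30Z src=198.51.100.4 action=login target=vpn result=ok
"""

# Hypothetical key=value line format; real sources need their own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) result=(?P<result>\S+)$"
)
STOPPED = {"fail", "blocked"}  # outcomes a transactional view counts as "handled"


@dataclass
class Event:
    ts: datetime
    src: str
    action: str
    target: str
    result: str


@dataclass
class EntityProfile:
    """The sum of one external entity's interactions, in time order."""
    src: str
    events: list = field(default_factory=list)
    signals: set = field(default_factory=set)

    @property
    def stopped(self) -> int:
        return sum(1 for e in self.events if e.result in STOPPED)

    @property
    def verdict(self) -> str:
        # Illustrative rule: two or more independent signals mark a campaign.
        return "campaign" if len(self.signals) >= 2 else "noise"


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate junk lines instead of aborting the batch
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["src"], m["action"], m["target"], m["result"]))
    return events


def transactional_view(events: list) -> dict:
    """The attack-centric view: each event judged on its own."""
    stopped = sum(1 for e in events if e.result in STOPPED)
    return {"stopped": stopped, "allowed": len(events) - stopped}


def build_profiles(events: list) -> dict:
    """Group events by source entity and derive behavioral signals."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    profiles = {}
    for src, evs in by_src.items():
        p = EntityProfile(src, evs)
        failed = [e for e in evs if e.result in STOPPED]
        # Reconnaissance: scanning, or touching several distinct targets.
        if any(e.action == "scan" for e in evs) or len({e.target for e in evs}) >= 3:
            p.signals.add("recon")
        # Persistence: repeated failures, especially across different systems.
        if len(failed) >= 3 or len({e.target for e in failed}) >= 2:
            p.signals.add("persistence")
        # Pivot: a stopped attempt followed by a different technique or target.
        for prev, nxt in zip(evs, evs[1:]):
            if prev.result in STOPPED and (prev.action, prev.target) != (nxt.action, nxt.target):
                p.signals.add("pivot")
                break
        profiles[src] = p
    return profiles


def analyze(text: str = SAMPLE_LOG) -> tuple:
    events = parse_log(text)
    return transactional_view(events), build_profiles(events)


if __name__ == "__main__":
    per_event, per_entity = analyze()
    print("transactional view:", per_event)
    for src, p in per_entity.items():
        span = p.events[-1].ts - p.events[0].ts
        print(f"{src}: {p.stopped}/{len(p.events)} stopped over {span}, "
              f"signals={sorted(p.signals)} -> {p.verdict}")
```

Run as a script, the transactional view reports seven of eight events stopped and nothing to act on, while the entity view marks 203.0.113.7 as a campaign (scan, failures on three different systems, and a technique change after a failure) and leaves the user who mistyped a password once as noise. The useful design point is that the same parsed events feed both views; what changes is the unit of analysis, from the event to the entity and its history.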

The Future of Cybersecurity
Cybersecurity isn’t about winning a series of battles. It’s about protecting the castle, and that requires understanding the enemy at the gates, not just the arrows they shoot. The industry’s obsession with attack-centric security has failed–and will continue to fail–because it focuses on the wrong thing. It’s time for a change.
By shifting our focus to the external entity, we can move beyond reactive, transactional security and toward a proactive, strategic approach that truly protects the business. Attackers aren’t going to stop adapting. Neither should we.