Raytheon’s John DeSimone on building the offensive line

For decades, enterprise security strategies centered on implementing strong defenses against attacks. But John DeSimone has built an offensive line—and he says it’s time for more cybersecurity practitioners to take that approach.

“From an evolution standpoint, I think security needs to move to active defense, to an offensive posture. It allows you to be faster and more agile. It’s going to cut down response times; it’s about how fast you can mitigate. And that’s very cost effective,” says DeSimone.

He adds: “It’s where security has to move. It’s the way the technology needs to move, and that’s the way the country has to move.”

DeSimone is president of Cybersecurity, Intelligence & Services at Raytheon Intelligence & Space. As one of the four business segments of the defense and aerospace company Raytheon Technologies, Cybersecurity, Intelligence & Services works to secure the U.S. government, other nation states, and private entities.

With 30-plus years of experience in technology and the technology services industry, DeSimone has seen how information systems have rapidly advanced in those decades.

He says he has also seen how cybersecurity strategy can lag behind, with too many organizations sticking with a reactive cybersecurity program rather than adopting proactive tactics that are proving to strengthen an organization’s overall security posture.

Don’t wait to develop your offense

In fact, DeSimone says too many organizations don’t even consider implementing preventative tactics until they are facing active attacks, contending with highly publicized threats or, even worse, trying to recover in the aftermath of a successful breach.

But he warns that organizations shouldn’t wait to evolve their cybersecurity policies to include an offensive element.

“I think that’s where the market and the industry need to go,” DeSimone says.

Organizations seem to be heeding that advice, with more moving to the proactive security strategies that DeSimone champions.

Consider the findings from a recent Cyberrisk Alliance (CRA) research study based on responses from 252 U.S. executives. CRA found that although companies have historically taken a respond-and-recover approach to security, 54% now have a proactive risk management approach—featuring the ability to identify, protect, and detect based on the NIST cybersecurity framework. Some indicated even more capabilities, with 19% saying they have a real-time risk management approach.

DeSimone believes it’s time, saying he knows firsthand the value of having both offensive and defensive functions working together.

“We have an offensive group and a defense group, and our mindset is having the offense inform the defense,” DeSimone says. “We strive to be experts on both sides, to learn and understand how each side can inform the other to be better.”

Moving beyond traditional best practices

As such, DeSimone says he knows the importance of a good defensive position, stressing that offensive elements are additions to—not replacements for—them.

Indeed, he says the foundational cybersecurity best practices that have long helped protect organizations remain critical components of any successful security operation. He stresses that organizations, of course, should have basic security components, such as well-articulated enterprise security policies. They should have completed risk assessments that allow them to prioritize threats, another traditional bedrock element in a solid enterprise cybersecurity program.

But at the same time, DeSimone says, those traditional components are no longer enough and promotes the need for teams to evolve such approaches.

As such, DeSimone says organizations should now also have in place a zero trust architecture with microsegmentation “that allows you to do the data collection and auditing of activity that’s going on in your enterprise in the smallest possible segments you can.”

And then they should layer in the proactive elements, he says, “to take malware and turn it off or limit it.”

“It’s about being able, in real time or as close to real time as you can get, to evaluate your systems and your logs and respond,” he explains. “It’s about being able to do penetration testing and vulnerability assessments in real time, where you’re looking for holes as well as abnormal behavior, where once you do find those, you can take a more offensive posture.”

Consider the advantages of a proactive approach in the case of malware, he says. A reactive strategy historically required taking servers offline and wiping them, after the damage has been inflicted; a proactive approach means “you basically attack the malware itself to stop it in its tracks.”

Foundations of offensive security

DeSimone points out that offensive practices require lots of data and good analysis.

“You need the information on your systems, as granular as you can,” he says.

More specifically, he explains that security teams need both good data and real-time analysis as well as automation capabilities to instantaneously distinguish between normal network traffic and acceptable user activities and those that are suspicious and, thus, indicative of malware and other nefarious actions—even as the enterprise is going through its constant changes and evolutions.

“That’s why the more granular data you get, the more detailed information you have, the more you can do proactive defense and proactive auditing,” DeSimone says, noting that organizations can evolve their capabilities even further by creating classification levels around documents. “All those together helps you see what’s normal, and you can see when something goes off track.”

At the same time, DeSimone says security teams need to up their capacity to search and find vulnerabilities and gaps that need attention. (To do this, he says his organization uses its own DejaVM, a proprietary tool that enables the creation of digital twins of systems to more safely do vulnerability work and pen testing before patching and remediating in the actual systems.)

Still, DeSimone says that’s not enough, saying security teams should be doing their own proactive vulnerability research and should also be sharing more information with each other (a practice that he notes more and more are doing).

Avoiding potential pitfalls

DeSimone acknowledges that many organizations aren’t mature enough to adopt such approaches and that others aren’t large enough to do so, and as a result would struggle with implementing such proactive approaches.

Meanwhile, he also says that those organizations that are evolved enough to adopt proactive security tactics face other struggles, such as establishing policies around rules of engagement and understanding the limits for going after malware.

“It’s not really clear what the boundaries are,” DeSimone says, explaining that security teams should be able to do what they deem necessary within their own IT space but notes that “when you go outside your enterprise, that’s where it gets more complicated. So when you go after malware, you have to make sure you’re not doing something you’re not allowed to do.”