Why proactive cyber defence is essential

13 December 2021

Raghu Nandakumara at Illumio shares some cyber security lessons from cricket

The Ashes, one of the most storied rivalries in any sport with a history of more than 100 years, has just got under way, with the cricketing teams of Australia and England doing battle down under. As the drama develops on the field, let's take a look at what cyber security lessons can be gleaned from this wonderful sport.

Cricket has three key skill areas: batting, bowling and fielding. The rest of this piece focuses on batting. A batter has two key responsibilities: to survive for as long as possible, and to score as many runs as possible while doing so. As a result, the batter needs to find the correct balance between defence and attack.

But for the best batters, attack and defence merge into two sides of the same coin: their perfection of technique, talent and skill allows them to keep all their options open until the very last fraction of a second.

One of the greatest assets in a batter's repertoire is the ability to leave the ball. Unlike in baseball, the batter in cricket is not penalised for intentionally deciding not to attempt a stroke, unless of course the ball skittles their stumps. And it is with this "leave" that we start drawing our cyber security parallels.

Typically, a batter will leave a ball because they have weighed the risk and reward of attempting to play it and judged that they are more likely to be safe by staying well clear of it. Often this judgement is based on the line of the ball (what direction the ball is heading) and the length of the ball (how much the ball is going to bounce, based on where it lands on the pitch).

Both of these parameters are valid inputs into the batter's "should I leave?" algorithm, but if they are the only inputs the batter uses, the outcome is often not good.

The batters who get out this way are professional cricketers, high-class batters. So what have they done wrong? Firstly, they have decided that these two pieces of information are enough for them to predict where the ball will go. And from that prediction, they have assumed they can take a firm decision as to whether or not to leave.

And once they have decided to leave, they have felt no need to get into a position from which they can reverse that decision. But when the ball does something other than predicted (this is cricket, after all; the ball can do all kinds of things), they are in no position from which to recover: their defence is breached, and their innings is over.

Now consider the batter who uses line and length as useful inputs into their decision-making algorithm, but not the only inputs. Instead, they watch the ball closely, get themselves into a position that would allow them to play the ball should they need to, and make the decision at the last split second: they leave it if they can, but are equally able to play it safely should the need arise. This is a far more active approach to defence.

Here’s an example of a batter getting themselves into positions that allow them to play and leave as necessary:

And then, of course, there are those truly unique batters such as the great West Indian Sir Viv Richards, who believed that leaving the ball was a sign of weakness: he had been given a bat with which to hit the ball, and so he trusted his technique and ability to play the ball every time.

So what does all this have to do with cyber security, and in particular with incident detection and response? The parallels are uncanny.

  • The first batter, the one who infers behaviour from a small, fixed set of predetermined indicators, is like the incident response team that depends on detection and recovery alone. If the attacker behaves as expected, the team is confident that its defence is adequate and the organisation can safely continue to function. But if the attacker modifies their approach even slightly, the team can observe the change in behaviour yet, like the batter, is in no position to defend against it, and its thinking moves rapidly from "how do we defend?" to "how do we recover?", just as the dismissed batter must now think about how they will do better in their next innings.
  • The second batter is the security organisation that has coupled its visibility, monitoring and detection capabilities with containment controls, which allow it to put a preventative measure in place that strengthens its defences whether or not it has yet detected that something unexpected, and possibly malicious, is happening. By doing so, the organisation is better placed to withstand a breach and, at the very least, to limit the blast radius so that the compromise of one system does not become collateral damage across the rest of the estate.
  • Security organisations that model themselves on Sir Viv are fully invested in preventative controls from the outset. They recognise that limiting access on a least-privilege basis is the surest way to truly negate the potential impact of a breach: with the attack surface significantly reduced at every level, the malicious actor has far less to work with, and by being forced to work harder or alter their approach they are far more likely to give up or be detected before they have made any significant progress. Reaching this level of control maturity does, however, require both investment and a skill set to match.

So don't depend on detection alone. At the very least, invest in detection plus containment, and ideally map out a path to stronger preventative controls.

And that is why the art of leaving the ball in cricket and the discipline of incident detection and response share so many of the same skills.

Raghu Nandakumara is Field CTO at Illumio

All rights reserved Teiss Recruitment Ltd.