COMMENTARY: We rarely hear the phrase “they don’t build ’em like that anymore” applied to software. And for an obvious reason: software has never enjoyed a glowing reputation for quality, nor reliability.
For everyday users, this manifests as quirky, inexplicable glitches that vanish as mysteriously as they appear. But cybersecurity professionals understand all too well that software unreliability — or rather, vulnerability — perfectly sets the stage for attackers to achieve their objectives.
[
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Despite these well-known dynamics, cybersecurity remains largely stuck in a “deer-in-the-headlights” response mode, overly reliant on reactive, after-the-fact measures to address the ever-increasing volume and severity of exploits. For the fifth consecutive year, software
vulnerability exploitation has emerged as the most common initial attack vector, surpassing both phishing and credential compromise.
The cybersecurity status quo: A cycle of reaction and crisis
Today we have a cyclical cybersecurity approach, continuously alternating between routine scanning and reactive crisis management. For the first part of this cycle, we have the familiar, exhausting grind of vulnerability scanning and patching, where security teams are constantly racing against an endless backlog. The second part: the always-on, frenetic scramble to detect and then respond to attacks already in progress.
This latter phase has become increasingly complicated by an overwhelming flood of telemetry data from sensors scattered throughout computing infrastructures, creating noisy chaos that obscures genuine threats.
Within this cycle, cybersecurity incidents resemble fires, with teams cast as perpetual firefighters. Just as with actual fires, we rarely understand the true extent of damage from a cyber breach until the flames are fully extinguished and the smoke clears — always after the fact, and always too late.
Detect-and-Respond: No match for software exploits
Traditional detect-and-respond cybersecurity strategies consistently fall short against modern
AI-based attacks leveraging software exploits. According to recent Mandiant research, global median dwell time — the interval between an initial intrusion and its eventual detection — was 11 days in 2024, more than enough time considering that attackers typically need just 5–7 days to accomplish their objectives. For non-ransomware intrusions, the opportunity for attackers to inflict damage is even greater, with more than 25% of attacks having dwell times ranging from one to six months.
Clearly, our goal must become real-time prevention rather than merely reactive detection and response.
Ten years ago, cybersecurity researcher Carl Landwehr proposed applying building-code logic to cybersecurity. He said that building codes emerged not to justify more firefighting capabilities, but rather to prevent fires altogether. His memorable phrase perfectly captured cybersecurity's persistent error: "hiring firefighters without paying adequate attention to a building industry continually creating new firetraps."
Landwehr’s analogy resonates even more today, urging a fundamental shift in our cybersecurity approach. Rather than continuously chasing attackers after breaches occur, we must embed robust, standardized security mechanisms directly into software and infrastructure. These safety mechanisms should operate invisibly, reliably, and automatically — integrated structurally rather than superficially added later.
Actionable change: shift-down security
It’s possible to foster effective change through deeper collaboration between platform engineering and security engineering. Rather than exclusively burdening developers with endless, increasingly time-consuming scanning, patching, and other “shift-left” security demands, organizations should adopt a more holistic approach.
A new model, "Shift-Down Security," integrates security controls directly within computing platform software, making security an essential foundational component rather than an afterthought.
Central to Shift-Down Security: the concept of "paved roads,” which are standardized, secure-by-default pathways enforced directly by runtime security guardrails. Crucially, these guardrails enforce precisely defined invariants — clear, structured rules that delineate normal operations from suspicious or malicious actions. Examples include attackers attempting to execute applications or scripts within a container that weren’t part of the container’s image, attempting to bind a shell interpreter’s I/O streams to a network socket, or attempting to execute OS commands from deserialized Python objects.
When attackers attempt to execute known exploit-based attack chains, invariant-based enforcement immediately recognizes deviations from established patterns, interrupting attacks instantly and decisively. By embedding proactive, invariant-based safeguards into underlying computing infrastructure, organizations can create inherently secure platforms that eliminate entire classes of exploit-based attacks, shifting cybersecurity from reactive firefighting toward real-time, proactive threat prevention.
This invariant-driven enforcement dramatically enhances protection effectiveness by promising to stop attackers in real-time. It also significantly improves alert clarity and reduces noise. Rather than overwhelming SOC teams with ambiguous, noisy telemetry, security analysts receive clear, high-fidelity alerts indicating precisely when and how a real attack has been thwarted. As a result, SOC analysts become less burdened, less prone to burnout, and more effective in managing genuine threats.
Some may ask, "How is this concept of 'Shift-Down Security' different from existing tools like SELinux?" The answer: modern attacks require runtime guardrails capable of spanning application, container, and node/host runtime environments comprehensively. SELinux, while valuable, primarily covers only certain aspects of the Node/Host-level runtime.
We need analogous Shift-Down Security guardrails that offer broader and deeper coverage, extending protection from applications down through containerized workloads to the underlying node infrastructure. This holistic enforcement approach has become essential to protecting against modern, AI-speed attack chains that cross multiple boundaries within computing platforms.
Getting closer to secure-by-default protection isn’t merely a matter of industry pledges or optimistic intentions. The first critical steps involve embedding reliable, real-time guardrails directly into computing platforms. Only then can we truly see and stop attackers as soon as their actions arise, rather than merely sounding yet another alarm after the damage has already occurred.
Bob Tinker, co-founder and CEO, BlueRockSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
