One way to characterize a cybersecurity strategy is by whether it takes action based on the definition of “known good” activity or “known bad” activity.
The “known bad” approach attempts to identify threats by monitoring activity (network requests, user actions, application behavior, etc.) and watching for anything that matches a predefined set of malicious or unsafe actions.
The “known good” approach starts by defining the expected behavior of users, devices, and applications, and then treats any deviation from that baseline as a potential threat.
Any effective cybersecurity strategy will incorporate elements of both approaches. But when implementing policies (for example, policies that define when to generate alerts or block activity), organizations usually need to choose whether they are taking action based on “known good” or “known bad” activity.
In most cases, especially in OT and ICS environments, the “known good” approach to cybersecurity is actually simpler to implement and more effective at protecting critical systems.
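The contrast between the two policy styles, as an added illustration that is not part of the original post: a small allowlist of expected OT conversations is evaluated beside a small signature-style denylist over constructed Modbus flows. Host addresses, the flow layout, and the rules are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Flow:
    """One observed OT network conversation (constructed sample data)."""
    src: str
    dst: str
    port: int
    proto: str   # application protocol, e.g. "modbus"
    func: str    # protocol operation, e.g. "read_holding_registers"

# "Known good": the complete set of expected conversations in this cell.
# Assumed addresses: HMI 10.0.1.10, historian 10.0.1.11, PLC 10.0.2.20.
KNOWN_GOOD = {
    Flow("10.0.1.10", "10.0.2.20", 502, "modbus", "read_holding_registers"),
    Flow("10.0.1.10", "10.0.2.20", 502, "modbus", "write_single_register"),
    Flow("10.0.1.11", "10.0.2.20", 502, "modbus", "read_holding_registers"),
}

# "Known bad": signature rules for activity already recognised as unsafe.
KNOWN_BAD: List[Callable[[Flow], bool]] = [
    lambda f: f.port == 23,  # cleartext telnet to a controller
    lambda f: f.proto == "modbus" and f.func == "write_multiple_registers",
]

def decide_known_good(flow: Flow) -> str:
    """Allow only what is on the list; any other flow is a deviation to alert on."""
    return "allow" if flow in KNOWN_GOOD else "alert"

def decide_known_bad(flow: Flow) -> str:
    """Alert only when a signature matches; anything unmatched passes."""
    return "alert" if any(rule(flow) for rule in KNOWN_BAD) else "allow"

# Constructed traffic: two expected reads and one single-register write from
# a host that has never talked to the PLC before and matches no signature.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 502, "modbus", "read_holding_registers"),
    Flow("10.0.1.11", "10.0.2.20", 502, "modbus", "read_holding_registers"),
    Flow("10.0.5.77", "10.0.2.20", 502, "modbus", "write_single_register"),
]

def compare(flows):
    """Return (src, known-good verdict, known-bad verdict) for each flow."""
    return [(f.src, decide_known_good(f), decide_known_bad(f)) for f in flows]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print(row)
```

The third flow is flagged by the allowlist but passes the denylist, which has no signature for it; the cost of the allowlist approach is that its baseline must be complete, or legitimate but undocumented flows will alert too.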
*** This is a Security Bloggers Network syndicated blog from The Mission Secure Blog authored by Mission Secure. Read the original post at: https://www.missionsecure.com/blog/known-good-or-known-bad-choosing-a-starting-point-for-ot-cybersecurity