6 Engage Attackers with Active Defense

Companies can protect their important assets and make sure that enterprise-wide policies and structures are in place to minimize risk, but attackers are still out there. They are increasingly well funded and sophisticated, supported by a well-developed marketplace for malware and other tools for infiltrating networks, and using innovative tactics such as multistep attacks, misdirection, and stealthier malware, all designed to defeat corporate defenses.1 As a result, companies’ cybersecurity approach has to move from passive to active defense.

Passive defense means putting in place protections to keep attackers away from sensitive information assets. In a passive defense model, companies use security operations centers (SOCs) to monitor and manage their defense mechanisms. In military terms, the Maginot Line—the Second World War fortifications along the French/German border—was a passive defense strategy.

Active defense means engaging attackers long before they might succeed in causing a breach. The Royal Air Force embraced active defense when it used the new technology of radar to identify Luftwaffe raids while the German planes were still over the English Channel. The alerts enabled the RAF to dispatch aircraft to disrupt these attacks before they reached British cities.

The basic passive defense capabilities that a traditional SOC offers are utterly essential, but companies also have to turn on their radar; they have to create active ...