There are many ways to separate cybersecurity solutions into categories. For example, you can separate them based on where they take action (network vs endpoint), where they reside (cloud vs on prem), or how they're deployed (hardware-defined vs software-defined). Another useful distinction is to look at whether security tools take a “known-good” or “known-bad” approach to identifying potential threats.
The known-bad approach is based on malware signatures, threat intelligence feeds, known attack patterns, and other common indicators of malicious activity. When something (network traffic, user behavior, application activity, etc.) matches a predefined set of malicious or unsafe conditions, it's considered a possible threat. This approach is fundamentally reactive: it can only flag activity that has already been seen, analyzed, and written up as an indicator, so a novel technique or a zero-day exploit passes unnoticed until someone publishes a signature for it.
The known-good approach, on the other hand, is fundamentally proactive. It starts by defining the expected behavior of users, devices, and applications (in effect, an allowlist rather than a denylist), and treats any deviation from that baseline as a potential threat, whether or not the deviation matches anything previously catalogued as malicious.
Any effective cybersecurity strategy will incorporate elements of both approaches. But when implementing policies (for example, policies that define when to generate alerts or block activity), organizations usually need to choose whether they are taking action based on known good or known bad activity.
In most cases, especially in OT and ICS environments, the known-good approach to cybersecurity is simpler to implement and more effective at protecting critical systems. Industrial networks are highly deterministic: the same HMIs poll the same controllers over the same protocols on a fixed schedule, and the set of hosts and conversations changes only when someone deliberately changes it. That makes the baseline small and stable, and it makes nearly every deviation worth investigating. The trade-off is that the baseline must be maintained under change control; a legitimate change such as a new engineering tool or a firmware update will be flagged until the allowlist is updated to include it.
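The following is an added example, not code from the original article or from Mission Secure, that puts the two approaches side by side over a handful of constructed OT network flows. The IP addresses, the threat-intel indicators, and the "commissioning window" used to learn the baseline are all assumptions made for illustration.

```python
"""Known-bad (indicator match) vs known-good (baseline deviation) over sample flows."""
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

FlowKey = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Flow:
    """One observed network conversation, reduced to the fields a policy needs."""
    src: str
    dst: str
    proto: str
    dport: int

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.proto, self.dport)


# Constructed sample traffic (not real capture data): an HMI polling two PLCs over
# Modbus/TCP and an engineering workstation (EWS) reaching a patch server, followed
# by three flows that should not be happening on this network.
OBSERVED = [
    Flow("10.0.10.5", "10.0.20.11", "tcp", 502),     # HMI -> PLC1, Modbus/TCP
    Flow("10.0.10.5", "10.0.20.12", "tcp", 502),     # HMI -> PLC2, Modbus/TCP
    Flow("10.0.10.7", "10.0.1.2", "tcp", 443),       # EWS -> patch server, HTTPS
    Flow("10.0.10.5", "10.0.20.12", "tcp", 44818),   # HMI -> PLC2 on EtherNet/IP: new protocol
    Flow("10.0.10.9", "10.0.20.11", "tcp", 502),     # never-seen host polling PLC1
    Flow("10.0.10.7", "203.0.113.77", "tcp", 4444),  # EWS -> Internet host on a C2-style port
]

# --- Known-bad: match flows against indicators of compromise -------------------
# Hypothetical threat-intel entries invented for this example.
BAD_DST_IPS = {"203.0.113.77"}
BAD_DST_PORTS = {4444}


def is_known_bad(flow: Flow) -> bool:
    """Flag only flows that match a published indicator."""
    return flow.dst in BAD_DST_IPS or flow.dport in BAD_DST_PORTS


# --- Known-good: learn the expected conversations, then flag anything else -----
def learn_baseline(flows: Iterable[Flow]) -> Set[FlowKey]:
    """Build the allowlist from flows seen during a trusted commissioning window.

    In practice this window is reviewed by engineers before it is trusted; here it is
    simply assumed to be the first three flows.
    """
    return {f.key() for f in flows}


def is_deviation(flow: Flow, baseline: Set[FlowKey]) -> bool:
    """Flag any conversation that was not part of the learned baseline."""
    return flow.key() not in baseline


def classify(flows: Iterable[Flow], baseline: Set[FlowKey]) -> dict:
    """Return what each approach would alert on for the same traffic."""
    flows = list(flows)
    return {
        "known_bad": [f for f in flows if is_known_bad(f)],
        "known_good": [f for f in flows if is_deviation(f, baseline)],
    }


# Assumed: the first three flows were captured during commissioning and are trusted.
BASELINE = learn_baseline(OBSERVED[:3])

if __name__ == "__main__":
    for approach, flagged in classify(OBSERVED, BASELINE).items():
        print(f"{approach}: {len(flagged)} flagged")
        for f in flagged:
            print(f"   {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

The known-bad pass alerts only on the outbound connection to the listed address, because that is the only flow for which an indicator exists; the unknown host polling PLC1 and the HMI's sudden use of EtherNet/IP go unreported. The known-good pass alerts on all three unexpected flows without needing to know anything about the attacker. The cost shows up in `learn_baseline`: if the EtherNet/IP traffic had been an approved change, the allowlist would have to be updated through change control or it would keep generating alerts.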
Mission Secure is a Virginia-based cybersecurity company that provides threat detection, OT monitoring, incident response and related solutions for businesses.