The Castle Has No Walls - Introducing Defensibility as an Enterprise Security Goal

It's time to retire the "castle" analogy when it comes to talking about how real Information Security should behave. I still hear it used a lot, and if you walked around the show floor at RSA 2013 you noticed there is still a tremendous amount of focus and vendor push around 'keeping the bad guys out.' I'm not saying there aren't a few companies focused on detecting the bad guys once they're already in, but it's rare to see because it's tougher. Mandiant, FireEye and a few others are on this crusade and are getting lots of press... so it's time to retire the castle analogy because, quite frankly, the castle that is today's enterprise has no walls.

Why all of a sudden start talking about retiring an analogy? I think it's important to have this happen industry-wide because we as a profession need to shift the way we think. If we can agree that the analogy is bad, and the thinking around it is outdated, perhaps the thinking will be pervasive into enterprise behaviors and things will start to change.

I've been talking a lot lately (and will be doing more of it) about modernizing your security programs to be 'defensible.' Defensible is an interesting word because it builds upon the thinking that security has used over the years, but doesn't strive for absolutes. 'Secure' unfortunately is still the target of many CISOs and, even worse, of company leadership such as the CEO or board of directors. We collectively know from experience that 'secure' is a mythical unicorn and doesn't actually exist... So the leap in logic is that we move to something that's defensible.

The idea is simple: the dictionary defines "defensible" as "able to be defended"... simple enough, right? The basic idea is that you aren't striving for an absolute, but rather for a position (or posture) that is able to be defended even when it's infiltrated. Let's analyze further.

There are a few basic things we need to understand when it comes to being 'defensible':

  1. Defensible does not mean secure
  2. There are more things to defend than there are resources to defend with
  3. Sometimes your defenses can become your weakness
  4. Defensibility requires deep understanding of what you're defending
  5. Defensibility focuses on what, why, how, when and from whom

Over the next few blog entries, I'm going to explore this idea of being defensible in greater detail. If you've got your own ideas of defensibility - or are doing this right now - please write, tweet, chat or call, as I'd like to hear from you and get your thoughts, examples and ideas. Sharing is caring, folks, so let's start thinking as a community, and start thinking smarter. Let's think defensibly.

Note: There is some interesting prior work on this, and I encourage you to read "Defensible Space Theory" from architect and city planner Oscar Newman... it's the same concept applied to living space.

Seeds of this thought process came, in part, from Mr. Josh Corman (amongst others), with whom I've had many discussions over time. Apologies to those not explicitly listed who deserve credit.

Comments
Richard Steven Hack(anon) | 03-08-2013 05:36 PM
I agree with this approach. To my mind, "security" is defined as "the ability to HANDLE threats" - not just try to prevent them.
Geoff Brunkhorst(anon) | 03-11-2013 09:28 AM

I'd add one more thing to your defensibility list:

- Defensibility requires constant attention and practise on HOW to respond to an event/incident/breach.

It's key when you take the tack of: I'm not 100% secure, therefore I must be able to detect and respond quickly to limit the loss.

Rocky DeStefano(anon) | 03-17-2013 11:16 PM

About a year ago I posted some of my thoughts on "Defensibility" at least at a high level. 

http://www.visiblerisk.com/blog/2012/4/18/the-defensible-enterprise.html

Sinon Luong(anon) | 03-20-2013 06:03 AM

Is it just me, or is the list beginning to read like a plan-do-check-act approach to defending your enterprise? All you need on the list now is:

Defensibility requires a constant review and improvement programme.

Mike Fornal(anon) | 03-21-2013 11:05 AM

Raf,

I agree that defensible is a great mindset and something that more CISOs and board members should strive for, which in turn will help a company make itself resilient, which in my opinion is the main goal.

Thanks,

@fornalm
