It's time to retire the "castle" analogy when it comes to talking about how real Information Security should behave. I still hear it used a lot, and if you walked around the show floor at RSA 2013 you noticed there is still a tremendous amount of focus and vendor push around 'keeping the bad guys out.' I'm not saying there aren't a few companies focused on detecting the bad guys once they're already in, but it's rare to see because it's tougher. Mandiant, FireEye and a few others are on this crusade and are getting lots of press... so it's time to retire the castle analogy because, quite frankly, the castle that is today's enterprise has no walls.
Why all of a sudden start talking about retiring an analogy? I think it's important to have this happen industry-wide because we as a profession need to shift the way we think. If we can agree that the analogy is bad, and the thinking around it is outdated, perhaps the thinking will be pervasive into enterprise behaviors and things will start to change.
I've been talking a lot lately (and will be doing more of it) about modernizing your security programs to be 'defensible.' Defensible is an interesting word because it builds upon the thinking that security has used over the years, but doesn't strive for absolutes. Unfortunately, 'secure' is still the target of many CISOs and, even worse, of company leadership like the CEO or board of directors. We collectively know from experience that 'secure' is a mythical unicorn and doesn't actually exist... So the logical next step is to move to something that's defensible.
The idea is simple, and the dictionary defines "defensible" as "able to be defended"... simple enough, right? The basic idea is that you aren't striving for an absolute, but rather for a position (or posture) that is able to be defended even when it's infiltrated. Let's analyze further.
There are a few basic things we need to understand when it comes to being 'defensible':
- Defensible does not mean secure
- There are more things to defend than there are resources to defend with
- Sometimes your defenses can become your weakness
- Defensibility requires deep understanding of what you're defending
- Defensibility focuses on what, why, how, when and from whom
Over the next few blog entries, I'm going to explore this idea of being defensible in greater detail. If you've got your own ideas of defensibility - or are doing this right now - please write, tweet, chat or call, as I'd like to hear from you and get your thoughts, examples and ideas. Sharing is caring, folks, so let's start thinking as a community, and start thinking smarter. Let's think defensibly.
Note: There is some interesting prior work on this, and I encourage you to read "Defensible Space Theory" from architect and city planner Oscar Newman... it's the same concept applied to living space.
Seeds of this thought process came, in part, from Mr. Josh Corman (amongst others), with whom I've had many discussions over time. Apologies to those not explicitly listed who deserve credit.