Traditional rules of engagement suggest a winner and a loser at the end of a conflict. Of course, in the modern era, having seen the stalemate in Korea and Vietnam, we know that sometimes there's a third option that rests between "win" and "lose." Sometimes compromise is the best path forward. In other cases, you simply need to redefine the game to a more favorable outlook that allows you to see things for what they are. As the late, great Grandmaster Helio Gracie once said in his advanced age: he may not beat you, but you'll definitely never beat him. Sometimes surviving attack is a far greater victory than any other option.
In infosec, this is our problem today. Traditionally we've held the mindset that we "win" if we stop the attackers. This mindset is sheer folly. To "win" in this scenario we need to successfully defend against 100% of attacks, whereas the attacker need only succeed once (probabilistically this works out to being far less than 100%). This outdated mindset is also rather naive in that it assumes that your defensive capabilities can outweigh any adversary, as if our IT budgets are bottomless.
Instead, we need to acknowledge the nature of our asymmetric threat and realize that there is no way to achieve "perfect" security and resist 100% of attacks. To think otherwise is willfully ignorant. Instead, we must accept a new status quo based on survivability. That is, despite successful attacks, we can consider ourselves victorious in conflict merely by surviving. This shift in thinking allows us to now balance defensive measures against their realistic benefit, while also raising the importance of detecting attacks and initiating timely and appropriate response. The goal should be minimizing the impact of an attack while allowing operations to continue despite degraded conditions.
It is time to accept the inevitable reality: it's not "if" but "when" an attack will succeed. As such, to think that we can defend against all attacks is to ignore the modern realities of the threat landscape. It is thus time to shift our thinking to a new paradigm in which optimized survival is the new goal (optimized in terms of limiting losses).
Nice post. Curious if there was a specific motivation?
My 2 bits: above surviving, security can be a fun and rewarding career. It just takes some extra discipline to formalize and mature services, measure, learn from and set expectations with biz/IT owners.
Good stuff.
Its kinda the fuzzy logic applied in mathematics mixed with Buddha's meditations.
I like your point view, being in the IT department isn't as easy as others think.
@Jared - Thanks - yeah, it was based on a brief twitter exchange recently.
@Ice-Breaker - Glad you liked it - I like your characterization there, too! :)
I agree - surviving and limiting your losses is the goal. Isn't that's what life is all about? ;-)
People has a misconception about "perfect security" - there is no such thing. The question is; how do you make sure that you protect yourself from the security threats that will truly make an impact? Risk analysis can only do so much - because it's often the risks that you didn't see that will materialize and cause the biggest bang.
So we security professionals are forced into a defensive (fighting off what comes our way) instead of a proactive position like you mention above. Great post!
@Carsten -
Thanks for the comments. One point... I'm not overly concerned about threat enumeration... sure, threat modeling is important and valuable, but I think it's more useful to look at detection and recovery, acknowledging that defensive measures will hit the point of diminished returns very quickly these days. If you watch your data or systems and known when it's being touched, then action accordingly, then I think you'll be more successful. Or maybe not. ;) At any rate, that's, imo, the essence of survivability that nobody seems to understand.
cheers,
-ben
Ask Pete Herzog if he believes in perfect security. I hear he likes to debunk the myth that it can't be achieved. Otherwise RAV's would never score 100%.