“If you’ve been around the infosec industry for a while, you might be familiar with an old adage:
the defender has to get most (if not all) things right to meet his goals, while the attacker has to get only a few things right and he wins.
This is unfair, but the closer you look, the more asymmetries unfold: for example, what exactly does “get things right” mean? It’s an interesting mental exercise, so let’s do it together.
When we discuss “setting things up properly” and “getting things right” in a security context, we lack a proper “definition of done” for large-scale security systems and their subcomponents (security controls), mostly because our decisions are bets against unknown unknowns. We go all the way to turn them into known unknowns by addressing the two extremes of the spectrum and filling the space in between: from external risk to internal posture.
- Moving from the outside, we analyse known threats and think of our ways to protect against them.
- Moving from the inside, we look at the attack surface and failure scenarios and, in the best cases, ponder “what will we do about it?” before picking an applicable standard and a set of best practices.
The efforts meet somewhere in the middle, and if you’re doing it right, you already have a proper understanding of the business risks related to security, have made a set of risk management decisions, and are now staring at long lists of “do this and do that” coming from compliance requirements and industry best-practice standards mapped onto your unique architecture and set of constraints.
Unfortunately, it does not lead you to a definite answer to “did I get things right?” Security failures that follow humongous budgets spent on security hint that getting things right is either very hard or totally impossible.”
This was the first part of the CTO blog post by Eugene Pilyankevich. Get to the real kicker of the story here:
I think the idea that “getting things right is very hard” has something to do with... or follow @9gunpi and @CossackLabs for more data security insights.