I have not done a philosophical security blog post for a long time – and now I was suddenly inspired to write one while installing – rather, replacing with an HD version – security cameras at my house.
Given the house we have, I can imagine a physical security setup where every possible entrance (including second floor windows) and every camera is in the view of at least one security camera. That will take between 12 and 16 cameras. Coupling this with tamper-proof camera enclosures and protected cables, as well as smartly placed indoor cameras and a couple of hidden devices, one can … waste a lot of money.
Am I doing this? No, I don’t! I just want coverage of common ingress points [into the house] and a degree of assurance that a casual “attacker” (i.e. burglar) will be caught on camera at least once and the images would then be available to the police.
My focus here is a commodity attack, not a targeted one. Making a regular house resistant to dedicated burglar is an impossible affair, and the law of diminishing returns kicks hard – and early (I also have a dog — and not just any dog …)
In any case, why all this? I hear that many organizations developed a sudden, vendor-marketing-infused interest to fight advanced and targeted attacks. But guess what? More than a few of said organizations actually aren’t that good at fighting basic, commodity attacks – and they are NOT improving.
So, it is a free country and it is [in most industries] legal to really suck at infosec / “cyber.” However, I find it highly illogical and, in fact, wasteful, to attempt stopping or detecting an advanced attacker before you managed to succeed with a common one.
Along the same vein, I worry about people who are “concerned about targeted attacks” but lack any ability to tell that “yes, this attack IS in fact targeted” and , moreover, lack moderately effective defenses against opportunistic attacks in the first place.
So, yes, advanced attacks ARE real. Persistent threats ARE real. 0h-day-wielding state-sponsored superhackers ARE real. But, by god, why focus there if you can barely detect a more traditional intrusion, one that utilizes mid-1990s style tools, exploits and tactics!?
Focus on improving your security maturity – not on randomly picking high-maturity tools (like NFT) and practices (like hunting) and then declaring success! Before you buy another “anti-advanced-anything” box, THINK – are you handling the basics well already and, if YES, what is the best direction for improvement from your current position?
Blog posts tagged “philosophical”:
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed
Totally agree… I’ve spent a lot of time evangelizing the fact that you can’t buy advanced security. You must build your way there through people, process, technology, and practice. I love that you took the time to lay it out for people. I use the home security analogy a lot, as well. You don’t need to stop all the burglars, just deter the ones that are opportunistic.
PS – the blog comment Website field doesn’t accept .io as a valid domain. 😉
Tim from Evident.io
@Tim In full agreement that “one cannot buy advanced security” and one has to GROW it. I sooo wish more people knew it. The “we need a box for that” crowd is so overpowering ….
I am totally on the same page with you. I wrote a very similar post just a couple days ago.
You wouldn’t install security cameras if you didn’t also plan on locking your door. Attackers, physical or cyber, will always try to spend the least amount of money and time to get the highest reward.
@Adam Exactly — and many of those organization have a) THE most expensive camera and b) frequently unlocked side door.