Gartner Blog Network

Sand Castles and Advanced Persistent Threats

by Neil MacDonald  |  July 11, 2011  |  Comments Off on Sand Castles and Advanced Persistent Threats

I’ve been absent from blogging for 2 weeks – first we had the Gartner Information Security Summit in DC and then I took some time off for a much-needed vacation.

We spent some time at Hilton Head Island in South Carolina. They’ve got a pretty amazing flat beach where the difference between high tide and low tide can be about 300 feet of beach. We’d use this to have a daily sand building exercise before the tide would come in.


The first day we tried a traditional design – a big, thick wall around the inner castle (a lot like the one above – I didn’t bring my cell phone down to the beach for a pic). It lasted about 20 minutes before a large wave breached the wall. Once that happened, subsequent waves took no time in leveling the rest.

The next day we tried two walls by adding a second, smaller inner wall around the castle inside. That added maybe all of 2 minutes of survival time. Once the outer wall was breached, the inner wall stopped a wave or two, then it fell.

By the third day, we tried a different mindset. Assume the castle will be breached. So we tried a radically different approach. We designed a castle that gets the breached water back out through a system of moats and canals. Sure, there were walls as well – lots of them, but gone was the dependence on one or two walls.

The result? Well, the tide ultimately won – this is vacation after all — but we lasted a good 50 minutes before the castle was leveled.

As I battled the tide, I couldn’t help but think about our increasingly futile attempt to keep the bad guys out (you can see why I needed the vacation!)

For example,

Are you overly dependent on one or two layers of (fire)walls to keep the bad guys out?

Have you changed your mindset in how you approach information security? Assume you will be breached. You probably already have been, you just don’t know it yet. It’s time to change our thinking in information security.

The best protection = prevention + detection. We tend to be overly dependent on the prevention side to keep the bad guys (tide) out, but have invested little in detecting when an advanced intrusion has occurred.and minimizing the dwell time of attackers.

Strategies like Systematic Workload Reprovisioning aren’t a silver bullet, but do offer new approaches to information systems design to minimize the dwell time of advanced persistent threats.

Food for thought.

Additional Resources

Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer

As board members realize how critical security and risk management is, they are asking leaders more complex and nuanced questions. This research helps security and risk management leaders decipher five categories of questions they must be prepared to answer at any board or executive meeting.

Read Free Gartner Research

Category: beyond-anti-virus  next-generation-security-infrastructure  security-of-applications-and-data  

Tags: apts  beyond-anti-virus  defense-in-depth  information-security  next-generation-security-infrastructure  security-summit-na  systematic-workload-reprovisioning  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.