Crossing Into a New Phase of How We View IT Security

I believe the evidence is now sufficient to say that we have crossed into a new phase of how IT Security is viewed in a broader perspective.  To be clear, I am not saying that the new phase is about recognizing that the adversary and the attacks that they build have evolved – that is well documented.  The new phase is about a pragmatic discourse about how IT security must accept fundamental change to effectively address the evolving threats at a much broader level.  This new phase is all about embracing a much harsher reality than the previous phase, because at its core, this new phase is about accepting that we cannot effectively shield endpoint computers and servers from every attack.  This new phase goes beyond analysts and strategists to the people on the front line of the daily battle.

Don’t dismiss the emotional transition centered around admitting – and accepting – that we simply cannot build enough walls or create a good enough shield to completely protect machines from attack.  It is human nature to seek protection first, and then come to terms with dealing with the consequences of when that protection fails only when it is clear that it will fail.  Walls bring protection, but they also imbue a false sense of security that people will cling to even when the evidence begins to build that the wall is no longer sufficient.

Many sources fueled this line of thinking.  The vendors all raced to sell the perfect shield and therefore the tide of messaging around prevention was overwhelming.  Executives were far more comfortable talking about protection than incident response, forensics, and remediation.  The rapidly growing number of attacks artificially inflated the antivirus detection rates in security reporting, creating a false sense of security.  Rank and file users were still generally under more pedestrian attacks and therefore felt no perceptible change in the greater threat landscape.

There have long been insightful thinkers and those on the front line protecting the information targeted by the Advanced Persistent Threat who have attempted to raise the level of discourse over the past several years.  The evolving threats have reached such a point of saturation that the pain has become more widespread.  This new reality has forced organizations to get past the emotional attachment to a 100% shield and we now have a critical mass large enough to drive the broader discourse.

So what are the general themes of this discourse and the new phase of IT Security?  Here is my summary:

| Old Phase Thinking | New Phase Thinking |
| --- | --- |
| Build as many walls as possible to prevent anything from getting to the machine | You cannot prevent everything, so you must be able to detect successful attacks |
| Assume the machine is clean unless I am told differently | Assume every machine is compromised |
| Re-image as a matter of policy | Remediate and fight through |
| Detection reports say I am more secure because I detect more attacks every month | Detection reports show more attacks being detected because there are more attacks to detect |

Several new articles came out in the past several weeks about assuming that your machine has been attacked – one such article by Andrew Jaquith can be found here.  I hear the shift in many of the presentations at conferences such as the Gartner Security Conference in late June.  It is a healthy discourse, and the right step toward a better way of thinking about meeting the evolving threats.  It also creates a much healthier set of expectations for all concerned.  IT security can balance prevention and detection and look into technologies that help them detect successful attacks.  Executives will be aware that there is no 100% shield and therefore understand the associated organizational risk.  All of this opens a far more pragmatic approach to the realities of today.  Or as Roger Grimes puts it in a recent article in InfoWorld: “Accept that your company’s IT system have been compromised — then get to work defending them”.

About Jim Ivers
Jim Ivers is the Chief Security Strategist at Triumfant
