APT - Advanced Persistent Threat has been the nervous topic for a long time now in Information Security. While there is a metric ton of misinformation and confusion about what constitutes an Advanced Persistent Threat, the thrust seems to be that once you're a target, you're a victim.
Given that I'm a pragmatist it shouldn't surprise you that my position on defense against APT is that anyone who tells you they can 'stop' APT and using absolutes is either delusional or trying to sell you something (or a bit of both).
The fact of the matter is this - Advanced Persistent Threats are real. They're a threat to business through intellectual property theft, through espionage and infiltration of our government secrets and defenses, and potentially a compromise of our infrastructure.
Not that it's a secret or anything - but you, me, and everyone seeking to protect something of value is thinking about defense against APTs.
You may be thinking to yourself - "Self, does this mean that since we can't effectively 'stop' APT that we've given up?" Absolutely not. What you, me, and everyone else vested in Information Security needs to learn to live with is that the 'bad guys' are likely already inside the castle, and we don't always have nice labels on them to identify them. This is where my post from yesterday falls right in line as well...
If we can't 'stop' the APT, what then? I think the answer isn't if we we can stop APT, it's all about the response.
I've been harping on the notion that enterprises need to have more visibility into their operations, and we've discussed this at length in the hallways at conferences. Situational awareness is absolutely key.
If you were at HP DISCOVER you heard Bill Veghte, our chief strategist, talk about a concept called "forensic foresight"... more on that later too. Bottom line is that you need to see everything, have fantastic analytics tying all of your operations silos together, and then build response capabilities that are able to respond to all types of threats and events.
Sure, that's easier said than done. In fact, this is so far from simple that I'm dedicating a series of blogs with input from real-world responders across the IT and business silos... this is a huge topic that needs a bright spotlight.
I think we need to get away from absolutes like 'secure'. Seriously, who actually feels "secure"? I can say that given my defenses I feel confident of my security posture for a certain time/attack. What I mean by that is that I expect my defenses to deter a specific level of attacker for a relative period of time. There is a formula for this, again it's not absolute, but I think it works nicely.
If I am defending an asset worth $1B USD then I can probably devise an experience-based formula that says if I spent .5% ($5,000,000 USD) I could expect to deter a determined attacker (who is actively engaged in trying to break in) for 10 hours.
Now, I totally made that up and it may make zero sense in your environment but I hope you get the idea I'm trying to convey. You're never going to say that for any percentage of that asset value you'll actually be able to 'stop' the attacker, period. You're simply going to be able to detect, deter and respond in such a manner that will keep that protected asset safe to a level your organization is comfortable with.
I strongly believe that when we look back at ourselves as an industry in 10 years we will remember a turning point where we stopped thinking in absolutes and started thinking in realistic relatives.
You can't 'stop' an attacker absolutely, but you absolutely can devise a strategy given your level of acceptable risk which allows you to detect, deter, and respond in an acceptable manner.
This is the new reality of Information Security. Get with it, or get left behind scratching your head.
Cross-posted from Following the White Rabbit