Because I'm all about the "good enough."

Saturday, February 9, 2013

All up in your bitness.

We knew it would happen: another security vendor gets hit, this time Bit9, which was admirably quick to disclose after it got in touch with its affected customers (and that's the order it should have happened in, folks). We also knew what would follow: the piling-on (I think Bromium wins the ambulance-chasing award this time around). Which is only fair, in that everyone is tempted to pile on every time there's a failure that is linked to a competitor.

But there's a big gap between those who are all pointing and laughing and those who sympathize. It falls along very clear lines: those who have spent time in defense and those who only know offense; those who enjoy pointing out flaws and claiming to have the answers, and those who have had to clean up after the proof that there are no complete answers.

Guess what? If your "solution" needs to be 100% implemented to be successful, then it's never going to solve the problem. Because in the real world, there's no such thing as 100%.

Security is an unrelenting business, one that you can never prove is done adequately. You'll never be finished, and you can never know if you can even take a break. And it's never fully appreciated by the people who make a living based on that reality: the vulnerability finders and the "solution" providers.

You may walk into an enterprise as a consultant, and you may be focused on addressing one particular problem (let's say, implementing monitoring). You may just assess the current situation, prescribe some controls, wish the customer luck, and be on your way to the next gig. Or you might even stick around to see that one project to its "completion" -- in which case, you'll be there for months or years. But unless you spend a year in the captain's chair, trying to cover every possible contingency with fallible humans, limited budget and "helpful" researchers coming up with new ways that your systems are attackable, you don't understand a thing about real defense.

If you are playing just one position, you don't understand the whole game.

Defense is frustrating; it's boring; it's tedious. It's not sexy when you are sitting in a boardroom with an auditor, or when you are looking at a list of scanner findings and trying to manage the year-long projects to fix them. You need an accountant's attention to detail, the skills of a master social engineer, the diagnostic skills of a doctor, and the patience of a saint. In short, you need to know everything that every possible attacker does, and you need to block all of it, all the time, immediately, using resources that you will never completely control.

So if you're one of the ones scolding a breach victim, you're just displaying your own ignorance of the reality of security in front of those who know better. Think about that for a while, before you're tempted to pile on.