
I couldn't disagree more. Defenders and attackers are alike in many ways. I disagree with the post as well.

Mature security teams, for example, use BloodHound, which uses Neo4j to visualize attack paths in AD. Defenders (good ones) don't think in lists.

> "The defender’s job isn’t defense."

Yes, it is. Obviously!

> "It’s a side show, and a distraction from the main business of whatever else the defenders are trying to do"

I'm sorry, but what else are defenders trying to do that isn't defense? Are all defenders completely incompetent then?

> "By contrast, an attacker’s entire job is to attack the system."

Yes, and there are people in mature security teams whose entire job is to search for and stop (not just react to alerts) attackers.

> "Attackers win for the same reason that Microsoft is better at publishing operating systems than Cisco, because Cisco's operating systems are a means to an end. Microsoft's are the end"

I think you have an incorrect perception of what security teams do. It is both a matter of strategy and resources. There are security teams whose budget is in the hundreds of millions of dollars and who employ some of the brightest cybersecurity strategists and professionals. You rarely (if ever) hear their names in relation to a breach or compromise. There are also much less capable security teams who do well against most attackers, but will inevitably get pwned by an APT, except the good defenders catch the APTs before they cause significant damage.

At well protected organizations, attackers lose 99.9% of the time (probably higher, I'm guessing here). Attackers simply need to win once to succeed, while defenders need to succeed 100% of the time.
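The comment above points to BloodHound-style attack-path analysis as the way good defenders reason about AD. As an added illustration (not code from the thread or from BloodHound itself), here is the core of that idea in plain Python: a constructed edge list using BloodHound's relationship vocabulary (MemberOf, AdminTo, HasSession, GenericAll), a breadth-first search for the shortest path from a principal to Domain Admins, and a reverse walk answering "who can reach this target at all". Every user, group and host name is made up.

```python
"""Shortest attack-path search over an Active Directory-style graph.

Added example; it mimics the kind of question BloodHound sends to Neo4j,
using a constructed edge list instead of real collector output. Edge
types follow BloodHound's vocabulary, but every principal is invented.
"""
from collections import deque

# Constructed sample graph: (source, relationship, target).
# AdminTo: group/user has local admin on the host.
# HasSession: the host currently holds a logon session for the user.
# GenericAll: full control over the target object.
SAMPLE_EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS01.corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS02.corp.local"),
    ("WS02.corp.local", "HasSession", "bob@corp.local"),
    ("bob@corp.local", "MemberOf", "SERVER-OPS@corp.local"),
    ("SERVER-OPS@corp.local", "AdminTo", "SRV01.corp.local"),
    ("SRV01.corp.local", "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "GenericAll", "DOMAIN ADMINS@corp.local"),
    ("carol@corp.local", "MemberOf", "FINANCE@corp.local"),
    ("FINANCE@corp.local", "AdminTo", "WS03.corp.local"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_attack_path(edges, start, target):
    """BFS; returns [(src, rel, dst), ...] or None if target is unreachable."""
    adj = build_graph(edges)
    if start not in adj or target not in adj:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in adj[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    # Walk back from the target to rebuild the edge sequence.
    path = []
    node = target
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    path.reverse()
    return path


def principals_reaching(edges, target):
    """Every node with some path to target: the 'who can reach DA' question."""
    reverse = {}
    for src, _rel, dst in edges:
        reverse.setdefault(dst, []).append(src)
    seen = set()
    stack = [target]
    while stack:
        node = stack.pop()
        for prev in reverse.get(node, []):
            if prev not in seen:
                seen.add(prev)
                stack.append(prev)
    return sorted(seen)


if __name__ == "__main__":
    da = "DOMAIN ADMINS@corp.local"
    for hop in shortest_attack_path(SAMPLE_EDGES, "alice@corp.local", da) or []:
        print("%s -[%s]-> %s" % hop)
    print("can reach DA:", principals_reaching(SAMPLE_EDGES, da))
```

The list view of the same data (alice is in HELPDESK; HELPDESK admins WS02) never shows that a helpdesk account is seven hops from Domain Admins; the graph traversal does, which is the point the comment makes about lists.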




There is also Fix Inventory, which is a graph-based security tool:

https://github.com/someengineering/fixinventory

I'm one of the people behind Fix Inventory. What scares a lot of developers away from graph-based tools is the graph query language. It has a steep learning curve, and unless you write queries every day, it's really cumbersome to learn.

We simplified that with our own search syntax that has all the benefits of the graph, but simplified a few concepts like graph traversal.


> Yes, it is. Obviously!

> I'm sorry, but what else are defenders trying to do that isn't defense? are all defenders completely incompetent then?

You've misunderstood me. Defenders aren't the "cyber security team employed by AT&T to keep customer data secure". The Defenders are AT&T, who would rather spend their cyber security budget on just about anything else that could actually generate a profit. The cyber security team that AT&T hires might have the sole job of building the most robust defense system imagined, but even if they do, their efforts will be continuously stymied and reduced because true, complete, robust security will get in the way of actually doing the things AT&T wants to do.

Or to put it another way, a company that spends all their money on perfect cyber security is as useful as the proverbial perfectly secure computer encased in concrete and buried a mile underground with no power or network connections.


But that's false equivalency. The attackers also work for organizations. It is a bit rare for individuals to hack companies these days. APTs are teams, sometimes they are employed by intelligence or military units of countries, other times they are employed by a criminal organization and yet other times they are loosely formed organizations between individuals with a financial or political goal, like hacktivists as an example. But they have hierarchy, motive, goals, even a work schedule and paid vacations and bonuses.

Even for individual hackers, there are individual good hackers (commonly called "whitehat" although I deride that term) doing bug bounties and finding CVEs.

The main differences between attackers and the attacked are intent, resources and which side you're on. The NSA and CIA are the good guys from my perspective, but they are the bad guys for defenders working in Russian or Chinese government cyber defense teams.


> But that's false equivalency. The attackers also work for organizations.

You've missed my point or I wasn't clear enough. It doesn't matter that they're part of a larger organization. That organization's goal is attacking, or at one step removed, selling/using the resources gained from attacking. Defenders are never in an organization whose business is the Defending.

Or let's use your CIA example, and for the sake of argument, let's pretend there are no other countries in the world other than the USA, Russia and China. In a world where there are no Russian or Chinese Attackers, the CIA would not spend money on defense against Russian and Chinese attackers. But in a world where there are no defenders in Russia and China, the CIA would still spend money on attacking and exfiltrating data from Russia and China. They would just be vastly more successful at it.

Or as a different analogy, mining companies mine because they want to sell the ore and gold in the mountains. But we still call them "mining companies" because that's their job. And they are often opposed by environmental groups working to defend the mountain. In a world where there were no mining companies, no one would be organizing an environmental group to defend the mines because there's no gain to spending time and resources standing around and guarding mountains and ore that no one is trying to get access to. But in a world where there are no environmental groups, there would still be mining companies.


Defenders is referring to the entire org, not just the security team.


> I'm sorry, but what else are defenders trying to do that isn't defense?

This is an uncharitably narrow reading of the post to which you're replying, isn't it? Defenders are trying to ship. To make money to make payroll. Create profit centers, not cost centers.

You can say that security is a feature and a load-bearing one, and I'd agree with you, but not everyone who makes decisions will do the same.


You're wrong, defenders are not profit centers. You don't expect the security guard for your office building to generate profit, why would you do so for your digital assets? Defenders are like lawyers and HR, they are cost centers whose existence is justified because attackers also exist.

> "You can say that security is a feature and a load-bearing one, and I'd agree with you, but not everyone who makes decisions will do the same."

Maybe it is, but I wouldn't put it that way. Security teams exist because people with bad intent that want to harm you exist. Just like lawyers exist because people who sue you (including the government) exist.

Imagine stating "lawyers don't exist to protect from lawsuits", that's how it sounds to me. If defenders aren't there to defend, then their existence isn't justified.

> "Defenders are trying to ship"

Defenders are there so that when other teams who "ship" attempt to do so, the application, system, company or wherever you have protected data doesn't get compromised. And this is before and after "shipping" or deployment. Security is a cost of business, whose ROI is measured by the fact that you are doing business without getting hacked, nothing more.


> You don't expect the security guard for your office building to generate profit, why would you do so for your digital assets?

Yes, that's why companies cut cost on security guards as much as they possibly can. From the product-making company standpoint security is mostly a cost.


Yes it is mostly a cost. Breaches are also a cost. When the Home Depot security team tried to fix the issues that got them pwned, the execs said "we're not a security company, we sell hammers". Box ticking mindsets like that are held by incompetent and short sighted executives. The cost of security is decided by the cost of a potential compromise, it has nothing to do with profit margins. A lot of companies learn this lesson the hard way. Many "snakeoil" security companies exist because of this incompetent line of thinking by executives. It is easier to say you paid some company who made some b.s. claim than to actually fix problems, even if the 3rd party costs more than the cost of fixing problems.

In short, what you and OP commenter describe is incompetency, it should not be taken as the default, those are not defenders, those are mismanaged organizations. We're in 2024, every exec should know better.


> In short, what you and OP commenter describe is incompetency, it should not be taken as the default, those are not defenders, those are mismanaged organizations. We're in 2024, every exec should know better.

Everything in life is a trade off, and no-one is in the business of perfect cyber security defense. Therefore, businesses will *always* trade weaker cyber security defense for better/faster/cheaper/easier/more business in their actual line of business. Just like you do every single day. Do you have ALL traffic on your home network encrypted with mutual server and client certificate verification? Do you only have your 256 character passwords memorized in your head and not stored in a password manager anywhere or otherwise recorded somewhere? Are all of your home systems equipped with strict outbound firewall rules that only allow one time, on demand and confirmed communications with the wider internet? Have you hardened your home network against data exfiltration via DNS queries[1]? If you use 2FA for your accounts, and the objectively weaker password managers to store your passwords, are your 2FA tokens kept on completely separate devices from your password managers? Do you only allow direct console access to any of your systems and have no remote access like SSH enabled? Do you have every single computer backing up its data into multiple redundant copies, without using the network for data transfer and with at least one if not more of those copies stored off site?

If you answered "No" to any of those questions, you also have chosen the route of "incompetency" and "mismanagement". It's 2024, and every IT person should know better. But of course we do "know better" and choose the objectively weaker options anyway because the stronger options get in the way of actually doing the things we want to use our systems for. You don't choose perfect cyber security defense for your home network because you don't have a home network for the purpose of practicing perfect cyber security defense. So it is with businesses, they don't have their systems for the purpose of practicing perfect cyber security defense either.

[1]: https://www.akamai.com/blog/security/dns-the-easiest-way-to-...
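The comment above asks whether anyone actually defends a home network against exfiltration over DNS queries. As an added illustration of what that defense looks like on the detection side (not code from the thread or from the linked Akamai post), here is a heuristic run over constructed resolver log lines: for each client and parent domain it counts distinct leftmost labels and measures their average length and Shannon entropy, and flags the combination of many, long, high-entropy labels under one domain. The log format (timestamp, client, query type, name), the hostnames and the thresholds are all assumptions; a busy CDN with many short subdomains is included to show what is not flagged.

```python
"""Heuristic detector for DNS-tunnelled exfiltration over constructed log lines.

Added example. The "<timestamp> <client> <qtype> <qname>" format is assumed,
not a real resolver's; hosts and addresses are invented. Signals used: many
distinct, long, high-entropy leftmost labels under one parent domain from a
single client. Thresholds are illustrative and need tuning per network.
"""
import hashlib
import math
from collections import defaultdict


def _chunk(i):
    """Stand-in for an attacker's hex-encoded payload chunk (32 hex chars)."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]


BENIGN_LINES = [
    "2024-01-15T10:00:01Z 10.0.0.5 A www.example.com",
    "2024-01-15T10:00:02Z 10.0.0.5 A mail.example.com",
    "2024-01-15T10:00:03Z 10.0.0.5 AAAA login.example.net",
] + [
    # A busy CDN: many distinct subdomains, but short and low-entropy.
    f"2024-01-15T10:00:{4 + i:02d}Z 10.0.0.5 A img{i}.cdn-example.net"
    for i in range(12)
]

# Tunnel traffic: payload chunks carried in the leftmost label of a domain
# whose authoritative server the attacker controls.
TUNNEL_LINES = [
    f"2024-01-15T10:00:{20 + i:02d}Z 10.0.0.7 TXT {_chunk(i)}.evil-tunnel.test"
    for i in range(10)
]

SAMPLE_LOG = "\n".join(BENIGN_LINES + TUNNEL_LINES)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (timestamp, client, qtype, qname) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, name = parts
        records.append((ts, client, qtype, name.rstrip(".").lower()))
    return records


def parent_domain(name):
    """Registered-domain approximation: last two labels (no public suffix list)."""
    return ".".join(name.split(".")[-2:])


def find_dns_exfil(records, min_unique=8, min_label_len=20, min_entropy=3.0):
    """Return one alert dict per (client, parent domain) that trips all thresholds."""
    stats = defaultdict(lambda: {"labels": set(), "qtypes": set()})
    for _ts, client, qtype, name in records:
        labels = name.split(".")
        if len(labels) < 3:
            continue  # no subdomain label available to carry data
        key = (client, parent_domain(name))
        stats[key]["labels"].add(labels[0])
        stats[key]["qtypes"].add(qtype)

    alerts = []
    for (client, domain), s in stats.items():
        labels = s["labels"]
        if len(labels) < min_unique:
            continue
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            alerts.append({
                "client": client,
                "domain": domain,
                "unique_labels": len(labels),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "qtypes": sorted(s["qtypes"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_dns_exfil(parse_log(SAMPLE_LOG)):
        print(alert)
```

The CDN client trips the unique-label count but not the length or entropy gates, which is why all three are required together; a real deployment would also rate the query volume per minute and whitelist known content networks rather than rely on the last-two-labels approximation of a registered domain.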


> We're in 2024, every exec should know better.

"Should" doesn't mean much. People respond to incentives. Can you explain the incentive function that exists today in the real world to prioritize the security cost center above the profit center?

I mean, I work at a company that I'd say does a pretty good job of this--in a regulated industry and after getting burned a few times. But you can still go full-send with VP approval, and the risk becomes part of the cost of doing business.


The problem goes even deeper, execs chase short term profits and stock ticker bumps, that's the root cause in my opinion. You shouldn't prioritize security over the main business and profit, that was not my suggestion, but you should prioritize long term profits and reputation (ability to make even more profits in the long term), which is where security comes into play.

In other words, security is necessary for business. Just like how you would want your offices secured from burglars -- because otherwise you can't do business well -- you should want your digital assets secured from hackers, except unlike physical security, it isn't just local malicious actors and competitors after your business but intellectual property thieves, hacktivists, financially motivated cybergangs and more (not just nation state actors).

Failure to give proper priority and funding to cybersecurity is failure to ensure conditions that make the company profitable and viable in the long term.


> security is necessary for business

It's not, though, that's the thing you aren't picking up. Managing risk to the tolerances necessary to make money is necessary for business. That's what's being done.

You say that it's about the long term, but within epsilon of nobody has gone out of business or even been seriously impacted by bad security posture. Experian gets wrecked on the regular, but it's not going out of business. Azure springs holes regularly enough that Corey Quinn has an ongoing schtick about it, but Microsoft isn't going out of business, either.

If you want security to be necessary for business, you need to make failing to operate securely a legitimate threat to an organization. Waiting for consumers to act collectively means you'll die of old age before seeing a twitch, so you're really talking about legislation. I would be in favor of this, to be clear--I think we as an industry are bad at cybersecurity, terrible even. But I'm describing what is, not what ought.


Companies go out of business because someone from China stole their intellectual property, that isn't uncommon. There are companies like RiskIQ and BitSight that rank your security posture, which other companies use to decide on giving you their business. If it is between your ransomwared company and the competition, you just lost a business advantage there. Azure and Microsoft are bad examples, as is Experian, they don't have much competition. I think the whole ransomware trend has skewed how people think about security. It isn't just outages like the ones caused by ransomware that are a concern, keeping secrets and confidential information from your competition is a big deal. As is the trust of your clients, that you will protect their information.

> Managing risk to the tolerances necessary to make money is necessary for business. That's what's being done.

I agree, but that isn't what is being done at most places. Every organization should spend as much as their risk tolerance allows them to do so on security. My problem is with spending as little as possible without getting into legal trouble.


> You're wrong, defenders are not profit centers. You don't expect the security guard for your office building to generate profit, why would you do so for your digital assets? defenders are like lawyers and hr, they are cost centers whose existence is justified because attackers also exist.

I didn't say that infosec was a profit center. But they're in tension with profit centers for attention and sway, and by the way--the profit centers are the ones who make money.

I've said it before, I'll say it again: People Respond To Incentives. Lawyers and HR are generally not respected except insofar as they protect companies from visible legal risk, and often not even then. Infosec is so vague as to appear as a tiger rock to people who aren't plugged into it.

> Defenders are there so that when other teams who "ship" attempt to do so, they don't get the application, system, company or wherever you have protected data doesn't get compromised.

Everyone, infosec included, is trying to ship. Shipping is how you make money, make payroll, and keep people employed. You only don't ship when your risk calculus indicates that the cost of not shipping is less than the cost of shipping.

This us-versus-them thing brings us back to "the most secure system in the world is in an unplugged box". But we don't operate businesses off of unplugged boxes. Risk management exists. If this is how you would argue risk management with the median exec I've known, you'd lose. I have skilled infosec friends who've had better success than this through wise process and product choices, though.





