The Castle Has No Walls - Introducing Defensibility as an Enterprise Security Goal

Tuesday, March 19, 2013

Rafal Los


It's time to retire the "castle" analogy when it comes to talking about how real Information Security should behave. I still hear it used a lot, and if you walked around the show floor at RSA 2013 you noticed there is still a tremendous amount of focus and vendor push around 'keeping the bad guys out.' I'm not saying there aren't a few companies focused on detecting the bad guys once they're already in, but it's rare to see because it's tougher. Mandiant, FireEye and a few others are on this crusade and are getting lots of press... so it's time to retire the castle analogy because, quite frankly, the castle that is today's enterprise has no walls.

Why all of a sudden start talking about retiring an analogy? I think it's important for this to happen industry-wide because we as a profession need to shift the way we think. If we can agree that the analogy is bad, and the thinking around it is outdated, perhaps the new thinking will permeate enterprise behavior and things will start to change.


I've been talking a lot lately (and will be doing more of it) about modernizing your security programs to be 'defensible.' Defensible is an interesting word because it builds upon the thinking that security has used over the years, but doesn't strive for absolutes. 'Secure' is unfortunately still the target of many CISOs and, even worse, of company leadership like the CEO or board of directors. We collectively know from experience that 'secure' is a mythical unicorn and doesn't actually exist... So the leap in logic is that we move to something that's defensible.


The idea is simple, and the dictionary defines "defensible" as "able to be defended"... simple enough, right? The basic idea is that you aren't striving for an absolute, but rather for a position (or posture) that is able to be defended even when it's infiltrated. Let's analyze further.


There are a few basic things we need to understand when it comes to being 'defensible':


  1. Defensible does not mean secure
  2. There are more things to defend than there are resources to defend with
  3. Sometimes your defenses can become your weakness
  4. Defensibility requires deep understanding of what you're defending
  5. Defensibility focuses on what, why, how, when and from whom

Over the next few blog entries, I'm going to explore this idea of being defensible in greater detail. If you've got your own ideas of defensibility - or are doing this right now - please write, tweet, chat or call, as I'd like to hear from you and get your thoughts, examples and ideas. Sharing is caring, folks, so let's start thinking as a community, and start thinking smarter. Let's think defensibly.


Note: There is some interesting prior work on this, and I encourage you to read "Defensible Space Theory" from architect and city planner Oscar Newman... it's the same concept applied to living space.


Seeds of this thought process came, in part, from Mr. Josh Corman (amongst others), with whom I've had many discussions over time. Apologies to those not explicitly listed who deserve credit.


Cross Posted From Following the Wh1t3 Rabbit

Christopher Gibson Great thought!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.