“Pain is inevitable; suffering is optional.”
While those words aren’t attributable to the Buddha (as many think), they are still useful for describing the state of security today and the options available. I have sat in more than a few audiences and read more than a few papers that start with “breaches are inevitable,” and every time I hear it or read it, I am taken aback and usually a little frustrated with the author. I can accept this with some caveats. In a typical Enterprise environment, I will accept that “infrastructure compromise is inevitable…” but only if we add a message of hope here with “…but information compromise is not.” Information compromise is very much evitable.
The first thing we have to remember is that all online conflict, to date and that I know of or have even remotely heard of, is still fundamentally Human-to-Human conflict. It’s not Machine-to-Human or Machine-to-Machine…yet. And it won’t be for a good long while. I know some of you are reading this and going “wait a minute…” and thinking of several examples of malware and bots and the like. However, let’s not confuse the tools of conflict with the actors who engage in conflict. Modern warfare, for instance, involves tanks, guns, planes and ships; but when two countries go to war, we talk of the nations and people in question and don’t say “today, 400,000 rifles declared war on 250,000 rifles.” In that sense, all the conflict that we really care about is Human-to-Human; it’s just that we employ sophisticated machines as tools. We are not yet fighting Artificial Intelligences with their own reasoning (no matter how sophisticated) or motivations.
There’s probably an axiom here, but in any Human-to-Human conflict where you deploy a mere tool or machine without intelligence or reasoning, you will always end up in a content race. That is to say that if you take technology and throw it at a Human opponent, the Human opponent will adapt and change their behavior to defeat the technology, necessitating either direct Human intervention or indirect Human intervention in the form of patches, updates, signature files and the like.
If that makes sense, I can say with absolute certainty that the problem facing our industry is that the thing we expect to protect us, the establishment of technology at a perimeter in the form of network controls (like firewalls, IPS, IDS, WAF, etc.) and endpoint controls (like vulnerability management, patch management, desktop and application firewalls, antivirus, etc.), is doomed to failure. In a world where technology protects the infrastructure alone, technology alone can never suffice. The purpose of those controls therefore is to slow the enemy, channel him or her into certain pathways and to provide intelligence for something else. That means that the perimeter isn’t dead, but it is weaker and is a less glorified component in defense than it has historically been seen to be. But it’s still there. And it still gets breached.
And that hurts. That’s why pain is inevitable.
The suffering part is truly optional because it involves security departments doing something different. The realization that we are still in an age of Human-to-Human conflict is important because it demands the inclusion of Humans in the defense. Information breach is only going to be avoided if the focus leaves the tools and instead moves to the people and how they use tools and processes to close the gap and win the race. A little more on that is needed.
The gap over the last two decades between the proficiency of attackers and the proficiency of defenders has been growing. The main reason is that we resist hiring good people, training them and equipping them for a state of Human-to-Human conflict. From the moment an attack makes it into the soft interior of an Enterprise environment, the gun goes off and it becomes a race: mano a mano, hand-to-hand combat between people. This is non-trivial. If the proficiency of the attackers in thriving and traversing an enterprise environment, mapping, growing, exploring, hiding, exfiltrating is better than the proficiency of the defenders in finding, enumerating, controlling and ejecting the opponents, the suffering begins in earnest.
This is the purpose of Advanced Threat technologies. The goal isn’t to create another generation of technology to get trapped in the content race that is inevitable for any pure technology play to stop a Human attacker; the goal is to change the game and enable Defenders to stand up and win the race against attackers over and over again. It’s to say “yes, there’s pain; but we don’t suffer…in fact, we thrive!”
The post Pain is inevitable; suffering is optional appeared first on Arbor Insights - Our People, Products and Perspective.