Security, Deloitte hacked

Deloitte is a multinational professional services firm that “provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries.” In 2017, Gartner ranked Deloitte security consulting number one globally for the fifth year in a row. By all accounts, Deloitte is a well-respected company that definitely has their act together.

In March of 2017, Deloitte discovered it had been hacked.

It could happen to you.

I feel bad for those guys at Deloitte. They had many experts on staff and certainly, they had funds for security. If they got hacked, then nobody is safe. The root problem is that the cost of attacking is approaching zero, while the cost of defending increases without bound. I spoke about this at an ISACA conference this year. What is going on is a natural progression of how we manage information technology and how we think about security. If IT continues to grow through accretion and security professionals keep focusing on detection, then things will get worse.

Interactive Security

Some things we can detect, but spending resources trying to find mysterious “unknown unknowns” is not necessarily a wise investment for most organizations. While some organizations may have many expert cybersecurity analysts poring through petabytes of random data, looking for that next big discovery, can you or I afford that? Instead, we should prevent the things we know about (patches for everyone!) and then focus on increasing the cost of attack. The most effective way to do that is to interact with the attacker. This is what I call the interactive defense. Interactive defense does not need to be difficult, cumbersome, or expensive. It does, however, require a shift in thinking. Do not think only about what your adversary might do to you; you also need to think about what you can do to the adversary.

Give some thought to this interactive defense idea. If you had a tool that would interact with, or actively combat, the adversary, wouldn’t you want such an intelligent agent fighting for you?

A security program that will fight malicious hackers while I sleep? Yes, I will take one of those.