This is a follow-up to my post Response for Daily Dave. I realized I had a similar exchange three years ago, summarized in my post Response to Daily Dave Thread. Since I don't seem to be making much progress in this debate, I decided to render it in two slides.
First, I think everyone is familiar with the Defender's Dilemma.
The intruder only needs to exploit one of the victims in order to compromise the enterprise.
You might argue that this isn't true for some networks, but in most places if you gain a foothold it's quickly game over elsewhere.
What Dave and company don't seem to appreciate is that there is a similar problem for attackers. I call it the Intruder's Dilemma.
The defender only needs to detect one of the indicators of the intruder’s presence in order to initiate incident response within the enterprise.
What's interesting about this reality is that it applies to a single system or to a collection of systems. Even if the intruder only compromises a single system, the variety of indicators available makes it possible to detect the attacker. Knowing where and when to look, and what to look for, becomes the challenge. However, as the scope of the incident expands to other systems, the probability of discovery increases. So, perversely, the bigger the incident, the more likely someone is going to notice.
Whether or not you can actually detect the intruder's presence depends on the amount of visibility you can achieve, and that is often outside the control of the security team because the security team doesn't own computing assets. However, this point of view can help you argue why you need the visibility to detect and respond to intrusions, even though you can't prevent them.
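The two preceding paragraphs make a probabilistic argument: each compromised system exposes several indicators, each of which the defender may notice, and the chance of at least one detection grows with the scope of the incident and with the defender's visibility. The following is an added example, not code from the original post. It models that argument with assumptions of my own: indicators are independent, each indicator on a monitored system is noticed with the same probability `p_indicator`, and `visibility` is the fraction of systems the security team can actually see (the point made in the last paragraph). It computes the closed-form probability and checks it with a small Monte Carlo simulation.

```python
import random


def per_system_detection_probability(indicators_per_system, p_indicator, visibility):
    """Probability that one compromised system yields at least one noticed indicator.

    Modelling assumption: the system is visible to the defender with probability
    `visibility`; if visible, each of its indicators is independently noticed with
    probability `p_indicator`.
    """
    if indicators_per_system < 0:
        raise ValueError("indicators_per_system must be non-negative")
    if not 0.0 <= p_indicator <= 1.0 or not 0.0 <= visibility <= 1.0:
        raise ValueError("p_indicator and visibility must be probabilities in [0, 1]")
    missed_every_indicator = (1.0 - p_indicator) ** indicators_per_system
    return visibility * (1.0 - missed_every_indicator)


def detection_probability(n_systems, indicators_per_system, p_indicator, visibility=1.0):
    """Probability that at least one of n compromised systems is detected.

    The intruder escapes only if every compromised system goes unnoticed, so this
    is 1 - (1 - per_system)^n: the Intruder's Dilemma in closed form.
    """
    if n_systems < 0:
        raise ValueError("n_systems must be non-negative")
    per_system = per_system_detection_probability(indicators_per_system, p_indicator, visibility)
    return 1.0 - (1.0 - per_system) ** n_systems


def simulate_detection_rate(n_systems, indicators_per_system, p_indicator,
                            visibility=1.0, trials=20000, seed=1):
    """Monte Carlo estimate of detection_probability, to sanity-check the formula."""
    rng = random.Random(seed)
    detected_incidents = 0
    for _ in range(trials):
        for _ in range(n_systems):
            # Unmonitored system: its indicators exist but nobody can see them.
            if rng.random() >= visibility:
                continue
            # Any single noticed indicator is enough to initiate incident response.
            if any(rng.random() < p_indicator for _ in range(indicators_per_system)):
                detected_incidents += 1
                break
    return detected_incidents / trials


def scope_table(max_systems, indicators_per_system, p_indicator, visibility=1.0):
    """Detection probability as the incident grows from 1 to max_systems hosts."""
    return [(n, detection_probability(n, indicators_per_system, p_indicator, visibility))
            for n in range(1, max_systems + 1)]


if __name__ == "__main__":
    # Constructed parameters: 5 indicators per host, each noticed 10% of the time.
    for visibility in (1.0, 0.5):
        print(f"visibility={visibility:.0%}")
        for n, prob in scope_table(10, 5, 0.1, visibility):
            print(f"  {n:2d} compromised system(s): P(detect) = {prob:.3f}")
    print("simulated, 1 system, full visibility:",
          round(simulate_detection_rate(1, 5, 0.1), 3))
```

Running the table shows the "perverse" effect from the post: with full visibility and weak per-indicator odds, a single host is caught well under half the time, but ten hosts push detection above 99%. Halving `visibility` halves every per-system term, which is the argument for instrumenting assets the security team does not own: no amount of intruder sprawl helps the defender on systems nobody is watching.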
Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.