Deconstructing Defensible - Defensible is not the Same as Secure

Tuesday, April 02, 2013

Rafal Los


In my previous post, The Castle has no Walls, I introduced the concept of 'defensible' as a goal for enterprises to replace the notion of secure which I fully believe is an outdated and broken descriptor for anything in today's hyper-connected, modern world. This post and the few that follow go through the five basic ideas behind defensibility and why defensible is a state we should be striving for as enterprise security professionals.

This is the first of 5 blog posts explaining the core concepts of 'defensible'.


Defensible is not Secure


While apparently not everyone agrees, 'defensible' is a much more appropriate term for describing your enterprise posture. There are a few reasons for this, but at the core we must understand that the term 'defensible' is not concrete and does not imply a binary state. Unlike secure, which does imply a binary state (you're either secure or you're not), defensible offers no such promise. Let's be honest though: anyone who truly believes anything is really secure just has to wait a few minutes until they're proven wrong...


This leads me to the major problem I have with the word 'secure' - there is no such state. If we're honest with ourselves and our businesses, we have to admit that there is no such thing as 'secure.' To work around the binary nature of secure, we add modifiers such as "reasonably secure" or "inadequately secure," but those are not well accepted when the board room demands an assurance of security.


"Defensible," on the other hand, gives no assurance and implies no concrete state. This fits the hyper-connected world we live in, where at any given time anything can be broken with enough cycles or scrutiny. Defensible is not a guarantee or an assurance against hacking or a breach - and I think this is the most important point. While 'secure' is used as an assurance that a breach will not befall our enterprise, defensible is something else entirely and makes no such guarantees. I can already hear people cringing...


What does Defensible Mean?


So, if defensible doesn't give us a guarantee against being hacked or breached, as 'secure' purports to, what does it imply? What guarantees does 'defensible' provide us?


I think that defensible is an even stronger word than secure if you look at it right. Defensible means that you've positioned the right defenses in the right place, at the right time, for the right reasons, to defend against the right adversary. Defensible also means that your environment and infrastructure are built such that they can adapt to failure when and if it happens. Yep, that's a lot of things that have to line up, without guaranteeing you won't get breached. Josh Corman has a pyramid model that has "defensible infrastructure" as the base for a strong security program. This is the absolute truth.


Defensible is a stronger concept than secure because it has one magic component that 'secure' lacks: the built-in ability to detect, respond to and restore from malice.


Whereas 'secure' tends to focus on prevention of a breach, defensible focuses as much on prevention as it does on adjustment, detection, response and restoration of service. Therein lies the magic. You can now tell your CEO or board that while you will continue to allocate resources to prevention, you acknowledge that it's impossible to be 100% secure. You'll now strive to be defensible. Defensible means that you've designed your infrastructure to be able to patch when needed without business disruption, to adapt to adversaries and to changing technical and business conditions, and to contain a breach in progress.


Admittedly, it won't be simple to just tell the Chief Executive of your enterprise that you can't guarantee an absolute state of security. I also believe that rational people understand this, and if your executives and board are worth their salt, they'll understand too, if you present it properly.


While defensible is not secure, I believe that it is, in fact, better and more appropriate for the enterprise.


In the next post we'll tackle why it's impossible to 'defend everything'... Stay tuned!


Cross Posted from Following the Wh1t3 Rabbit 
