This is too good not to share. (By Dave Blazek, CC BY-ND 3.0 US.) Hat-tip to Gabe Basset for a great find.
Recently I had an interesting conversation about incident response (IR) and preparedness for incidents. For some reason the conversation centred around attack trees and how they can be used to improve the information security posture of a company. My take is that attack trees are great for the security mindset that puts prevention first, second, and third, with detection and response an equally distant fourth. They are not so good in a world where non-agent failure happens and your response to it defines how much damage the organisation wears in the end.
A short time ago I saw another one of those commonly held InfoSec wisdoms: as your organisation’s information security matures, your budget shifts from mostly prevention technologies to detection and response technologies. In other words, “we’re not mature, so we are spending 90% on prevention and the remaining 10% on detection and response”. The immaturity is in the approach, not the capability.

Majority of the budget on prevention

You spend a lot of time and money on controls to keep the bad actors out.