Yesterday at IANS, Greg Shipley gave a great keynote that focused on a lot of things we do today in InfoSec that aren't necessarily as effective as they should be. Greg called for a change in our behavior as a community to address the gaps we have.
I didn't constrain what I meant by "offense" other than to suggest that it could include "active countermeasures," but what is obvious is that people immediately throw up walls around being "offensive" without spending much time defining what it actually means.
I've written and spoken about this before, but it's a rather contentious issue. It gets shelved pretty quickly by most but it really shouldn't in my opinion.
In a follow-on discussion after the keynote, Marcus Ranum, Richard Bejtlich, Rocky DeStefano and I were standing around shooting the, uh, stuff, when I brought this up again.
We had a really interesting dialog wherein we explored what "offensive computing" meant to each of us and it was clear that simply playing defense alone would never allow us to do anything more than spend money and hope.
I'm being intentionally vague, obtuse and non-specific when it comes to defining what I mean by "offensive," but we're at a point in time where at a minimum we have the technology and capability to add a little "offense" to our defense. There's not been a war yet that has been won with defense alone, so why do we expect we can win this one by simply piling on more barbed wire when the enemy is dropping smart bombs? This is the definition of insanity and a behavior that we don't talk about changing.
"Don't spend money on AV because it's not effective" is an interesting behavioral change from the perspective of how you invest. Don't lay down and take it up the assets by only playing defense is another.
You want a change in behavior? How about not playing the victim?
What are your thoughts on "offensive computing?"
/Hoff