Is Defense Winning?

Computer security professionals have been working weekends and through vacations for over 50 years yet haven’t changed that too many advantages still heavily favor attackers and not defenders. Sure, defenders have made countless gains but not relative to those made by attackers.

Until last year, with the publication of the US National Cybersecurity Strategy, it was never even an actual goal to improve defense at the largest scale and least cost, to shift those advantages. This is great progress but means little if we can’t measure if defense is indeed gaining relative advantages over attack. Our metrics have been stuck at the level of individual controls or enterprises.

This talk is the first step towards a framework of indicators to track if defense is winning, across Threat, Vulnerability, and Impact. Many of these indicators – such as changes to Mean Time to Detect – are already reported. Others – such an estimate of the Mean Time Between Catastrophes – need to be developed.

Those with data, such as security vendors reporting metrics for their annual reports, can map their findings to that framework. Analysts – from reinsurance companies, to academia, to the White House—can track defenders’ overall gains over attackers. If defenders want to ever shift the balance, so our children’s children aren’t suffering as we have, we must shift the balance and in measurable (and measured) ways.

By:
Jason Healey | Senior Research Scholar, Columbia University

Full Abstract and Presentation Materials:
https://www.blackhat.com/us-24/briefings/schedule/#is-defense-winning-40663Black HatRead More