Category Archives: Security

Putting an End to the End of Active Defense

Today jerichoattrition wrote a provocative blog post called “Putting an end to ‘strike back’ / ‘active defense’ debate…” The magic phrase offered is this:

Ending the Debate In One Easy Line

If a company can’t do defense correctly, why do you think they can do offense right?

That simple, that logical.

Security experts are fond of saying security is a process, not a destination. Continuous improvement is the aim, like balancing a bicycle, rather than aiming for a specific event and calling it done.

It is similar to keeping healthy or fit. As soon as you achieve a goal you set another and continue with your measurements and training.

But what if we could find a secret formula to settle our debates about security once and for all? What if we could utter one magical phrase to make everyone see things the way we see them — our vision of security as the final destination. Would anyone want that?

Sounds like a Twilight Zone episode to me. Someone wishes everyone would stop debating and just agree. Then, as soon as this dream comes true, the protagonist realizes a giant mistake has been made.

The camera pulls back and we see a man running frantically through the street, begging someone, anyone to debate or disagree. Instead, surrounded by smiling faces all he hears is “I agree!”

I agree. I agree...
I agree! I agree!

Do we really want that? What is simple or logical about saying good offense depends on good defense? This debate is far from over and that’s a good thing…

Jericho’s post does not explain away the fact that the two can be, and often are, mutually exclusive. The very foundation of a deterrence policy, for example, is an offense so effective that defensive capability becomes less relevant.

I’m tempted to point out the many sports teams with good offense and bad defense.

Instead, sticking with IT, a large enterprise that struggles to upgrade defenses can still have an effective offensive team. In fact an offensive team may be built faster/better/stronger and focused back on the enterprise itself, to help pinpoint and improve slower/worse/weaker defenses.

Defense often is saddled with dependencies, depreciation issues, complexity, politics, etc. Meanwhile an offensive team can quickly come directly into modern and advanced capabilities. In other words, building a highly effective offensive team is sometimes a strategic investment that can push an ineffective defensive team ahead.

A mismatch, with a better offensive team, means flaws can be found with visibility into risk posture, blasting through obstacles that held back better defense investments. This imbalance should be no stretch of the imagination. It’s common and has been happening for many years. Think of it as a football team that pits its lagging defense against its own top-ranked offensive line to pinpoint holes and improve defensive capabilities. Companies are hiring top red-team talent even when their blue teams aren’t top tier.

Back to the point of active defense, a highly-effective offensive team that is better than a defensive team simply could switch focus towards targets outside. That is why it is easy to see how a company that can’t do defense right can do offense right.

The blog post also tries to warn us of a lack of solid definition for “active defense.”

…note that recon is not ‘defense’. By port scanning, pinging, or tracerouting the remote system that attacked you, it does not help you defend your network. It is the first stage of an active response. Strictly based on the terminology of “active defense”, activity such as changing a configuration or creating real-time decoys to increase the cost of attack. Even today’s news, covering an entire talk on the legal risks of “active defense”, does not even define the term.

Recon is a part of defense, “it is the first stage”, but it is not alone a defense. Agreed. But why are we worried that the definition isn’t easy? That seems normal to me. Or why worry that a definition isn’t found in one talk?

After reading the post I see more room for debate, more uncertainty and fear without solid explanation or supporting argument. Here are just four examples from where debate can easily continue:

If you can easily and positively attribute, they shouldn’t have breached your defenses. You have no business attacking them when you were negligent on defense 101.

Containment is more complicated than this view. Attribution may come later, as part of a decision process for limiting damage. Whether easy and positive attribution could be found within 1 minute or 1 day, it would be post-breach either way. Not every breach can be anticipated, which is why a common phrase responders use is “always prepared, never ready”.

If you think you can positively attribute, you cannot, you are out of your element.

Again, overly simplistic view. Attribution is hard for some, easier for others. Hiding is effective for some, impossible for others. Most important is that practice makes attribution more accurate and there are many public cases of positive/successful attribution.

Even if you can miraculously attribute the human at the keyboard, regardless of how many hops back, you cannot positively attribute who hired them to hack you.

This is a decision point rather than a disincentive. Responders can positively attribute deeper than just front-line attacks. Anti-mob and anti-terror efforts reach the source all the time. We can be just as effective.

If you attribute the person, and not the motive, by hacking back, you violated the law just as they did.

I have to point out here that legal advice from a non-lawyer is specious. Meet with a lawyer if you want to know when and how you will violate the law. As David Willson has written on this blog and presented many times, active defense is not a crime.

Red Means Go, Green Means Slow

While riding in late night taxis in Brazil I noticed they hit the accelerator through red lights. When we approached a green light, they would slow down and look around for people running the reds.

I had to ask why. The drivers said this is a risk mitigation strategy.

Because of assault danger, Brazilians drive through red traffic lights at night, just as a warning.

Since stopping at a red light, especially late at night, makes you an easy victim for car-jacking or robbery…we didn’t stop.

And because everyone there knows drivers run red lights to stay safe, drivers with green lights slow down before crossing an intersection.

Just another example of why we should seriously reconsider stop-lights and their overall impact on risk (inefficiency of idling, yellow-light behavior, etc.).

The anti-virus age AIN’T over

Graham Sutherland wrote a provocative blog post titled “The anti-virus age is over.” I hear this a lot and I often argue against it, as I did recently in a Twitter thread with @jeremiahg and @adamjodonnell.

I noticed Graham argues against his own title. His blog concludes:

Now don’t get me wrong, AV still has its place in the security world

Is an age over if there is still a place in the security world? I say no.

Cory Doctorow apparently does not come to the same conclusion, and instead used Sutherland’s opening argument in his Boing Boing post called “When advanced black-hat hacking goes automatic, script kiddies turn into ninjas” to promote a fictional story of his own.

[The anti-virus age is over] was the premise and theme of my novella Knights of the Rainbow Table (also available as a free audiobook).

I confess I haven’t read much by Doctorow since he ranted against American Airlines data collection practices. At that time I wrote the following response to his predicament:

I have always observed that wise travelers provide no more than the information that is directly relevant to the question being asked — the “most accurate” answer — which has neither too little nor too much detail. It’s a fine balance, but part of the usual business of crossing International boundaries, obviously compounded by different cultural views of what constitutes suspicious or risky behavior.

Although I hate to question Doctorow’s risk management vision again, it seems to me the anti-virus age will be over when we no longer see any place for anti-virus.

The age isn’t over because needing a defense against polymorphic threats does not mean we should completely remove black-lists for non-polymorphic threats. Sutherland concedes this in the final text of his blog.

To put it another way, should we stop using seat-belts because we can get sick from bird-flu? Obviously not.

I tried to make this risk distinction in my 2012 RSA Conference presentation “Message in a Bottle: Finding Hope in a Sea of Security Breach Data.” Here is how I laid out the age of seatbelts (sorry about the RSA template colors):

2012 RSA SF Conference Slide - Seatbelts

This view of history suggests to me that anti-virus software will become more integrated into the cost of our systems (like seat-belts became de-facto for cars and eventually a law). It will become less visible as it becomes integral.

So where are we headed? Analytic ability with data collection is what comes next, like air-bags were added to seatbelts. But the seatbelt analogy doesn’t really work with intelligent, adaptive threats, as I also illustrated in my 2012 RSA Conference presentation (based on “Dr. John Snow’s map-based spatial analysis and algorithm” for germ theory).

2012 RSA SF Conference Slide - Ghostmap

To follow Snow’s footsteps our discretionary spend will shift towards data collection, anomaly detection and advanced response capabilities (e.g. big data security analysis). We will get better at finding and responding with new tools, while still using computer anti-virus and other old tools.

#HeavyD and the Evil Hostess Principle

At this year’s ISACA-SF conference I will present how to stop malicious attacks against data mining and machine learning.

First, the title of the talk uses the tag #HeavyD. Let me explain why I think this is more than just a reference to the hip-hop artist or nuclear physics.

HeavyD
The Late Great Heavy D

Credit for the term goes to @RSnake and @joshcorman. It came up as we were standing on a boat and bantering about the need for better terms than “Big Data”. At first it was a joke and then I realized we had come upon a more fun way to describe the weight of big data security.

What is weight?

Way back in 2006 Gill gave me a very tiny and light racing life-jacket. I noted it was not USCG Type III certified (65+ newtons). It seemed odd to get race equipment that wasn’t certified, since USCG certification is required to race in US Sailing events. Then I found out the Europeans believe survival of sailors requires about 5 fewer newtons than the US authorities.

Gill Buoyancy Aid
Awesome Race Equipment, but Not USCG Approved

That’s a tangent but perhaps it helps frame a new discussion. We think often about controls to protect data sets of a certain size, which implies a measure at rest. Collecting every DB we can and putting it in a central Hadoop cluster: that’s large.

If we think about protecting large amounts of data relative to movement then newton units come to mind. Think of measuring “large” in terms of a control or countermeasure — the force required to make one kilogram of mass go faster at a rate of one meter per second:

Newtons

Hold onto that thought for a minute.

Second, I will present on areas of security research related to improving data quality. I hinted at this on Jul 15 when I tweeted about a quote I saw in darkreading.

argh! no, no, no. GIGO… security researcher claims “the more data that you throw at [data security], the better”.

After a brief discussion with that researcher, @alexcpsec, he suggested instead of calling it a “Twinkies flaw” (my first reaction) we could call it the Hostess Principle. Great idea! I updated it to the Evil Hostess Principle — the more bad ingredients you throw at your stomach, the worse. You are prone to “bad failure” if you don’t watch what you eat.

I said “bad failure” because failure is not always bad. It is vital to understand the difference between a plain “more” approach and a “healthy” approach to ingestion. Most “secrets of success” stories mention that reaction speed to failure is what differentiates winners from losers. That means our failures can actually have very positive results.

Professional athletes, for example, are said to be the quickest at recovery. They learn and react far faster to failure than average. This Honda video interviews people about failure and they say things like: “I like to see the improvement and with racing it is very obvious…you can fail 100 times if you can succeed 1”

So (a) it is important to know the acceptable measure of failure. How much bad data are we able to ingest before we aren’t learning anymore — when do we stop floating? Why is 100:1 the right number?

And (b) an important consideration is how we define “improvement” versus just change. Adding ever more bad data (more weight), as we try to go faster and be lighter, could just be a recipe for disaster.

Given these two, #HeavyD is a presentation meant to explain and explore the many ways attackers are able to defeat highly-scalable systems that were designed to improve. It is a technical look at how we might set up positive failure paths (fail-safe countermeasures) if we intend to dig meaning out of data with untrusted origin.
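As an added illustration of points (a) and (b), not code from the talk, here is a small Python experiment on constructed latency data: it measures how much poisoned input a plain mean/std anomaly baseline versus a median/MAD baseline can ingest before a known anomaly stops being flagged, and shows one fail-safe ingestion gate that refuses to learn from a batch the current baseline already finds mostly anomalous. The sample values, thresholds and the 5% budget are assumptions chosen for the example.

```python
import random
import statistics

# Constructed sample for this example (not data from the talk): 1,000 request
# latencies in ms from a service whose normal behaviour is roughly N(100, 10).
RNG = random.Random(7)
CLEAN = [RNG.gauss(100.0, 10.0) for _ in range(1000)]
ANOMALY = 200.0  # a latency that any sane baseline must keep flagging
CLEAN_BATCH = [RNG.gauss(100.0, 10.0) for _ in range(200)]
POISON_BATCH = [RNG.gauss(ANOMALY, 5.0) for _ in range(190)] + CLEAN_BATCH[:10]

def naive_baseline(data):
    """'More data is better': every ingested value moves mean and std."""
    return statistics.fmean(data), statistics.pstdev(data)

def robust_baseline(data):
    """Median and scaled MAD: bad values move the baseline far less."""
    med = statistics.median(data)
    mad = statistics.median(abs(v - med) for v in data) * 1.4826  # ~std if normal
    return med, mad

def is_anomaly(center, spread, x, threshold=3.0):
    return spread > 0 and abs(x - center) / spread > threshold

def poison_tolerance(baseline_fn, step=10):
    """Fraction of poisoned values (clustered at ANOMALY) the detector can
    ingest before ANOMALY itself stops being flagged: the point where
    'learning' from the feed has turned into mere change."""
    rng = random.Random(11)
    poison = []
    while len(poison) < 2 * len(CLEAN):
        center, spread = baseline_fn(CLEAN + poison)
        if not is_anomaly(center, spread, ANOMALY):
            return len(poison) / (len(CLEAN) + len(poison))
        poison += [rng.gauss(ANOMALY, 5.0) for _ in range(step)]
    return 1.0

def gate_batch(trusted, batch, budget=0.05):
    """Fail-safe ingestion: score a new batch against the trusted baseline and
    refuse to learn from it if more than `budget` of it is anomalous, so the
    batch is quarantined for review instead of silently becoming 'normal'."""
    center, spread = robust_baseline(trusted)
    flagged = sum(is_anomaly(center, spread, x) for x in batch)
    return flagged / len(batch) <= budget

if __name__ == "__main__":
    for name, fn in (("naive mean/std", naive_baseline), ("robust median/MAD", robust_baseline)):
        print(f"{name} stops flagging {ANOMALY} ms at poison fraction {poison_tolerance(fn):.2f}")
    print("clean batch accepted:", gate_batch(CLEAN, CLEAN_BATCH))
    print("poisoned batch accepted:", gate_batch(CLEAN, POISON_BATCH))
```

The naive baseline gives up after roughly a tenth of its input is poisoned, the robust one survives several times that, and the gate is what turns a breach of that budget into a reviewable failure rather than a quietly retrained detector.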

Who do you trust?

Fast analysis of data could be hampered by slow processes to prepare the data. Using bad data could render analysis useless. Projects I’ve seen lately have added weeks to get source material ready for ingestion: decreasing duplication, increasing completeness and working towards some ground rule of accurate and present value. Already I’m seeing entire practices and consulting built around data normalization and cleaning.

Not only is this a losing proposition (e.g. we learned this already with SIEM), but the very definition of big data makes this type of cleaning effort a curious goal. Access to unbounded volumes with unknown variety at increasing velocity…do you want to budget to “clean” it? Big data and the promise of ingesting raw source material seems antithetical to someone charging for complicated ground-rule routines and large cleaning projects.

So we are searching for a new approach. Better risk management perhaps should be based on finding a measure of data linked to improvement, like Newtons required for a life-jacket or healthy ingredients required from Hostess.

Look forward to seeing you there.