- Luck favors the prepared.
- Prepare for breaches through better visibility and forensic tools.
In Western cultures, Friday the 13th is considered a particularly unlucky day. The superstition is of relatively recent vintage, though it seems to derive from the separate but long-standing considerations that 13 is an unlucky number and Friday is an unlucky day. Security folks are not a particularly superstitious lot, but I think we can all agree that we can use all the luck we can get. However, any discussion about luck brings to my mind a famous quote that is usually remembered as “Luck favors the prepared” (actually, the quote by Louis Pasteur is “Chance favors the prepared mind”).
Honestly, you do not hear security pros carping about their bad luck after a breach. That being said, in spite of the best preparation, luck or chance can certainly play a part. Think of something as commonplace as a phishing attack. You could have updated host protection in place and still find it ineffective; and you could provide employees with security awareness training, but still find that whether or not they open a particular e-mail and click on a particular link is actually pretty random. Still, that is not really a conversation that CISOs want to have when they are fighting for security budget. However, it does emphasize the need for robust forensics and remediation tools and expertise, as well as deep real-time visibility into (and analysis of) traffic across your network.
The place you really do not want chance to play a part in your security posture is how and when you discover a breach after it has occurred. The worst way is a call from the FBI (they have been tracking IP leaving your networks and arriving at a known bad actor). The best way is by flagging anomalous behavior on your networks, quickly and in an automated fashion, and tracking that behavior back to a root cause. The difference in these two scenarios is not luck; it is preparation.