As anyone who's ever been on the wrong side of a data breach can attest, security is not a game. First of all, the stakes are real. But also unlike a game, there are no set rules or boundaries. Even if there were, attackers aren't exactly known for their fair play.
That said, we do tend to discuss security using gaming terms. There is an offense, the attackers, and there is a defense. The goal of the defenders is to stop the attackers, to prevent them from accessing or causing damage to our assets. This is done through defensive tactics, just as the attackers apply offensive tactics.
The biggest problem is we don't always know the parameters of the game we're playing with attackers until it's too late. We don't know who our opponents are. We don't know their capabilities or their goals. Is it a stealthy, silent robbery or a quick smash and grab for data that attackers can quickly encrypt and ransom? Are we their target of hate or are we simply a moment of opportunity for them?
As a result, we're pressured to develop tactics that can somehow be equally effective against a diverse and rapidly growing variety of potential attacks. Worse, our defenses also have to take into account the operational needs of the business. Not only do we need to stop attacks, we also need to ensure our security measures don't slow or stop any services.
An attacker has no such limitations. As such, the first thing any game plan for our security efforts has to take into account is that attackers and defenders aren't playing by the same rules. The playing field is anything but level.
An attacker only has to be effective against one specific aspect of our defense - by any means possible - in order to be successful. As a defender, meanwhile, we have to be effective against all manner of potential attacks. And we have to operate under limitations, restrictions, and regulations.
With the game so stacked against us, what does a winning strategy for defenders look like?