Overlapping technology helps discover problems that a standalone approach may have missed. For example, in September 2010, INTA began testing three new types of firewalls, including a Palo Alto next-generation firewall. On the first day, that firewall flagged three Mariposa botnet infections running on internal PCs, despite the fact that INTA had deployed antivirus engines on all of its PCs and used intrusion detection and prevention systems on its enterprise networks.
The security team traced the problem to three PCs, running Windows 2000, used to manage warehouse inventory. While the PCs didn't store sensitive information, the infection was still troubling. How had Mariposa infiltrated the enterprise, and why were these PCs still running the old Microsoft operating system? Ultimately, the security team discovered that it had supplied three brand new PCs to replace those old warehouse PCs, but warehouse managers diverted the new PCs to become their new desktops. Meanwhile, the Windows 2000 machines remained in place, essentially off of the security grid.
The lesson: Never assume that just because a security tool isn't flagging a problem, that a problem doesn't exist and someone isn't trying to exploit it. Of course, behaviorally speaking, we tend to do the opposite – we overestimate the likelihood of good outcomes and underestimate the likelihood of bad ones. Behavioral scientists even have a name for this tendency, optimism bias, or the positivity illusion.
How can people combat this tendency? The answer, generally speaking, is to use more automated mechanisms that reduce the need for subjective interpretation. In security terms, it also includes layering defenses to help build a better, automated picture of what's actually happening on the network.
So this 2011 security resolution might sound like back to basics, but it stands to demonstrably improve enterprise security: Never stop testing new defenses and finding better ways to "layer up." Because staying ahead of attackers is going to take resolve.