Question: What is the difference between security and resilience?
Tim Wade, Technical Director, CTO Team at Vectra: In practice, enterprise security has emphasized preventative measures as a means of defense, often overinvesting in such measures well past the point of diminishing returns. Such emphasis gives rise to the "defender’s dilemma": An attacker need only be correct once, but a defender must be correct every time. This is correct in a primarily preventative posture, and unfortunately the slow-motion train wreck of ransomware campaign after ransomware campaign demonstrates that all too well.
The modern focus on resilience, on the other hand, doesn’t lose sight of the leading edge of an adversary’s initial compromise, even as the focus shifts elsewhere toward eliminating the probable impact of the full attack chain. Instead of overreliance on preventative controls, resilience-based security objectives look holistically at the full suite of available security controls to disproportionately increase the expense of effort, material, and time an adversary must invest to progress forward with an attack, while reducing the probability that such an attack will end with material disruption.
A resilient security architecture is one where defenders maintain visibility across their enterprise; attacks are detected early, contained, and expelled before attackers realize their objectives; and recovery from any incidental damage is rapid. It’s an approach more adaptable to the dynamic business factors of today’s enterprise – digital and cloud transformation, as an example – and generally more cost-effective. Effective visibility, detection, and response are all hallmarks of resilience, and together they form the approach most likely to favorably manage enterprise risk in a world of vanishing perimeters, mobile assets, and accelerating cloud adoption.