For decades the industry worked to build secure products: products which can withstand attacks usually by reducing vulnerabilities and exposures.
However, what happens when that fails and an attack is successful in spite of the work done to secure the product? I propose that we require both secure products AND defensible products; products which not only resist attacks but successfully defended when attacks bypass protection.
4 Qualities of Defensible Products
- Visibility – the visibility necessary to detect unauthorized use and malicious attacks
- Transparency – the transparency into the product’s operations to conduct a proper investigation and response after detection
- Controls – the controls necessary to remediate a threat after detection and investigation
- Resilience – a product returns to an working state quickly after remediation (or remain operational during an attack)