Last week my compliance vs. security Venn diagram caught a lot of traction on Twitter with a mention by @stevewerby. It was nice to get this kind of attention; however, the best part was @taosecurity chiming in with a related diagram covering a Security Effectiveness Model he posted around the same time. It essentially depicts the overlap between what is defended versus what is attacked, as explained in the third paragraph below. On the right is a thumbnail of it, but be sure to check out the full image here.
After my last few Tweets as @taosecurity on threat-centric vs vulnerability-centric security, I sketched this diagram to help explain my thinking.
Security consists of three areas of interest: 1) What defenders think should be defended, whether or not it matters to the adversary or whether it is in reality defended, what I label “Defensive Plan”; 2) What the adversary thinks matters and really should be defended, but might not be, what I label as “Threat Actions”; and 3) What is in reality defended in the enterprise, whether or not defenders or the adversary cares, what I label “Live Defenses”.
I call the Defensive Plan “Correct” when it overlaps with the Adversary Actions, because the defenders correctly assessed the threat’s interests. I call it “Incorrect” when Live Defenses are applied to areas outside the interest of the security team or outside the interest of the adversary.
Today’s post pic is from TaoSecurity.blogspot.com. See ya!