Whack-a-mole defense

One of my pet peeves with current defense methodology employed by defenders is the continued approach to a problem set that has shifted to a new paradigm. We treat IT defense like healthcare. Continuing to put all effort compliance based defense of general health checkups that reduces our practice to checking our temperature and blood pressure while we are hemorrhaging. We are bleeding to death and focusing on symptoms verses attacking the root cause. Sole focus on components such as dynamic DNS hostnames or phishing attempts with a Remote Access Tool (RAT) like Poison Ivy, leads to a whack-a-mole approach to defense. Whack - block a C2 IP or domain at the gateway. Whack-filter for malware signatures on a workstation. Whack- harden assets with latest compliance requirements. Monitoring of bad IPs and domains are necessary for preventative healthcare but triaging the hemorrhage falls short and puts defense in jeopardy of bleeding out. Playing defense in this paradigm is reactive. Breaking the vicious cycle of Whack-a-Mole requires changing the approach we use in combating adversaries. To break from this cycle, an organization must utilize threat analysis to proactively anticipate and monitor an adversary. How has an adversary attacked in the past? Which adversaries must I be concerned with? What attributes can I focus on to identify an attack? All these come into play as we then fine tune our existing defenses to specific targets. Identification of our threat data sets closes the GAP for specific adversaries of concern and then includes a true threat based defense posture for our networks. Stepping off of soap box….