There really is an Advanced Persistent Threat in your organization: it's the fact that your infosec people don't understand the assets they are protecting. I will know you are serious about dealing with APT not when you go to conferences about it, institute processes, blog, or buy more tools; I will know you are serious when your infosec organization is comprised of domain experts in the assets you are supposed to be protecting, not more gee-whiz network security widgets. This APT is
Good APT analysis by Scott Crawford and Nick Selby on threatpost, but unfortunately their conclusions miss the main point: the APT is in your infosec org. First, they rightly say: "One thing we believe will not help: more of the same."
For sure, but will a real change happen? Probably not. Infosec as an organization is not in any position to deal with the issue, because the secret of security is that it's not about security, it's about assets. To wit:
the adversary may have the resources to back not only expertise in tactics, but such things as fundamental research which can be called upon as the need arises
But all is not lost, they continue:
This also helps shift the focus where it needs to be. We have been far too lax, for far too long, in the way we think about how to counter threats of any kind.
Very doubtful: the vast majority of infosec people come from a network ops background. When confronted with a problem they run back to their comfort zone, the network. But this is a big problem, because:
It's high time we began setting our security goals to align with defense of what we hold dearest.
What almost every company holds dearest is NOT its network (but that's where infosec spends all its time and money); what it holds dearest is customers, users, identity, transactions, apps, and data. Those don't get any focus from infosec. It's a people problem: regardless of the threat, infosec has the wrong background, training, skills, and focus to provide security to the enterprise. Expect more of the same until this changes.
If your infosec organization is aligned to your assets, meaning it has roughly similar proportions of experts in domains like customers, users, identity, transactions, apps, and databases, then you can say you are working on protecting assets. Most companies have a large ERP system like SAP or PeopleSoft; this is where the crown jewels live. How many people does your infosec org have dedicated to securing these systems? Does your infosec group align its budget to the assets the business invests in, or does it buy the things people talk about at conferences? Here's my advice: find a representative use case or transaction, one that keeps your company in business. Trace it from end to end, starting with the customers and ending with your back-end systems. Does your infosec org have deep domain expertise in each and every one of the major areas that the transaction touches? If not, fix this organizational APT first.