The highlight of the Secure 360 conference for me was when Jay Jacobs dropped this gem: an update of Shannon's maxim. Shannon's maxim, "the enemy knows the system," is a guiding precept in security architecture.
Jay updated it for today's "cyber" security environment in a highly accurate way:
The enemy knows the system, and the allies do not.
This distinction is critical. Due to complexity, time and skills, organizations struggle to build an asset inventory of their systems, much less understand their own components. And what about runtime behaviors when those discrete components are plugged together? That sits in the "too hard" pile for most organizations.
The question is, as always, what can we do about it? If you have valuable assets, you are not likely to dissuade adversaries from trying to learn about your system; if you have stuff worth stealing, you should assume the enemy knows the system. Instead you can focus on your assets so that you actually understand them as well as or better than your adversaries do. It's not a glamorous cops-and-robbers detail, but focusing on core business assets is a better way to prioritize your resources. It should get you out of Jacobs' quandary and at least able to play Shannon's game.
So the threat to deal with is not external; it's internal ignorance. Here is what I wrote about proactively dealing with security in light of these "new" threats called APT:
If your infosec organization has an alignment to your assets, meaning roughly similar percentages of experts in domains like customers, users, identity, transactions, apps and databases, then you can say you are working on protecting assets. Most companies have a large ERP system like SAP or Peoplesoft; this contains the crown jewels. How many people does your infosec org have dedicated to securing these systems? Does your infosec group align its budget to the assets the business invests in, or does it buy the things people talk about at conferences? Here's my advice: find a representative use case or transaction, one that keeps your company in business. Trace it from end to end, starting with the customers and ending with your back-end systems. Does your infosec org have deep domain expertise in each and every one of the major areas that the use case transaction touches? If not, fix this organizational APT first.