I see there’s been some talk recently (more so than normal on the blogs I watch, anyway) about network security, web app security, host-centric security… I feel like a lottery tumbler bouncing around a lot of balls in my head, but nothing popping out down the chute quite yet. So here are some links for future thoughts. Jeremiah Grossman talking about web app vs network security. Hoff talking about host vs network security. The Jericho Forum talking about lots of things, but notably deperimeterization catches my eye. And Michael’s thoughts which have the side effect of wanting to pull out some C&C Music Factory mp3s (and yes, I have a bunch!). I also see Scott has an excellent post about this topic as well. And another from Alex, although once anyone starts talking ephemerally (in terms of relativity to business process which might be the agnostics’ way to offer up an inarguable concept? [see? obviously I’m not seeing something straight! hehe] ) about things like the Circles of Trust, it never really makes much sense to me yet (yet!).
My initial reaction is that I am not sold on “unified” or “one method to rule them all” approaches. I’m with Michael in the link above in most regards: practice moderation and mix all of them in varying levels. Honestly, if one of these approaches was better than the others, it would be obviously apparent by now.
However, there may be some merit in a company focusing their efforts and monies in one method consistently…
I think one approach to these questions might be in looking at the extremes. What would your network or company look like from an infosec point of view if you were host-centric in your approaches? or network-centric? or data-centric? What is given up, what is scalable, what costs the most either up front or on-going? What is possible with the skillsets we have in our company/country/world right now?