"Last month I listed things security practitioners are doing that are unreasonable. Then I went through some things that are reasonable. In reading the many comments I received, I realized the message still isn't getting through to some. In the spirit of understanding and moving ahead in the new era of security, let's talk about some additional things that are not reasonable, as well as where we are headed as security practitioners.
"Layered defense is not reasonable.
"Go to any security site and you will read paper after paper about layered defense and how it's a great approach. I agree with the theory in the academic sense. It's harder to break into a vault that has four locks rather than one. But in reality, what if those four locks are made out of paper?
"This is exactly how classic layed defense works unreasonable thing were doing in the enterprise using classic layered defense. How? First of all, we're telling leadership that we have "layered defense" in place. Well that sounds really nice until we look at exactly what we're doing. Let's start with patch management, a process proven over the years to be next to impossible. Go into *any* large organization, and I assure you not all hosts are current on OS and application patches, such as those from Adobe. Most likely, more than 40 percent are behind even with the most expensive tools and the most diligent of patching practices. How can you patch effectively if your vulnerability scanners can't even come up with accurate information on the patch levels on your hosts?"
