Over the last few days, there have been a lot of folks in my Twitter feed talking about “active defense.” Since I can’t compress this into 140 characters, I wanted to comment quickly: show me the money. And if you can’t show me the money, show me the data.
First, I’m unsure what’s actually meant by active defense. Do the folks arguing have a rough consensus on what’s in and what’s out? If not, (or more) would be useful. Just so others can follow the argument.
So anyway, my questions:
1. Do organizations that engage in Active Defense suffer fewer incidents than those who don’t?
2. Do organizations that engage in Active Defense see a smaller cost per incident when using it than when not? (Or in comparison to other orgs?)
3. How much does an Active Defense program cost?
4. Is that the low-cost way to achieve better outcomes, compared with other ways to get the outcomes from 1 & 2?
I’m sure some of the folks advocating active defense in this age of SEC-mandated incident disclosure can point to incidents, impacts and outcomes.
I look forward to learning more about this important subject.