I read a great post by Phil Venables this morning where he added his “law” to the list of laws that are good frameworks for how things work. Of course he cites Moore’s Law first. I love his contribution to the list: Venables’ Law can be stated as “Attackers have bosses and budgets too”
Always love your perspectives! Question though. What about the XDR space which purports to add value by looking "across" network, endpoint, user and app signals to better detect and respond to attacker activity? Now, XDR vendors sort of come in two flavors - those who are trying to elevate past just EDR (e.g. Crowdstrike) and those who are prevention point agnostic (not wedded to a given network or endpoint vendor brand). But in either case there is still the intent to drive value through network + endpoint + etc etc.?
I really enjoyed this post, Richard. After decades on the tech industry - the hometown of laws - learning about the axioms that permeate cybersecurity is a fascinating tour.
"... a good security approach should increase the cost to the attacker (budgets)...": that's precisely the principle behind preemptive security measures: to create economic disadvantages for criminals when attacking a particular target. We have an academic paper current under review to be published on the matter around BforeAI's Active Defense capabilities in disrupting network traffic to malicious websites hindering the attack much less effective while a takedown submission is processed.
I appreciate laws for what they are: to make visible a set of truths that could be easily missed by the naked eye or even the common sense of professionals in the industry. Laws have exceptions, which don't weaken them in the least, just reinforces the value of the law in itself. Understanding the (potential) exceptions and making strategic decisions around it is a fascinating topic that I have applied over the course of my career - a combo of Dave Snowden's Cynefin, paradox management, and just plain common sense. It can create incredible, outstanding results. And that's exactly how you position these historical and recent bets on acquisitions that would "violate" Stiennon's Laws.
Thanks for sharing this, incredible food for thought.
Always love your perspectives! Question though. What about the XDR space which purports to add value by looking "across" network, endpoint, user and app signals to better detect and respond to attacker activity? Now, XDR vendors sort of come in two flavors - those who are trying to elevate past just EDR (e.g. Crowdstrike) and those who are prevention point agnostic (not wedded to a given network or endpoint vendor brand). But in either case there is still the intent to drive value through network + endpoint + etc etc.?
I really enjoyed this post, Richard. After decades on the tech industry - the hometown of laws - learning about the axioms that permeate cybersecurity is a fascinating tour.
"... a good security approach should increase the cost to the attacker (budgets)...": that's precisely the principle behind preemptive security measures: to create economic disadvantages for criminals when attacking a particular target. We have an academic paper current under review to be published on the matter around BforeAI's Active Defense capabilities in disrupting network traffic to malicious websites hindering the attack much less effective while a takedown submission is processed.
I appreciate laws for what they are: to make visible a set of truths that could be easily missed by the naked eye or even the common sense of professionals in the industry. Laws have exceptions, which don't weaken them in the least, just reinforces the value of the law in itself. Understanding the (potential) exceptions and making strategic decisions around it is a fascinating topic that I have applied over the course of my career - a combo of Dave Snowden's Cynefin, paradox management, and just plain common sense. It can create incredible, outstanding results. And that's exactly how you position these historical and recent bets on acquisitions that would "violate" Stiennon's Laws.
Thanks for sharing this, incredible food for thought.