Today, Richard Bejtlich at TaoSecurity posted the ten recurring themes he observed at recent conferences. They are:

  1. Permanent compromise is the norm, so accept it.
  2. We cannot stop intruders, only raise their costs.
  3. Anyone of sufficient size and asset value is being targeted.
  4. Less Enterprise Protection, more Enterprise Defense.
  5. Less Prevention, more Detection, Response, Disruption.
  6. Less Vulnerability Management, more System Integrity Analysis.
  7. Less Totality, more Sampling.
  8. Less Blacklisting, more Whitelisting.
  9. Use Infrequency / Rarity to our advantage.
  10. Use Blue and Red Teams to measure and validate.

I agree with the themes he brings up for companies already invested in security. But I think we are struggling to get the word out to companies outside our circles. Big conferences like RSA and Blackhat continue to grow bigger, and more security issues are getting into mainstream media, but I think many still don’t take it seriously.