@Enigma, I've argued that the whole Green/Red zones was an artifact of network topology. Perimeter gateways allowed for putting defenses there. And so the world built a threat model on the silly notion that traffic from inside is trustworthy. We construct threat models around what we can defend against; not around the actual threats.

Back to your 1st point: I like to say, as part of my job, we don't plan ON being breached, but we have to plan FOR being breached.

@jpgoldberg similar to Mike Tyson's sage advice about planning for vs being punched in the mouth... I've found it help to actually be breached; for a great number of reasons. Synthetically and very much literally.

You learn what works, you learn what doesnt work (technically and/or logistically), you get confirmation of the accepted risks/debt that get paid to the piper, you get a whole lot of servings of humble pie, and when the dust settles, you also get a renewed sense of gravity and urgency about the work the security needs done.

And in a lot if cases, the #AssumeBreach mindset isn't a future tense condition - it is a present state undetected reality waiting for the right bidder to buy the access that has been quietly sitting unused in the environment waiting to be monetized.

I do miss the prod environment war games though

https://m.youtube.com/watch?v=IYcGA-AqcWo

@jpgoldberg - ps, thanks for the work you do at 1Password ;)

Been a loyal user since late 2006