OzeWorld Guide

The Attacker’s Advantage Is Patience. Your Disadvantage Is Quarters.

Speed is a defensive delusion. The threat that breaches your systems doesn’t sprint; it waits, perfectly prepared, in the gaps between your breath and your budget cycle.

The Slow Advance

The shoe hit the floorboard with a dull thud, the kind of sound that doesn’t just mark the end of a life but signals a shift in the air. I’d been watching that spider for 12 minutes. It hadn’t moved. It was a master of the long game, perched in the corner of my vision, waiting for me to forget it existed. That’s the thing about predators, the small ones and the ones behind keyboards. They don’t twitch. They don’t rush. They exist in the gaps between our breaths.

I am sitting here now, looking at the smudge on my left sneaker, thinking about the 22 different ways a network gets breached. We talk about speed. We talk about rapid response like it’s a virtue, but speed is actually a defensive delusion. The guy who eventually gets into your database didn’t sprint there. He walked slowly, pausing every 2 steps to make sure nobody heard his breathing. He’s been in your environment for 162 days. He knows your daughter’s name from an unencrypted PDF of a soccer roster. He knows your CFO likes 12-year-old scotch because of a gift receipt in an inbox.

The Temporal Divide

Defense Rhythm: 92 Days (Fiscal Quarter Milestones) vs. Attacker Timeline: 2 Years (Objective-Driven Focus)

Staring at the Bumper

This is the asymmetry that keeps me awake at 2 AM. My business, your business, operates on the 92-day rhythm of the fiscal quarter. We have milestones and deliverables. We have budget meetings where someone asks why we need to spend $40002 on a SOC when nothing happened last month. Meanwhile, the attacker has a timeline that stretches across 2 years. They don’t have a boss asking for a PowerPoint update on their penetration progress every Tuesday. They just have the objective.

“Most people crash because they look at the bumper in front of them, whereas a pro looks at the horizon. You’re staring at the 2 feet in front of your face, while the danger started 2 miles back.”

– Casey J.-M., Driving Instructor

That’s the corporate security dilemma. We’re staring at the bumper (the immediate alert, the daily log) while the attacker is looking at the horizon of our entire corporate existence. The attacker only has to be right once. That’s the cliché, isn’t it? But we ignore the weight of that. We have to be right 1000000002 times a day. Every packet, every login, every email has to be evaluated with total accuracy.

Celebrating Human Error

The attacker can fail 42 times and it doesn’t matter. They just wait. They watch the financial calendar. They know when the audit is. They know when the IT staff is stretched thin during the holiday break. They are corporate, too, in their own way. They have hierarchies and specialized departments. They just don’t have the burden of quarterly growth to distract them from their one true goal: your destruction.

The Attacker’s Allowance: 42 Fails. Your requirement: 1,000,000,000,002 Successes.

I understand that sounds bleak. I tend to be a bit of a pessimist after I’ve had to kill something in my own office, even if it’s just a spider. I’m looking at the smudge and thinking about the 122 hours I spent last year trying to fix a configuration error I made myself. I’m not perfect. You aren’t perfect. But the system demands that we act as if we are, while the attacker celebrates our humanity.

The Polo Shirt and the Spreadsheet

Imagine a guy named Alexei or Zhang or Steve sitting in a lukewarm office in the year 2022. He’s not wearing a hoodie. He’s wearing a polo shirt. He’s got a spreadsheet. On that spreadsheet, your company is just a row. He’s not trying to hack you today. He’s just trying to see if the credential he bought for 32 dollars works. It does. He logs in. He does… nothing. He doesn’t dump the database. He doesn’t encrypt the drives. He just sets up a forwarding rule for the CEO’s assistant. Then he goes to lunch.

Day 1: Credential Check (Forwarding Rule Set)

Day 82: Reading M&A Docs (Triggered local distraction event)

Acquisition Day: The final 2 seconds

This is the patience that beats budgets. Your budget for the year was set 12 months ago. You can’t pivot. You can’t hire 22 more analysts because the money isn’t allocated. The attacker doesn’t care about your allocation.

Breaking the Rhythm

He used to make me check my mirrors every 12 seconds. Not 10, not 15. Twelve. He said that the rhythm of observation is the only thing that keeps you from becoming a statistic. If you break the rhythm, you lose the narrative of the road. Most corporate security is a broken rhythm. We check the mirrors when the alarm goes off. We check the mirrors when the auditor walks in the door. But the attacker has been in the blind spot for 312 days, matching our speed, waiting for us to change lanes without looking.

“We celebrate the lack of alerts, not comprehending that a lack of alerts is often just a sign that the attacker is better at their job than your software is at its.”

– Security Analysis Insight

This is why the traditional check-the-box security model fails. It assumes the threat is a moment in time, rather than a persistent shadow. We block 500000002 low-level pings from script kiddies and we put that in a chart. But we didn’t block the one guy who has been reading the board’s private emails for the last 72 days. That guy doesn’t show up on the chart because he isn’t making any noise.

Aligning Defense to Attack

Companies like Spyrus understand that you can’t just set a firewall and walk away. You need someone who is as patient as the attacker. Because if the attacker is willing to wait 192 days to make their move, you need a defender who has been watching for 192 days without blinking. Most internal teams can’t do that. They have meetings. They have performance reviews. They have 2-week vacations where they try to forget that the network exists. The attacker doesn’t take a vacation from your network. They just wait for yours to start.

Key Insight

Persistence is the only currency that matters in a war of attrition.

The Two Days That Mattered

I thought I was being clever by changing the SSH port to something obscure: port 2222. And it did stop the low-level noise. But I forgot to look at the logs for 32 days because I was busy with a new project. When I finally checked, someone had been brute-forcing that obscure port with a very specific list of usernames. They had been at it for 522 hours. They finally got in 2 days before I checked. They used the server to launch attacks on a much larger target, a regional bank. I felt sick. My stomach felt like it had 22 lead weights in it. I had been right for 30 days, and I was wrong for 2. And those 2 days were all that mattered.
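The failure in this story, a login that succeeds after weeks of quiet failures nobody reviewed, is something a scheduled job can check for without a human remembering to look. The following is an added example, not code from the original post: it assumes sshd messages logged with RFC 3339 timestamps, and the sample log, addresses, thresholds and the function name `find_slow_bruteforce` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's sshd message format with RFC 3339
# timestamps; hosts, users and addresses are made up (documentation ranges).
SAMPLE_LOG = """\
2024-03-01T02:30:07+00:00 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
2024-03-04T03:40:51+00:00 web1 sshd[902]: Failed password for invalid user backup from 203.0.113.7 port 40990 ssh2
2024-03-09T01:05:33+00:00 web1 sshd[1190]: Failed password for deploy from 203.0.113.7 port 41871 ssh2
2024-03-10T09:00:12+00:00 web1 sshd[1201]: Failed password for deploy from 198.51.100.20 port 52200 ssh2
2024-03-10T09:00:30+00:00 web1 sshd[1201]: Accepted password for deploy from 198.51.100.20 port 52200 ssh2
2024-03-22T20:31:02+00:00 web1 sshd[1544]: Failed password for deploy from 203.0.113.7 port 43310 ssh2
2024-03-22T20:48:19+00:00 web1 sshd[1551]: Accepted password for deploy from 203.0.113.7 port 43388 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_slow_bruteforce(log_text, min_failures=3, min_users=2):
    """Flag accepted logins from a source with a long, multi-user failure history.

    No time window is applied on purpose: a rate limit tuned to minutes never
    sees failures spaced days apart, so history is kept per source address.
    """
    history = defaultdict(lambda: {"first": None, "failures": 0, "users": set()})
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        h = history[m["ip"]]
        if m["result"] == "Failed":
            h["first"] = h["first"] or ts
            h["failures"] += 1
            h["users"].add(m["user"])
        elif h["failures"] >= min_failures and len(h["users"]) >= min_users:
            alerts.append({
                "ip": m["ip"], "user": m["user"], "login_at": ts,
                "failures": h["failures"], "users_tried": sorted(h["users"]),
                "campaign_hours": round((ts - h["first"]).total_seconds() / 3600),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_slow_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 198.51.100.20 stays below both thresholds and raises nothing; only the source that tried several usernames over weeks before succeeding is reported.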

Realization

The emotional weight of defense is exhausting vigilance. You cannot maintain that level of scrutiny on your own.

We need to stop thinking about security as a series of obstacles we put in front of the attacker and start thinking about it as a conversation we are having with them. If we stop listening because the quarterly report is due, they win.

The Constant Companion

Casey J.-M. once made me drive in reverse for 22 minutes straight in an empty parking lot. He said I needed to understand how the car felt when it wasn’t going the way it was designed to go. Corporate networks aren’t designed to be monitored 102% of the time by humans who need sleep and coffee and validation. Security is an overlay, an unnatural state of constant suspicion. If you don’t have a partner who lives in that state of suspicion for you, you are eventually going to blink.

The Mandate

We must align our defense with the reality of the attack: moving from purchased products to a 24/7 proactive service.

I’m looking at the smudge again. The smudge is still there. In my world, waiting is a threat. In your world, the people waiting inside your servers are the greatest threat you will ever face. They don’t want your attention. They just want your data, and they are willing to wait 1002 days to get it if that’s what it takes. Don’t let your quarterly mindset give them the opening they need.

The Horizon Doesn’t Care If You’re Tired.

Be as patient as they are, or find someone who can be patient for you. The road is long, and the horizon just keeps coming at you, 2 miles at a time.

– The End of the Sprint Mentality

End of Analysis. Vigilance is not a feature; it is the constant state.