The hacker typed furiously, cracking the encryption manually. The suddenly she had an idea: "CTRL+ALT+F2+x", she typed, then shouted "We're in! We have complete control of the mainframe".

In the movies, security breaches are binary affairs. One second the attacker is faced with insurmountable NSA grade encryption, the next they have complete control of everything. Of course, in real life, security breaches are much more boring. A real life security breach, whether by an external attacker or a disgruntled insider unfolds gradually, over weeks, months or even years.

The difference between fictional attacks and real attacks is important because the way we understand an attack influences how we spend money to defend against it. For instantaneous, winner-takes-all attacks, we will probably focus all our money on security controls and enforcement and expect that we must succeed 100% of the time or lose everything. In real life, we apply defense-in-depth and invest as much in monitoring and incident response as we do in front end controls. We expect that breaches will happen, but we hope to limit their scope and impact.

An unfolding security breach is a bit like someone attempting to traverse an obstacle course. Our job is to lay out obstacles and traps. The aim is twofold: obstacles are intended to slow the attacker down, but also to divert the attacker to less lucrative or more risky attacks where they are more likely to fail and be noticed. If you look at security breaches as an obstacle course, you arrive at two important insights. Firstly, there is no way to guarantee that no one can traverse any part of the obstacle course, it's a matter of when, not if. Secondly, you should put as much effort into stopping an attack-in-progress as preventing one from happening in the first place.

We must accept that attackers will be able to overcome security controls and we must also understand that the attack will unfold over time, gradually getting more and more dangerous to our business. The first compromise may be minor: breaking into a single user account, discovering an internal IP address, stealing a list of employee phone numbers. An attacker will build upon each compromise, using it to expand his reach and control of our infrastructure. At each step there are opportunities for us to discover the breach, if only we are watching. At each step, the attacker faces increased risk of discovery. If we have good defense-in-depth then we've removed the easy and low risk attack vectors and left mostly risky and difficult ones.

A secure company is not one that cannot be breached. Those do not exist. A secure company is one that can minimise, contain and mitigate the impact of breaches. A big part of "being secure", perhaps the biggest part, is what you do to deal with a breach in progress, recognising that you can't stop them all. To that goal, companies should invest more in logging, monitoring, auditing, incident response and forensics.