IPSE DIXIT

There are only two types of companies: those that have been hacked, and those that will be.

Robert S. Mueller, III
Director, Federal Bureau of Investigation
RSA Cyber Security Conference 2012
[ http://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies ]

Information security can no longer prevent advanced targeted attacks.

Too much information security spending has focused on the prevention of attacks and not enough has gone into security monitoring and response capabilities.

Invest in your incident response capabilities. Define and staff a process to quickly understand the scope and impact of a detected breach.

Neil MacDonald
Distinguished Analyst and Gartner Fellow Emeritus in Gartner Research
Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence ( 30 May 2013 )
[ http://www.gartner.com/technology/reprints.do?id=1-1FU5IQL&ct=130531&st=sb ]

When combining the results from all four AV engines, less than 40% of the binaries were detected.

Moheeb Abu Rajab, Lucas Ballard, Noe Lutz, Panayiotis Mavrommatis, Niels Provos
Johns Hopkins University Researchers & Staff Engineers at Google
20th Annual Network & Distributed System Security Symposium 2013
[ http://www.internetsociety.org/doc/camp-content-agnostic-malware-protection ]