Advanced Persistent Threat – a rose by any other name

It is a curious thing, watching and reading and listening to folks debate the Advanced Persistent Threat (APT). With all the brouhaha, I don’t really believe there is a whole lot of difference in belief between the skeptics and the advocates. What is happening is simply the popularization of a term that has been around in certain circles for quite a while.

I created a poll on ISSA’s Connect social networking site to ask about APT. The most popular response was that APT was real but it didn’t really change anything. I recently went on a road trip talking to enterprise CISOs and security architects, most of whom reflected a similar philosophy. Make no mistake, people recognize the threat actors as different and therefore more worrisome, but most aren’t doing much different. In fact, the de facto spokesperson for APT, Richard Bejtlich, reflected a similar philosophy recently on his TaoSecurity blog when he said,

“I find it odd that I am constantly asked what I think we should do about these intruders. Do blog readers think I have been advocating certain defensive measures for the last 7+ years in this blog and earlier, elsewhere, ignorant of the capability of intruders to act at this level?”

This highlights the “nothing new but the name” argument that skeptics make. But these skeptics are not refuting the notion; they are refuting the name. They simply don’t like it when something old is freshened up and made new. Of course, the advocates bristle at the accusations of this being simply a marketing exercise (there is no denying the upswing in product collateral).

The nub here is that both advocates and skeptics believe in the threat; one group likes the name and one doesn’t. Does it change the game for enterprise security? As I’ve said previously, it may change your estimate of likelihood and impact, but the defensive options remain fairly similar.