Ben Tomhave has a good post over on his blog. Go read it; it's short and won't take long, I promise.
In part I agree: you are never going to "win" by keeping an attacker out. As he puts it in the post:
Traditionally we've held the mindset that we "win" if we stop the attackers. This mindset is sheer folly. To "win" in this scenario we need to successfully defend against 100% of attacks, whereas the attacker need only succeed once (probabilistically this works out to being far less than 100%).
Instead, we need to acknowledge the nature of our asymmetric threat and realize that there is no way to achieve "perfect" security and resist 100% of attacks. To think otherwise is willfully ignorant. Instead, we must accept a new status quo based on survivability. That is, despite successful attacks, we can consider ourselves victorious in conflict merely by surviving.

Protecting YOUR important data on the network is ultimately the goal of most network security. Keeping the attackers out is a silly goal. You are one Adobe/Flash/Java/whatever 0day away from failing to keep attackers out and thus "losing".
Surviving a network attack is not the same as surviving a mortar attack on a FOB, where if I'm still breathing and have use of my limbs at the end of it I can call that a "win". In turn, it's not a successful penetration test or attack if you merely "get in" and pop a bunch of shells (see Chris Nickerson's Top 5 Ways To Destroy A Company talk). It's a "win" when I steal what makes that company money, extract it without them knowing, then show it to them later for the "poop in the pants" moment. A report with a bunch of screenies of shells doesn't convey the same sense of "oh shit" that the first 100 entries of their key database does. In this case, while the business may have thought they "survived", they in fact "lost".
We're getting really good at teaching our clients how to catch penetration testers and their methodologies, and conditioning them that this is a "win", when in fact most of the time defenders fail to see and catch people with a modified methodology, non-public tools, or "non-standard" goals.