Special Guests: Wendy Nather, Iftach Amit, David Mortman, Dan Crowley, RSnake "We have a firewall". "All of our systems use Anti-Virus software" "We've implemented the latest web application firewalls and intrusion prevent systems" "We have a patching cycle, weekly maintenance windows and a 30-day patch turn-around" These are things we've all heard before. These are things I often hear right before we are about to start a penetration testing. Depending on how you define success, these things do little to stop attackers. What are we doing wrong when it comes to defense? What is the number one thing that organizations miss when it comes to defense? Should we even bother, and just know that a certain percentage of attackers will be successful? Can't we just do the easy and cheap security "things" and get by as long as we don't get owned as badly as our competition?