Pre‑Mortem Security Architecture
Key Points
- A security architect must both understand how a system works and anticipate all the ways it could fail, essentially thinking like a hacker.
- The “pre‑mortem” approach flips traditional post‑mortem analysis by assuming a system has already failed and working backwards to prevent those failures before attackers exploit them.
- Ethical hackers use this mindset to simulate attacks, uncover vulnerabilities, and help organizations strengthen defenses.
- IBM’s X‑Force is divided into three units: Intel (researching threat actor activities), Incident Response (handling and recovering from breaches), and Red (conducting adversary simulations).
- Patrick, the interviewee, serves as the Global Head of Adversary Simulation at IBM X‑Force, leading a Red team that acts as professional hackers to expose and remediate security weaknesses.
Sections
- Pre‑Mortem Thinking for Security Architects - The speaker describes how security architects must imagine system failures by reverse‑engineering attacks—using a “pre‑mortem” mindset and hacker’s perspective—to design mitigations before threats materialize.
- Red vs Blue & Hat Hackers - The speakers explain the military‑originated Red‑Team/Blue‑Team model for adversarial simulations and contrast white‑hat (authorized) and black‑hat (unauthorized) hackers, highlighting their roles and motivations.
- Testing Systems with Adversary Simulation - The speaker outlines how a Global Head of Adversary Simulation uses ethical hackers to rigorously assess and secure systems before production, while previewing a multi‑part video series on the role’s responsibilities and career path.
Source: https://www.youtube.com/watch?v=WYkbKzDfgqo
Duration: 00:07:10
Section timestamps: 00:00:00 Pre‑Mortem Thinking for Security Architects; 00:03:04 Red vs Blue & Hat Hackers; 00:06:08 Testing Systems with Adversary Simulation
Full Transcript
A colleague of mine once said that a normal
IT architect envisions how a system will work,
whereas a security architect envisions
how a system will fail.
It really turns out that a security architect has to do both.
They have to figure out how the system will work,
so that they can figure out what all the different failure cases
might derive from that.
Well, you may have heard of a postmortem
where an analysis is done after a project is completed in order
to extract lessons that can be learned
and applied to future projects. Well,
how about the idea of a "pre-mortem",
where we start with the idea that the system
we're now designing has already failed,
and now backtrack to figure out why,
then build in the mitigations
so that all of this stuff doesn't happen
before the bad guys actually attack.
A skilled security architect would use their knowledge,
their experience, their imagination
to envision how a system might fail.
In other words, they have to think like a hacker.
Yeah, that's exactly right.
And Patrick, that's essentially what you do for a living, right?
That's exactly ... You're an ethical hacker. I am indeed.
Okay, well, so what we're going to be doing
in this series, we've got three videos.
We're going to take a look at what it means
to be an ethical hacker, what
does the job involve
and how can I get a career in this particular space.
So Patrick, you work for IBM's X-Force.
What ... what is that organization about? What do they do?
Sure. X-Force is made up of three primary sections. Uh ...
The first one I would start with is Intel.
These are the folks that uh ... do lots of research
and investigation to figure out what type of things are ...
are real bad guys out there doing.
Yeah. So they might be looking at the dark web and stuff
like that in order to figure out what ...
what's happening and alert people, right?
Exactly.
The next one would be IR.
This is also known as incident response.
These are the folks that you call if you have a breach in your network
and you need some help figuring out what happened,
how do we get the bad guys out of there.
They're your 911 for an incident.
Got you. And they can help you post incident as well as pre incident, sort
of planning for what a disaster might be and what might occur, right?
Exactly. Okay.
All right. And then the third group?
The third group is Red. So that's where I work.
These are the folks that you call
if you want to figure out "How is a hacker
going to break into my network?"
So these are our professional hackers that will then come in and ...
and help you see where are my vulnerabilities and how are the bad guys
going to exploit those. Gotcha, gotcha.
And ... and with that group then that's, as you said, where you are.
So tell us, what's your title?
Sure. My title is the Global Head of Adversary Simulation. Uh ...
I run a group of these hackers.
That sounds pretty cool.
So another way of thinking about that is it's essentially a Red team operator.
That's exactly ... Okay,
so now that I've mentioned this idea of teams,
let's talk about what these teams are. So,
we've got teams on here,
and we've got Red teams,
and we've got Blue teams. What's the difference?
Sure. So our Red team is our ... our pretend bad guys.
These are acting as our adversary.
They're the ones who are testing our defenses.
The Blue team is our defensive team.
So they're the ones who are responding and making sure, hey,
the bad guys can't get in. Gotcha.
And ... and those terms kind of come from military background.
Is that right? That's exactly right.
The military coined these terms uh ... quite a long time ago
to ... to sort of begin the idea of, hey,
we need to make sure we have a pretend bad guy
so we get a good, thorough test of our ... our defensive capabilities.
So it's that adversarial simulation.
You've got the defense guys and you've got the attack
guys. And you're running exercises,
hopefully before the bad guys get around to doing it. That's exactly ... Yeah,
so we've got teams, we've got colors,
we've got hats. Uh,
we like to use this term informally
to refer to different types of hackers.
And there are good hackers and bad hackers.
And so we refer to them as what kinds?
So we've got our white hat and our black hat hackers.
Yeah. And what's the main difference between those?
The ...the primary difference would be permission.
So the white hats are the ones that you call
and ask to break into your network.
The black hats are the ones who are doing it without permission.
Yeah. And I would say a big difference amongst those is
these guys get paid
and these guys steal.
So that's one distinction.
But if you start looking at career earnings, well,
the possibility is you get a nice collection at one point in time
and then you go to jail. Uh
... whereas this career path
you keep earning and keep earning and keep earning and you stay out of jail.
So maybe this is the better long-term career decision.
Yeah, there's a lot of possibility for career progression at this.
I think if you go down the path of black hat,
sort of, captain, like you said, probably end up in jail.
Yeah. So, Patrick, you're an ethical hacker.
What goes into that? Well, let's dissect this a little bit.
Sure. It's a topic you can imagine is, uh, is quite big.
And there's lots of ways that you can think about it,
but one way we could approach
it is to think of it in this, in this pyramid
of the pieces of a ... a testing program
when it comes to ethical hacking.
At the bottom of that pyramid, we might put vulnerability scanning.
This is your more automated type of testing, where
we're looking at ... at the big picture, trying to capture as much data as possible
and understanding where all the vulnerabilities are. Right on
top of that, we might put penetration testing.
This is where you're starting to bring in your ... your
skilled testers to look at specific systems,
maybe web applications or hardware,
and they're going to be able to test those things and understand,
you know, are they exploitable?
What's the impact of those exploits?
And give you the information about how to fix those things.
A lot of this stuff is automated using tools and things like that, right?
I'd say it's right down the middle.
So, supported by tools, but with a skilled person behind them. Okay. Gotcha.
And then the top of the pyramid?
That's where you're going to put your Red team
in. So this is where we're pretending to be a true adversary. Think,
you know, everything from ... from nation state to ransomware operators.
How do they work? And are they going to be able to break in?
What's the effect of those types of things?
Yeah. And this is where you, as Global Head of Adversary Simulation,
you and your team are going to exist in this space, right?
That's exactly ... Yeah. So,
these are the kinds of things that you would want to do
to put your system through its paces.
You wouldn't take a system
and just put it into production without ever testing it, right? Well,
you wouldn't put a system into production without testing it for security.
Look for all its vulnerabilities.
Bring in skilled, ethical hackers, like Patrick
and his team, in order to figure out
whether you have covered all the bases here or not.
So, what we've done so far in this video
is we basically looked at what's involved in the role.
And in the next video, we'll take a little deeper
dive into what's involved in the job.
What are some of the tasks that go into this?
And then the ... the third video in this series,
we'll take a look at how you can go
about getting a career in this space.
So, like and subscribe so that you're aware
when future videos come out in the series.