“… the answers lie not in patching systems, anti-virus, or user education. These strategies are necessary, but insufficient as they do not always map directly to the threat environment. Compromises by APT actors often do not happen because of some security failure that can be addressed with an easily-branded compliance strategy. They happen because adversaries are sophisticated, have extensive knowledge of their target, and are not discouraged by failure. Compromises, even in properly-secured environments, are inevitable – and the blame lies not with the victim. We must therefore focus efforts on raising the bar, introducing friction in an attack progression, earlier detection of attacks, and the ensuing response.”

— Mike Cloppert, Security Intelligence: Introduction (pt 1)