A Better Defense in Depth Implementation
There’s been a lot of conversation lately around how effective our current implementations of defense in depth (DiD) are. There have even been some suggestions that DiD is a broken model, and needs to be replaced. But I believe in the value of DiD. It is essential to an effective security program.
Defense in depth is required, and can be used to create an effective security program that meets your organizational needs. But it can only do so if the layers are implemented carefully and appropriately to the environment. In order to receive optimal return on investment we should (1) identify which areas contain our most sensitive information and implement security measures appropriately, we must (2) design security measures that are independent of one another, so that when one fails others continue to work, and (3) ensure that we’re able to react to threats even if they successfully breach our defenses and disable our systems.
Be more precise. In many organizations when a security measure it applied, it is implemented across all areas. In our flat network environments it’s much easier for us to just go with the “secure everything” philosophy. But by painting with such a wide brush we cause ourselves some significant long-term issues. Optimally, we have network segmentation and can properly assign risk to each area. For those organizations who are subject to PCI-DSS, we already live in this type of a world.
By not applying defenses with more precision, we drive the price of our implementations way up. Instead of being able to purchase only the seats/volume/servers that we need to mitigate the actual risk, we are paying the additional costs to apply the defense throughout the entire enterprise. This can extend the time to receive our return on investment (or even worse, eliminate the ROI altogether). The money and time spent implementing a solution in those areas which do not need it comes at the opportunity cost of the next item on our project list.
Resources are always scarce, and by better segmenting our defenses to only the scope required, we can protect our resources, and ensure we are applying them appropriately. In the short term, we invest more time in figuring out the real scope of the defenses needed, but in the long term we save on licensing, administration and hardware costs.
In an effective DiD implementation different layers have unique failure modes. That means that it should not be possible to defeat multiple layers of defenses with one single attack. This is an especially big concern if the countermeasures are similar in technology, or offered as a part of an all-in-one solution.
It should not be possible to defeat multiple layers of defenses with one single attack
As an example, consider web application security. We have an IPS system, a firewall and a web application firewall (WAF) protecting the end application. At first glance these three levels will satisfy or even exceed most definitions and requirements for DiD. But if the organization implemented all three of these technologies as a part of one unified solution, all three of them are susceptible to a single attack. With all three sitting on one hardware device, if an adversary is able to gain access to that one device either, physically or logically, he can disable all three defensive measures simultaneously.
The most effective DiD will require that these systems have no interdependencies, so that when one fails we can count on the others to continue protecting. By ensuring that their failure modes are unique we not only continue to receive partial protection if one of the measures is defeated, we also should get notified and have time to work on fixing the dysfunctional system before all layers are breached.
Supporting systems such as power supplies, internet connections or cooling units should be taken into consideration as well. If all your layers of defense are on the same generator or battery backup they may all be vulnerable to the same single event. Instead we should implement wholly separate support systems as often as possible.
As the defenders we have the ability to deal with threats at four increasingly severe levels.
Prevent > Detect > Mitigate > Recover
Preventing an attack keeps our systems clean. Detection allows us to defeat an attack when we’ve been exploited, but are still completely functional. Mitigation occurs when our systems have had functionality reduced, but are still operational. Recovery is the last step, and takes place when systems are completely knocked out.
An effective DiD model will not only contain multiple defenses to protect the network, but will include strategies for reacting to attacks at each of these levels. The program should include appropriate preventative safeguards, monitoring systems to let us know when our preventions have failed, and finally should have tools to restore functionality within an acceptable timeframe if a system is partially or completely incapacitated.
As malicious actors have proven time and time again, our current security programs are insufficient to provide adequate protection. Defense in depth has come under fire as a result. But it’s not the DiD model that has failed us, it’s our own incomplete implementations. The good news is we can do better. Now it’s up to us to start doing so.
Connect with Robb on Google+