Defense in Depth: Security Strategy or Security Blanket?

Wednesday, January 26, 2011

Robb Reck


There is an interesting phenomenon in the sports world surrounding fans and trades. It goes something like this...

Giants Fan 1, "Man, that Albert Pujols is really something else. I sure would like to have him on our team."

Giants Fan 2, "We should offer the Cardinals three of our mediocre players for him."

Giants Fan 1, "That'll never work, they won't give him up for three mediocre players."

Giants Fan 2, "Okay, we'll give them 5 of them... heck give them 7 mediocre players!"

Giants Fan 1, "Yeah... this is starting to sound real good."

The fallacy is that if you add up enough average players, they are worth a superstar. Or, as I've heard it put, make a tall enough stack of trash and it just might work. The problem is that no amount of mediocre talent adds up to Albert Pujols' value. He is simply worth too much to be replaced by a commodity. The same is true of any exceptional talent.

So, what does this have to do with information security? This seems to be the same strategy many organizations use when it comes to implementing defense in depth. They focus on making the tallest pile of security measures. But when it comes down to it, a mile's worth of depth isn't worth one truly effective measure.

We have all heard that a defense in depth is required for an effective security program. But in many ways defense in depth has become a security blanket for companies, rather than a security strategy. The number of different technologies may give a nice sense of security, but provides negligible added value.

This means that organizations racing around trying to purchase and implement the latest and greatest should stop. Take a hard look at the systems you already have in place, and figure out what you're actually getting from them. Real risk mitigation is not about having all the greatest countermeasures; it's about making sure the countermeasures you have in place can do the job.

This is good news for just about everyone involved (though not so much for the VARs and technology manufacturers who will be losing the sales). The company saves money by not buying every solution out there. By focusing on the highest-impact defenses first, and implementing them thoroughly, it can spend less on new technologies while getting more results.

The technical employees win because they can invest more time in understanding and mastering the technologies already in place. There is a ton of value in being the master of a few technologies rather than merely familiar with many.

For those companies who see themselves stuck in this situation, think of this as a money saving opportunity. Look at your security stack, and do some real analysis on the technologies you have deployed. Are they really providing the security they promised? Are there significant features and functions you haven't even turned on yet because you haven't had the time or staff? Take the time to answer these questions truthfully and candidly. Your answers should lead you to optimize or drop those which aren't currently supplying significant value.

After you have maximized the impact of each of your technologies, it very well may make sense to add more depth. That new web application scanning tool or DLP technology absolutely can make your organization safer. But by putting off their implementation until the rest of your tools are properly configured, you not only save money, you make your organization more secure.
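The "real analysis" of an existing stack described above can be made concrete. The script below is an added example, not part of the original post: it takes an inventory of deployed controls, each with the threats its features mitigate and which of those features are actually switched on, and sorts the threat list into gaps, thinly covered threats, threats that a licensed-but-disabled feature would already handle (the free wins), and the residue where a purchase is genuinely justified. It also flags controls that mitigate nothing on the list as configured and controls that add no coverage another control doesn't already provide. The threat names, control names and feature flags in sample_inventory() are constructed for illustration; replace them with your own inventory.

```python
"""Control-coverage audit for an existing security stack.

Added example, not from the original post. The threat list, controls and
feature flags in sample_inventory() are a constructed inventory.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Control:
    name: str
    # feature -> threats that feature mitigates, but only when it is enabled
    mitigations: dict[str, set[str]]
    # features actually turned on in production
    enabled: set[str]

    def effective(self) -> set[str]:
        """Threats mitigated as currently configured."""
        return set().union(*(t for f, t in self.mitigations.items() if f in self.enabled))

    def dormant(self) -> set[str]:
        """Threats the control could mitigate if its unused features were enabled."""
        return set().union(*self.mitigations.values()) - self.effective()


def audit(controls: list[Control], threats: set[str], min_depth: int = 2) -> dict:
    """Classify threats and controls so the cheapest fix is visible first."""
    coverage = {t: sorted(c.name for c in controls if t in c.effective()) for t in threats}
    gaps = {t for t, names in coverage.items() if not names}
    shallow = {t for t, names in coverage.items() if 0 < len(names) < min_depth}
    weak = gaps | shallow

    # Already-licensed features that would close a gap or add depth: enable before buying.
    quick_wins = {c.name: sorted(c.dormant() & weak) for c in controls if c.dormant() & weak}
    reachable = set().union(*(set(v) for v in quick_wins.values()))

    # Deployed, but nothing that is switched on mitigates a threat on the list.
    idle = sorted(c.name for c in controls if not (c.effective() & threats))

    # Controls whose effective coverage is fully duplicated by the other controls.
    no_unique = []
    for c in controls:
        eff = c.effective() & threats
        others = set().union(*(o.effective() for o in controls if o is not c))
        if eff and eff <= others:
            no_unique.append(c.name)

    return {
        "coverage": coverage,
        "gaps": sorted(gaps),
        "shallow": sorted(shallow),
        "quick_wins": quick_wins,
        "buy_needed": sorted(gaps - reachable),   # no dormant feature reaches these
        "idle": idle,
        "no_unique_coverage": sorted(no_unique),
    }


def sample_inventory() -> tuple[list[Control], set[str]]:
    """Constructed inventory for illustration only."""
    threats = {
        "inbound-exploitation", "malware-on-endpoint", "web-app-injection",
        "data-exfiltration", "lateral-movement", "phishing-credential-theft",
    }
    controls = [
        Control("Perimeter firewall",
                {"stateful-filtering": {"inbound-exploitation"},
                 "egress-filtering": {"data-exfiltration"}},
                {"stateful-filtering"}),
        Control("Endpoint AV",
                {"signature-scan": {"malware-on-endpoint"},
                 "behavioral-blocking": {"malware-on-endpoint", "lateral-movement"}},
                {"signature-scan"}),
        Control("Network IPS",
                {"inline-blocking": {"inbound-exploitation", "lateral-movement"},
                 "ssl-inspection": {"web-app-injection"}},
                {"inline-blocking"}),
        Control("DLP",   # bought, installed, nothing enabled yet
                {"endpoint-agent": {"data-exfiltration"},
                 "network-monitor": {"data-exfiltration"}},
                set()),
        Control("Web app scanner",
                {"scheduled-scans": {"web-app-injection"}},
                {"scheduled-scans"}),
        Control("Gateway AV",
                {"gateway-scan": {"malware-on-endpoint"}},
                {"gateway-scan"}),
    ]
    return controls, threats


if __name__ == "__main__":
    controls, threats = sample_inventory()
    for key, value in audit(controls, threats).items():
        print(f"{key}: {value}")
```

On the constructed inventory the only threat that actually justifies a purchase is phishing credential theft; data exfiltration is a gap only because the firewall's egress filtering and the already-installed DLP are switched off, and the two thinly covered threats are each reachable by enabling a feature the organization already owns. Treat "no unique coverage" as a prompt, not a verdict: a control in that list is pure depth, which is fine if depth was the goal and waste if it wasn't.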

Cross-posted from Enterprise InfoSec Blog from Robb Reck.

Kenneth Bechtel You're not the first to comment negatively on Defense in Depth. However, you like everyone else who's dismissed it focus on the poorly implemented, buy the latest and greatest, which is NEVER the answer. I wrote an article for Security Focus back in 2003 http://www.symantec.com/connect/articles/anti-virus-defence-depth which showed proper leveraging of anti-virus/anti-malware and intrusion detection, when used right, will complement each other, and improve overall defensive posture. This article was re-examined and the findings published at the 2008 Virus Bulletin Conference, finding that with a few minor tweaks to address new attack methods (which were addressed as low threat in the initial paper, but were being used currently) the model is still sound. In fact, I know several Fortune 100 organizations leveraging this model and have reduced their attack footprint, without having to change tools to the latest and greatest (although software patching for security vulnerability and end of life, are required).

As such carpet statements such as Defense in Depth is a Security Blanket is disingenuous at least, and dangerous at best.

Ben Keeley 'We have all heard that a defense in depth is required for an effective security program. But in many ways defense in depth has become a security blanket for companies, rather than a security strategy. The number of different technologies may give a nice sense of security, but provides negligible added value.' - I disagree with this. I would always go defense in depth and not because it's a security blanket, but because I want an environment that if one of my controls doesn't behave as expected, I'm still reasonably protected. I would always choose a collection of maybe out of date but well configured firewalls, IPS, Server Hardening, Patching, security policies, physical security etc over the latest go-faster product from company 'x'.

Rod MacPherson Redundancy is good. Having a fall back if the main defense fails is a good idea, but it's important to look at what you NEED before adding more layers to an existing defense.
I think the strategy for buying new security products should be to figure out what your attack surface actually is. Then find the defense to fill your gaps... then work on redundancy.

I think a lot of the Defense in Depth hype started when organizations only had a firewall at the perimeter and anti-virus on the hosts. Going forward from that point and adding IDS/IPS and host firewalls, and network based anti-virus seemed a good route. More layers, especially layers that the users couldn't alter themselves, were good. Now that all that tech is in place for most organizations, just adding more of it doesn't make you more secure. Finding where you are vulnerable still and trying to remedy that... that makes you more secure.

More than buying new tech, I think most places would benefit more from additional staff training. Learning to do more with what you have is probably a much better spending strategy than just buying the latest, greatest gizmo and installing it in a half-baked way, trusting that the smart people that made it know exactly how to protect your environment.

Ben Keeley 'Redundancy is good. Having a fall back if the main defense fails is a good idea, but it's important to look at what you NEED before adding more layers to an existing defense.
I think the strategy for buying new security products should be to figure out what your attack surface actually is. Then find the defense to fill your gaps... then work on redundancy. ' You won't get any disagreement from me :o) We all run regular vulnerability checks on our systems right....

Kenneth Bechtel Rod and Ben bring up a very valid point. Just adding or bolting on the latest greatest application or appliance is not necessarily defense in depth or adding a new layer, most often DiD exists, but is improperly managed or integrated and then it's not doing the job as intended. Proper maintenance and administration are a MUST.

Robb Reck Hey guys, thanks for taking the time to read and comment on this post.

Let me first say that it was not my intention to suggest that defense in depth is bad or worthless. Defense in depth is simply a strategy of how we apply different types of countermeasures to combat a threat. There is a right way and a wrong way to apply DiD. We can all agree on that, right?

The right way is dealing with threats as Rod said. Assess your environment and figure out what technologies can work to reduce your overall risk posture.

The wrong way is by simply trying to stack more security technologies on one another because of the misconception that "more technologies = more secure." While I don't know any IT leaders who would ADMIT to building their security programs that way, I know many who end up doing exactly that. They base their upgrades on trendy solutions that they read about on the web rather than doing the real work of figuring out what their individual environment needs.

My intention is not to say that defense in depth is a security blanket, it's to say that it CAN BE a security blanket (offering perceived value, but little real value) if it's implemented incorrectly. The flip side is that it can instead be an effective and efficient security strategy that provides excellent benefits.

Which is true in your environment depends on the quality of the implementation and self-awareness of your organization.