Defense in Depth is necessary, but not sufficient... or How Do We Improve Defense in Depth?
On March 22nd I had the opportunity to participate in a workshop organized by the Special Cyber Operations Research and Engineering Committee (an interagency working group that coordinates cyber security research in support of national security systems). This was the first in a series of planned workshops which are intended to challenge long-held assumptions in the cyber security world. The focus of this first workshop was Defense in Depth (DiD). Click here to read the full write-up of the agenda of the meeting.
The meeting consisted of about 50 information security professionals from a variety of sources, but with a strong emphasis on defense employees. In attendance were representatives from numerous government agencies and defense contractors, but also higher education, industry researchers, security companies, financial institutions, manufacturing, software companies and healthcare.
To set the stage we discussed the seriousness of the cyber threat. Cyber warfare raises the possibility that weapons may not fire when we count on them. Healthcare systems may not function properly when lives are at stake. The appropriate level of acceptable risk in these areas is extremely small, and therefore requires the very best security measures we can implement. The question of the day was; is defense in depth the best we can implement?
Defense in depth is necessary, but not sufficient.
One quote that was shared, which I believe sums up the consensus of the room was that, “Defense in depth is necessary, but not sufficient.” The alternative to DiD would be a single layer of exceptional security. And while one layer of exceptional security is superior to a dozen mediocre layers, it is not as good as two layers of exceptional security, or better yet, 10 of them. DiD as a model is sound, it’s our implementation of it that has been flawed.
I walked away from that meeting with two big take-aways for how defense in depth can be improved going forward.1. While depth in defense is necessary to achieve security it is not accurate to say “more depth equals more security.”
When we start with a completely unsecured system, the very first security measure we put in place is going to be the most effective. Implementing a well configured firewall in front of a wide-open webserver will have a tremendous impact. As we stack each incremental countermeasure on top of the firewall, we start to add depth. That depth adds more layers that attackers have to successfully navigate, that is a very good thing.
But as we add those additional defensive layers, we are also adding additional complexity for our system administrators. Keeping a webserver up to date by itself is a challenge. Add in the need to coordinate those updates with a firewall, and you’ve significantly increased the management workload. Now consider if you also needed to update an IDS system, IPS system, host based IDS/IPS system, log management system, SIEM, and web application firewall. That quick change to a web application goes from a few minute exercise to a mountain of administration.
Chart 1 is a rough model of the value we receive from each additional incremental security measure we implement. The first handful of security measures offer a great return, as the additional complexity is far outweighed by the security enhancements. Each additional security measure will see a higher cost in terms of complexity and administration, which erode the overall value. It eventually reaches a point where the costs of implement a measure actually outweigh the benefits received. After that point, each additional measure actually has a net decrease in the system’s overall security, due to the burden of additional complexity and management.
The point at which security measures decrease in effectiveness is proportional to the amount of resources available to the team managing them. With just one staff member, maybe you cannot successfully implement more than 2 or 3 security systems. With a large staff, you may be able to successfully implement dozens of them. But every organization has a saturation point.
Information Security management must take pains to understand their capabilities and ensure that planning doesn’t over-extend what the team can manage. That million dollars you spend on the latest and greatest gadget may cost you in dollars, time, and productivity without actually improving security at all.
2. The second concept I gained from this workshop is a bit more theoretical, but equally important in the long run. It was discussed in the workshop that an important way to make DiD more successful will be by leveraging each layer to exploit the data that the other layers gather. Instead of the end point protection software seeing only what data that hits that system, what if it could poll the internal network and perimeter systems to gain more info about the threat?
Example: Our external IPS sees seemingly good traffic from safelookingsite.com flowing to internal clients. Since the traffic seems legitimate the firewall lets it through. Unfortunately that traffic had a Trojan buried inside, and the IPS is unable to do anything about it. But what if that IPS had the ability to communicate with the enterprise antivirus server and detect that every system that is receiving traffic from safelookingsite.com is getting infected with a Trojan? Rather than the antivirus having to try to dig Trojans off the end points, and worrying about what damage they do in the meantime, we would be able to stop them from ever entering the environment.
It’s through this type of cooperative play between the layers that DiD can truly excel. Though it’s not made its way out to the market in mass, some security companies are already working on ways to implement this. This type of interconnectivity, combined with improved AI, could do some pretty amazing things.
Defense in Depth isn’t, and shouldn’t be, going away anytime soon. Installing multiple layers of security to protect critical information systems is a critical component to achieving acceptable security. The two major takeaways for improving DiD going forward:
- For those of us doing the implementing, we must get over our belief that more layers are always better. We need to take the time to study what our security needs require and resources can support.
- And for our researchers and vendors, please work to find ways the security layers can support one another to achieve greater security, rather than just increased administration.