We’ve probably all been in that meeting. A senior leader is asking why we have so many security controls doing essentially the same thing. In the war against cost and complexity, it’s not a good look. Then, a witness for the defense speaks up and says simply
“Defense in depth.”
The rest of the defense team nod to each other knowingly and we rest our case.
After a few recent conversations on ‘Defense in depth’, it’s clear that not everyone interprets the strategy in the same way, and it’s probably leading to some organizations feeling more secure than they should.
The term Defense in Depth is a military one, based on layering your resources. Rather than a strong single line of defense, the defender deploys their resources in layers. The intention is to slow the attacker and render them vulnerable to counterattack as they progress. Medieval castles were often built this way, with concentric walls. Once attackers breached the outer wall, they would be cut off from their main force and vulnerable while trying to overcome the inner wall. In this example, the walls aren’t directly defeating the attacker; the defenders on the ramparts hurling rocks, oil and pitch are.
Fortunately for us, it’s generally a less gruesome scene in cyber warfare, and our take on the strategy is quite different to the original. Rather than rendering attackers vulnerable, the strength of our design is that each of the layers is different. The aim is to limit the effectiveness of an attack by forcing the attacker to use different techniques to defeat each layer before they can reach the castle keep. We might put a moat between those walls, throw in some alligators, some archers…defense in depth.
Unfortunately, this is precisely how we got into trouble in the first place. By adding these bells and whistles, we’re not really improving our depth; we’re simply strengthening an existing line of defense. Whatever tactics our enemy was planning to use to overcome the wall will probably still work, with a bit of tweaking. Catapults can launch higher, ladders can be longer, tunnels deeper, etc.
But what if their plan didn’t involve the walls at all? Perhaps they’re planning to poison the castle’s water supply or have a spy in the gatehouse. Designing layers of controls which are effective against diverse attack vectors is real depth. A well-crafted phishing email might bypass the firewall, IDS, AV, access control, security monitoring, awareness training, etc. It might be only a good proxy server policy that prevents a user from entering their credentials into a bogus site.
Zen and the Art of CyberDefense
Rather than throwing a new shiny kitchen sink at your perimeter to keep bad stuff out, think about your defenses from the asset outwards. Ask yourself what you need to protect and how it could be compromised. There’s a good chance that the enemy is already somewhere within your walls. If not, they will probably be in soon. So, start with good fundamental security hygiene: authentication, privileged access management, access control, segmented networks, vulnerability assessment and patching, standard images, compliance processes, application and third-party security reviews, etc. These controls aren’t usually expensive if you’re doing them right; they just need a bit of discipline and strong governance. Once these building blocks are in place, feel free to add some more exotic tools if they are warranted, but don’t start eyeing your neighbour’s machicolations until you’re fundamentally sound. Otherwise, the increases in cost and complexity will eventually come back to bite you.
Finally, even if you are covering the fundamentals and building in diversity, leaning towards defense in depth still carries risk, because it can hide sloppy controls. “We’re OK if layer A fails, because we have layer B”. If A does fail, will layer B hold up? For us to know the answer, we’d need to regularly test A and B independently of each other. Perhaps some Cyber superstars are diligently doing this today for all their depth layers, but I can’t say I’ve met any of them yet.
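The two questions raised above, whether a new control adds depth against vectors nothing else stops or merely thickens an existing wall, and whether layer B actually holds for each vector when layer A fails, can be put in concrete form as a coverage model. The following is an added illustration, not code from the original post; every vector name, control name and coverage set in it is constructed for the example, and in practice those mappings would come from your own threat model and from testing each control on its own.

```python
"""Coverage model for layered security controls.

Added illustration, not part of the original post. All vectors, controls and
coverage sets below are constructed for the example; real mappings come from
your own threat model and from independent testing of each control.
"""

# Constructed catalogue of attack vectors the defender cares about.
VECTORS = {
    "inbound_exploit",   # exploiting an exposed service
    "sqli",              # injection against a web application
    "known_malware",     # commodity malicious binary
    "c2_beacon",         # outbound command-and-control traffic
    "credential_phish",  # user enters credentials on a bogus site
    "password_spray",    # guessing against a login portal
}

# Constructed map of control -> vectors it has been *tested* to stop.
CONTROLS = {
    "firewall":     {"inbound_exploit"},
    "ids":          {"inbound_exploit", "c2_beacon"},
    "waf":          {"inbound_exploit", "sqli"},
    "av":           {"known_malware"},
    "proxy_policy": {"credential_phish", "c2_beacon"},
    "mfa":          {"credential_phish", "password_spray"},
}


def covered(deployed):
    """Union of vectors stopped by the deployed controls."""
    return set().union(*(CONTROLS[c] for c in deployed))


def uncovered_vectors(deployed, vectors=VECTORS):
    """Vectors that walk past every deployed layer."""
    return set(vectors) - covered(deployed)


def marginal_coverage(deployed, candidate):
    """Vectors a new control would stop that nothing deployed stops yet.

    An empty result means the candidate only thickens an existing wall
    rather than adding depth against a different vector."""
    return CONTROLS[candidate] - covered(deployed)


def layers_per_vector(deployed, vectors=VECTORS):
    """How many independent layers stand in front of each vector."""
    return {v: sum(v in CONTROLS[c] for c in deployed) for v in vectors}


def exposed_if_fails(deployed, failed):
    """Vectors with no remaining layer once `failed` silently stops working:
    the 'does B hold if A fails' question, answered per vector."""
    remaining = [c for c in deployed if c != failed]
    return CONTROLS[failed] - covered(remaining)


if __name__ == "__main__":
    perimeter = ["firewall", "ids", "av"]
    print("Bypasses the perimeter stack:", sorted(uncovered_vectors(perimeter)))
    print("Adding a WAF newly stops:", sorted(marginal_coverage(perimeter, "waf")))
    print("Adding proxy policy newly stops:",
          sorted(marginal_coverage(perimeter, "proxy_policy")))
    full = perimeter + ["proxy_policy", "mfa"]
    print("Layers per vector:", layers_per_vector(full))
    for c in full:
        print(f"If {c} fails, nothing stops:", sorted(exposed_if_fails(full, c)))
```

Run as a script, it shows the perimeter stack letting credential phishing, password spraying and injection straight through, a WAF adding only one new vector to that stack, and, once the proxy policy and MFA are in, the vectors that still depend on a single control (here commodity malware on AV alone and password spraying on MFA alone). Those single-layer vectors are the ones where "we're OK if A fails" is not true, and the `exposed_if_fails` check is the kind of per-layer test the paragraph above says should be run regularly.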
Sometimes, Cybersecurity can seem a bit like rocket science, but the truth is that the most sophisticated solution to a problem is usually also the simplest. Continually adding layers of obstacles in front of attackers isn’t sophisticated or simple. After all, we have finite resources to repel an infinite number of attacks. In our world, less needs to be more; doing a few things well is better than trying to do too much. Today, most data breaches still stem from lack of fundamentally sound security practices, despite the billions of dollars spent every year in the name of defense in depth.