If you’ve been in security for more than five minutes, you’ve undoubtedly heard all about “defense in depth”. Against today’s threats, it’s very important to have layers to your defenses. Modern malware is designed to evade traditional security detection and remediation tools. Hackers and criminals are getting very insidious and can fly past defenses to strike right in the heart of your user base.
But what is defense in depth when you really look at it? Most people trying to sell you a solution will tell you that depth in this case is all about buying more devices and services to layer on top of your existing infrastructure. But there’s a fallacy in that whole approach.
At the recent Security Field Day in Silicon Valley, Wolfgang Goerlich had a great presentation about defense in depth and how it’s not unlike a tower defense game.
Have Fun Storming the Castle
For those who may not know, tower defense is a style of game where you position static assets designed to defend against attackers. Each of these assets has some kind of special ability to defend against certain kinds of attackers and is weak against others. Wolf’s analogy is spot on when it comes to the parade of companies that want to sell you more security assets to stop people from marching in the front door.
What Wolf brings up as important to the whole idea of defense in depth is strategy. Just like in a tower defense game, it’s not the assets you’re given but how you place them that matters. You have to have certain pieces in certain places to stop attackers before they get too far into your enterprise. And since you’re usually working with a limited budget to buy assets or limited space to place them, the key is using what you have effectively, with a plan.
Wolf’s talk goes into some of the frameworks that are important to consider for incident detection and response. I especially loved his callout of the MITRE ATT&CK database, which is a roadmap for how most attackers decide to exploit your insecure systems. Just like in the tower defense game, attackers are going to follow similar paths almost every time. If you know where people are going to be exploiting or attacking you, it makes sense to deploy your assets there to make the most of those chances to stop attacks.
Also critical is how you handle things when they get through. Security professionals have to be on their game for every attack attempt against their systems; the criminals only have to get lucky once. That means you have to use what you have in the best possible way every time to make sure you’re catching everything you can. And yet, something will always slip through. That’s when detection becomes response, and that’s where the NIST frameworks come into play. One that Wolf loves is NIST 800-53B, which talks about risk in federal systems. If you know what your risk profile is, you know how to respond to things. You know that POS endpoints talking to the wrong things in your network is a huge risk. But you also know that certain systems can be left less secure because they have no impact on operations.
Bringing It All Together
The real key to defense in depth is having actual depth to your process and policies. By having a plan for combating the bad guys as soon as they appear and using your resources effectively, you can stop almost everything before it gets into your enterprise. And if something does slip through, real depth will let you adjust, respond, and mitigate as much risk as possible before you become a headline on the Internet about the failures of defense by SKU.