The western front of World War I started out highly mobile and dynamic. It wasn’t until the armies quickly utilized basic entrenchments that the famous stalemate began. These basic trenches eventually grew to become a massive array of communications lines, barbed wires, and bunkers.
Worse yet, this first layer of defenses was always backed up by redundant trenches from which a separate defense could halt a breakthrough. This concept of overlapping, redundant defenses that contains multiple layers is known as defense in depth. Cybersecurity approaches mirror these military defensive networks in more ways than one.
A firewall can be the cybersecurity equivalent to a basic trench. Bunkers and barbed-wire would be our perimeter network security appliances. Even the communications lines, with the critical role of reporting a breakthrough, have a modern equivalent in the SIEM/SOC 24/7 alerting.
One of the core factors of the stalemate of trench warfare being broken was the development of “infiltration tactics”. This new doctrine focused on exploiting every small breakthrough. The parallels to modern cyberattack tactics are uncanny. Security was previously all about the perimeter, but in the past few decades, things have changed. Small breakthroughs and “living off the land” are the bread and butter of advanced attackers.
While our analogy might not extend to modern security perfectly, it does help to get the overall picture across. Modern security relies on an absolutely daunting array of tools, procedures, and policies in order to maintain the frontline and ensure that infiltrations are dealt with quickly and effectively.
This post will be the first part of a series that helps define some of the securities available to companies looking to enact a more robust security stack.
Defense in Depth
Defense in Depth is simply defined as having security controls in more than one of the three areas of security. Generally, the three areas are regarded as Administrative Controls, Physical Controls, and Technical Controls. This definition almost universally includes all businesses to some degree. For example, if a company has a basic firewall and locks on their doors they technically have a “defense in depth” approach. However, designating such a company as secure would be a gross misrepresentation of the term. In order to adhere to the conventional defense in depth doctrine, a company must make every effort to cover as much as possible while maintaining current controls.
Defense in depth generally assumes that the controls are used to block or delay a threat until it is eradicated. Infiltrations will happen, it’s up to the controls to help remediate these issues before they get more serious. Generally, it will be a question of “when” not “if” when it comes to security threats. A breakthrough will occur at some point, but theoretically, the array of defenses should at least delay any critical event. With the proper controls, even the most threatening breakthroughs can be dealt with via human intervention.
Control and Vendor Diversity
Administrative, physical, and technical controls all play their part in creating a defensive grid for a company. Furthermore, vendor diversity within these controls can help ensure that there is no uniform risk within your security assets. Below we will define these concepts and provide some basic concepts. Note that none of these categories are rigid, and they are definitely not mutually exclusive. It is entirely possible for something to fall into every category. Look for future posts that go into greater detail regarding the options provided within each control category.
The least intuitive of the three areas, administrative controls nevertheless provide a vital backbone for the company’s security plan. These controls can define the methods used by the business to hold-up certain standards. A good rule-of-thumb for determining if a control is an administrative control is to analyze whether a person implemented the control. A security audit would be a prime example of an administrative control. This audit is not automatic and required business support in order to occur. Training is another good example of an administrative control. Administrative controls usually require extensive documentation and planning.
Sometimes physically keeping the bad guys out can be the most important part of securing an environment. It doesn’t matter what kind of impregnable security stack a company has if an attacker can simply walk into the office and destroy the servers. Physical security controls are things that you can physically touch that provide enhanced security. The most common examples would locks on a door, security guards, badge readers, and other physical assets. Note that even an HVAC system can be considered a physical control if it helps keep systems cool and mitigates risk.
Simply put, these controls are the use of technology to mitigate threats or reduce vulnerability. Technical controls are usually the flashiest and newest controls due to ever-advancing technology. While every control category has its place, technical controls are vital to actually do the work. Without a firewall or other basic technical controls, no amount of administrative finesse will protect your network from the maelstrom that is the internet.
While this isn’t strictly a control type, it is still an important concept in the defense-in-depth doctrine. Utilizing a single vendor can leave a company overly vulnerable to price changes, end-of-life, and unpatched vulnerabilities within the software. Diversity is good, and maintaining a strict policy of vendor diversity can help prevent security holes generated from vendor error.
Extended Definitions and Examples
This overview just scratches the surface of Defense in Depth. Now that we have these basic terms and concepts defined, look for next month’s article covering in-depth examples of administrative controls and some of the current solutions used by today’s top enterprises. For more details on current security controls, be sure to check out the NIST documentation on security controls: https://nvd.nist.gov/800-53.