The Myth of Defense in Depth

Wednesday, January 25, 2012

Rafal Los


The Myth of Defense in Depth in the Modern Technology Landscape

Analysts always offer an interesting spark to conversations, don't they? 

I had a Twitter exchange with Neil MacDonald of Gartner recently that got me thinking again about the concept of defense in depth, in the way we've been thinking about it in IT security for the past 20 years or so.

So just what is the state of defense in depth in today's technology landscape?  To understand where I'm coming from, I should explain that I've been doing security (that is, implementing security measures in corporate environments) since about 1997 - a little before all this became cool and hip as far as the niche of "Infosec" goes.

You see, there are two parts to the idea of defense in depth - the concept and the implementation.  It's easy to talk about the concepts behind defense in depth, but implementing them effectively in today's technology landscape... well, that may be an entirely different cup of tea.

Neil mentioned the loss of control over devices, applications, and systems - as organizations race toward a service- or utility-based technology model (a la "cloud computing"), this loss of control makes defense in depth more critical than ever to security.  Let me clear some air - I don't disagree in concept. The problem, of course, is that concept is not real-life implementation.  Allow me to explain more in depth here...

Remember just a few years ago, before the prevalence of web applications, when you had to perform some serious hacker-ninja stuff to get at the enterprise treasures? 

The attacker would need to penetrate a firewall, find an exploit against a listening port/socket, and defeat an operating-system-specific, processor-specific protection mechanism (accounting for 32-bit or 64-bit architectures) - and maybe then, if you hadn't made too much noise, you could get a foothold on the system and look around before getting caught.

In this case, defense in depth worked (or should have worked) brilliantly if implemented with the right technical aptitude because of the notion that somewhere along the way you would encounter a technical roadblock that would either stop you dead, or trip a sensor that would alert the security teams to your presence.

While the above case can work as a flawless example if you have a firewall, network IPS, system-level IPS, good patch management, and a half-decent enterprise centralized logging and analysis system, it all falls apart when we go to what we've got today in many organizations.  Try to implement defense in depth for web apps, where a single SQL injection will compromise an entire enterprise database without tripping a single bell.

Sure, you can have that same firewall, network and system-level IPS, and be up to date on patches... but that SQL injection sneaks in because it's been obfuscated by a creative attacker, and your SQL database is necessarily exposed to the Internet through the application.  Game over.

Another example of where defense in depth fails the modern enterprise is data.  There simply are no good, effective tools for protecting data as it traverses systems within your organization and as it leaves your control. 

Yes, we as an industry are trying like mad to address the problems, and data loss prevention mechanisms and other strategies are being deployed en masse, but it's still largely a bloody battlefield littered with the corpses of some of the largest enterprises out there that have lost a laptop (or desktop, yikes!) containing a spreadsheet with all of their employee data.

How does all that traditional approach to defense in depth help in this scenario?  The old implementation of defense in depth is inept, inadequate, and simply put - past its shelf life. As a concept, defense in depth is still absolutely necessary but it needs to be re-thought to accommodate for the evolutions and revolutions in technology and business practice over the last decade. 

Everything from how we hire employees, to how we manage data, to how devices connect to our networks and how we authorize packets between our private internal (if there is such a thing anymore) networks and our clouds and our partners must be analyzed and given a defensive posture.  Design adjustments must be made with minimalist principles - remember "least privilege" from back in the old days? 

It's more important than ever now... and it should be the first principle in designing anything.  An application that accesses a database should get the minimal amount of exposure, with the minimal number of users, the minimal amount of data, and the minimal amount of network access... and so on.
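As an added illustration (not part of the original post), the following Python script, using only the standard library's sqlite3 module, reproduces the two points above in miniature: a signature-style perimeter filter that a lightly reworded injection slips past, the same lookup built by string concatenation versus a parameterised query, and a "least privilege" database connection, implemented with sqlite3's authorizer hook, that refuses to read anything beyond the two customer columns the application needs, so even a successful injection cannot reach the employee table. The schema, rows, blocklist patterns and payloads are all constructed for the example.

```python
import sqlite3

# Constructed sample schema: "customers" is the only table the application
# legitimately needs; "employees" stands in for the spreadsheet-style data
# the post describes, which the application has no reason to touch.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT);
INSERT INTO customers (name, email) VALUES ('alice', 'alice@example.org');
INSERT INTO customers (name, email) VALUES ('bob', 'bob@example.org');
INSERT INTO employees (name, ssn) VALUES ('carol', '000-00-0001');
"""


def open_db():
    """A fully privileged connection: the traditional 'the app owns the DB' setup."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# Signature-style blocklist of the kind a network IPS or WAF might apply.
# Constructed for the example; real products carry far larger lists.
BLOCKED_PATTERNS = ("'1'='1", "union select")


def perimeter_filter(value):
    """True if the input passes the blocklist, i.e. the perimeter lets it in."""
    lowered = value.lower()
    return not any(p in lowered for p in BLOCKED_PATTERNS)


def lookup_vulnerable(conn, name):
    """The 'before': the input is spliced into the SQL text and becomes grammar."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter is always data, never SQL grammar."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Least privilege: the application may read exactly these (table, column)
# pairs and nothing else. Everything beyond them is denied by the database.
ALLOWED_COLUMNS = {("customers", "name"), ("customers", "email")}


def least_privilege_authorizer(action, arg1, arg2, dbname, source):
    """sqlite3 authorizer callback (a standard-library hook, not an invented API).
    Permits SELECT statements and reads of the allowed columns; denies every
    other read and all writes or schema changes."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and (arg1, arg2) in ALLOWED_COLUMNS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_least_privilege_db():
    """Same data, but the connection handed to the application is confined.
    The schema is created before the authorizer is installed."""
    conn = open_db()
    conn.set_authorizer(least_privilege_authorizer)
    return conn


# Constructed payloads. The first rewords the classic tautology so the
# blocklist misses it; the second tries to pull the employee table through
# the vulnerable lookup.
TAUTOLOGY_PAYLOAD = "x' OR 2>1--"
UNION_PAYLOAD = "x' UNION SELECT name, ssn FROM employees--"


def blast_radius(conn):
    """What the vulnerable lookup exposes on this connection: 'leaked' if the
    union payload returns employee rows, 'denied' if the database refuses."""
    try:
        rows = lookup_vulnerable(conn, UNION_PAYLOAD)
    except sqlite3.DatabaseError:  # authorizer veto surfaces as "not authorized"
        return "denied"
    return "leaked" if rows else "denied"


if __name__ == "__main__":
    full = open_db()
    print("filter blocks classic tautology:", not perimeter_filter("x' OR '1'='1"))
    print("filter passes reworded one:     ", perimeter_filter(TAUTOLOGY_PAYLOAD))
    print("vulnerable lookup, full rights: ", lookup_vulnerable(full, TAUTOLOGY_PAYLOAD))
    print("parameterised lookup:           ", lookup_safe(full, TAUTOLOGY_PAYLOAD))
    print("blast radius, full rights:      ", blast_radius(full))
    confined = open_least_privilege_db()
    print("normal query still works:       ", lookup_safe(confined, "alice"))
    print("blast radius, least privilege:  ", blast_radius(confined))
```

The point of the last two lines is the one the paragraph makes: the confined connection still answers the application's legitimate query, but the same vulnerable code that leaks the employee table on the fully privileged connection gets an error instead. In a real deployment the equivalent of the authorizer is a database account granted only the views or columns the application needs; the perimeter filter and the parameterised query are the other two layers, and none of the three is sufficient alone.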

So, is defense in depth a myth, as my title here suggests?  If you're coming at it from the implementation perspective, like I am, then the answer is yes.  I see many in the industry continuing to apply the same defense in depth principles that served back when the technology landscape was completely different - and failing miserably without understanding why.

I think the principles of defense in depth are timeless but when your enterprise landscape lacks depth (see graphic) then they are harder to apply in the traditional sense and are relegated to a mythical status.

With that, I'm fairly convinced we have an uphill battle in information security.  The threat landscape is changing faster than we can adapt to it, the enterprise is becoming more shallow in nature (flattening, for you network folks), and defense in depth is becoming a myth. 

Don't let it become a myth you tell your kids one day.

Cross-posted from Following the White Rabbit

Don Eijndhoven: So what you're basically saying is that you've never seen an actual defense-in-depth strategy implemented properly? Your examples indicate that you have the wrong idea of a good Defense-in-depth implementation. You speak of, and I quote: "a firewall, network IPS, system-level IPS, good patch-management, and a half-decent enterprise centralized logging and analysis system" which is all nice and good. But that's NOT where defense-in-depth stops.

A good strategy is based on the premise that you insert as many barriers as possible between your attacker and your critical data or systems. All you've implemented is the outer shell of firewalls and IDS/IPS. Sure, patch-management is a part of it, but a proper implementation also features nailing down each system (hardening) as tightly as possible, limiting as much traffic internally (as well as externally) as possible, maintaining excellent account maintenance, applying data classification schemes to limit the amount of authorizations, using paper shredders at the office, having physical access control to both your systems as well as your offices and so on, and so on. I really could go on for another half hour because there are so many possibilities. Your portrayal of a Defense in Depth strategy seems to be clearly limited to IT security systems and that's just not all of it.

I'm saying all of this because your article's title and some of its content seem to sell Defense in Depth as unattainable while it is the best possible kind of defense out there. You shouldn't be trying to deter people from it, you should drag them towards it (kicking and screaming if you have to).

Don Eijndhoven: Ehr, I just noticed you mentioned a few of those things that I had skipped the first time over. Why do you bury the most important message under a pile of naysaying?

Anton Aylward: Defence in Depth is really a military concept and is based on the idea of "ablation".

There's a cold-war era joke about a Polish man who gets three wishes from the Genie in the Lamp. All three are the same: that the Chinese red army invades Poland and is repulsed. When asked to explain he says that the Red Army would first have to battle its way across Russia. Preferably in January and February.

Ablation. Thickness of Armor.

But if you can get around the armor, as with many tanks which are only shielded on the front, or as with the Maginot Line, then the concept of Defence In Depth or ablating the armor is meaningless. An attack that doesn't focus on the armor is much more likely to succeed.

There is no shortage of examples in commerce and geopolitics of ways round Defence In Depth. RSA was brought down despite excellent 'traditional' security technology. Enron was brought down by a failure in Integrity.

There's a saying that is attributed to various luminaries of the profession:

"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

Defense in Depth is a dubious strategy for the military unless you have a lot of resources to sacrifice; for IT security it is almost meaningless. The implementation fails because the concept is inappropriate. It may be fundamentally wrong as well, but that's another matter.

Damion Waltermeyer: Your example of SQL exploits. It fails to take into account the layering of defense in depth upon the SQL server itself. You'd want separation of services and servers, layers of data validation, authentication and sanitation built into a structure like that. Not doing so in today's environment is fairly negligent for the exact reasons you express in the article, but it is not a reflection on the concept of defense in depth, only on some organizations' implementations.

Anton, properly executed there should be no way "around" defense in depth. It isn't a ring, but a sphere, like an onion around the whole, and a separate internal onion around each of the parts. There is nothing infallible, but as a concept it is hard to argue with the security of a properly designed and implemented defense in depth Computer, Physical and Social level security program.

Damion Waltermeyer: Pondering the responses, I'm wondering what instead is a better way of approaching security other than the defense in depth model that won't leave you even more open to the flanking vulnerabilities. Thoughts?
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.