
Defence in depth

Level 9

Ever since I started working in IT and took an interest in the Information Security aspect, I have heard the term 'defence in depth' being bandied around, qualified to varying degrees. In short, defence in depth is an approach where you have different security controls at different places in your overall system. It is also referred to as the castle approach, harking back to days of yore. In those days, having tall and thick walls was not always enough. You wanted to ensure there was only one entrance to your castle (ignoring the fact you might have several back doors for quick escapes!), a moat to protect your perimeter and a drawbridge to only allow authorised persons to come across. Once in, they would often need to relinquish their weapons, and the upper class people would often live in the middle of the grounds for further protection.

In the world of IT, the same approach is realised through the following, non-exhaustive list:

  • Firewalls. This is the drawbridge. Only allow traffic from the right sources, going to the right destinations. Everything else gets left outside the gate
  • IPS/IDS. You almost certainly want the Internet to get to your public web server, but if somebody out there is trying to attack a weakness in your application, a basic L3/L4 firewall won't cut the mustard. You need something that can look into the application traffic and determine if something untoward is happening. It can either drop the traffic, slow it down, send you an alert or even launch a counter attack depending on your setup
  • Patching. Vulnerabilities in your operating system, middleware and applications can often be mitigated by a security device such as an IPS, but what if the attacker is already in your network, behind this layer of protection? It is extremely important that you keep all your systems patched and have a rock solid patching policy that is adhered to. This not only refers to servers, but network devices, storage and any other device that your IT relies on
  • Physical. Where is your data physically kept? On a machine under your desk? In a comms room somewhere at your head office? Or maybe in a tier 3 data centre? You could have the best of breed security devices at every level in your network, but if you leave important printouts on your desk or like taking home some key files for the board on an unencrypted USB key, you are negating all the protection that they offer
  • Policies. It's all very well talking the talk, but if you don't have all of these steps and processes documented somewhere, people won't even remember that there is a way they are supposed to be doing something, or you'll end up with 10 engineers doing something in 10 different ways in a vague attempt to comply. Get buy-in from senior management and create a culture of security that people will not try to circumvent. Which leads to my next point...
  • Training. InfoSec training can traditionally be very dry and usually comes from a "let's plough through this stuff for another year" angle. That is because the people doing the training are often from an InfoSec compliance background rather than Security Operations, and it's a box-ticking exercise rather than an attempt to really engage people to be thinking about InfoSec all year round

The list above is brief and incomplete, but you can see that even in that list, there is a broad range of areas that need addressing to really give good protection.

My question to you now is, how good is your approach to information security? Have you worked at companies that have ignored most of these well known approaches? Have others been a shining beacon of how to protect your treasured resources? I look forward to hearing your thoughts and experiences.

26 Comments
Jfrazier
Level 18

Good list... like any good defense it has to be multi layered.

cahunt
Level 17

Procedures - which are your day to day practices based on your policies. Policies set the tone while the procedure is your execution.

Vegaskid
Level 9

Thanks Jfrazier. Even with all the prime time news stories regarding massive DDoS attacks, high profile attacks on companies such as Microsoft and Sony and the Snowden leaks, so many companies still pay little more than lip service to information security.

Vegaskid
Level 9

Thanks cahunt and good point. An overarching philosophy that drives policy creation, which is implemented via procedures.

jkump
Level 15

Good list. The layers are needed, and the breadth of those layers needs to be both independent and comprehensive. As I have moved through companies in my career it seems that some only think in terms of one method (firewall), but modern thinking is multi-layered (the security onion). Even having multiple types at the same layer (email screeners from two or more companies handing off as messages come in) and multiple firewalls protecting network segments. The use of VLANs and segmentation. Extensive filtering rules. Etc.

bspencer63
Level 12

Vegaskid,

One cannot have too many layers. The old security DID onion analogy... If they can't peel enough layers to get to the core, then you might have enough... I said MIGHT! Agree with cahunt, policies and procedures are a must!

No matter the complexity nor the diverse nature of the devices, we are only watching as others eventually will attempt and possibly get onto your Network. The most important part, IMHO, is what you do after they have gotten past the door knock and are inside. Active Rules? Alerts? Alerts with Active Rules? Encryption on disk, device, in transit, etc.? Or are you the one that will find it out many days, weeks, months later when you receive an email or are perusing your logs and see an anomaly and think, WTH just happened, when it actually happened and is either over or your entire Network has been compromised, data stolen, user account passwords changed!

Now, "Whatcha gonna do?", dang heard Macho Man Randy Savage saying that....

And let us not forget the most critical and easy access to any Network, the user!  No matter how hard you try, how much money you throw at your Network perimeter, how many layers of security your DID strategy employs, if you do not educate your users, you ARE DOOMED!  Even with training they can be manipulated and someone will eventually click a phishing scam email, but an educated user is definitely better than the opposite!  What do you think? 

But, nothing is perfect!  As NSS alludes to in this article: NSS Labs Report

Always enjoy security chats!

BSpencer

muwale
Level 12

nice

Vegaskid
Level 9

Thanks bspencer63. I will be looking a bit more at the human factor in an upcoming post.

Vegaskid
Level 9

Thanks jkump.

Vegaskid
Level 9

Thanks muwale.

mr.e
Level 14

While on the subject of firewall rules... 

I hear that some tend to forget to add comments to the rules they create (or modify). That is not good since it could lead to confusion as to why the rule was created (or modified). This is critical, regardless of whether the firewalls are managed by one person or by a team. Lack of comments on firewall rules demonstrates lack of foresight and poor planning. What happens if the firewall manager is sick, or gets rolled over by a bus?

Vegaskid
Level 9

Thanks mr.e. I would take it a step further and say that all changes to config should be documented, whether additions, deletions or changes. Because this can only be done in limited sections of a firewall config, my preference is to capture this metadata elsewhere, usually in a ticketing system. That way, I can see what changes were made to which assets, when and why. It also helps keep the config cleaner, especially in a busy environment where many changes are made each week, or even day.

mr.e
Level 14

This reminds me of a pet peeve that I have... All too often, I find that the Ethernet ports are missing descriptions or the descriptions are vague. That makes it very hard for me to figure out whether or not the port should be monitored. For example, the NOC and the network teams do not want to be contacted if an access port loses connectivity, which makes sense. Yet, if the port is missing a label or its label is vague or confusing, it seems like I am playing Russian Roulette.

network_defender
Level 14

My biggest beef most places I have been is logs. We all keep them, but how often do we review them? I tend to be the only person who actually looks at the logs on a daily basis. Many of the most current breaches could have been much less disastrous if the logs had only been reviewed on a regular (daily) basis.

clubjuggle
Level 13

This is an excellent list. I would add that in addition to engineer training, end-user training is critical as well. A well-designed training program can make information security accessible and understandable, and build a culture that is supportive of security.

Vegaskid
Level 9

Oh yes, ports definitely need succinct descriptions in the config. It shows up in so many useful commands that it's critical. I like to state the device and port details of the other end of a link on a port description and vice versa so both sides know what is at the other end.
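A small audit script, added here as an illustration and not code from the thread or any of its posters, that applies the two points made above (every rule change should carry its reason or ticket reference, and every port description should name what sits at the far end) to constructed config snippets. The ticket-id format (CHG-1042) and the far-end-port convention (Gi1/0/24) are assumptions, not anything the thread prescribes.

```python
import re

# Constructed sample ruleset in iptables-save style (not from the thread).
RULESET = """\
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -m comment --comment "CHG-1042 admin ssh from corp" -j ACCEPT
-A INPUT -p tcp --dport 443 -m comment --comment "public web" -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -m comment --comment "CHG-0001 default deny" -j DROP
"""
# Constructed sample interface config in show-run style (not from the thread).
INTERFACES = """\
interface GigabitEthernet0/1
 description to core-sw1 Gi1/0/24
interface GigabitEthernet0/2
 description uplink
interface GigabitEthernet0/3
"""

# Assumed conventions: tickets look like CHG-1042; a good description names the far-end port (Gi1/0/24).
TICKET_RE = re.compile(r"\b[A-Z]{2,5}-\d+\b")
COMMENT_RE = re.compile(r'--comment\s+"([^"]*)"')
PORT_RE = re.compile(r"\S+\d+/\d+")

def audit_rules(text):
    """Flag rules that carry no comment, or a comment with no ticket reference."""
    findings = []
    for line in (l for l in text.splitlines() if l.startswith("-A ")):
        match = COMMENT_RE.search(line)
        if match is None:
            findings.append((line, "no comment"))
        elif not TICKET_RE.search(match.group(1)):
            findings.append((line, "comment has no ticket reference"))
    return findings

def audit_interfaces(text):
    """Flag interfaces with no description, or one that names no far-end port."""
    descriptions, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            descriptions[current] = None
        elif current and line.strip().startswith("description "):
            descriptions[current] = line.strip()[len("description "):]
    findings = []
    for name, desc in descriptions.items():
        if desc is None:
            findings.append((name, "no description"))
        elif not PORT_RE.search(desc):
            findings.append((name, "description names no far-end port"))
    return findings
```

Run against a real export of your own ruleset and interface config, the findings list is the set of changes that would be untraceable if the person who made them were unavailable.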

Vegaskid
Level 9

Great point network_defender. Some places don't collate them in any fashion, some have teams dedicated to reviewing them. Most fall in between. It's the false positives that tend to drive companies to turning the sensitivity dial down to the point where important logs are not being flagged up.

Vegaskid
Level 9

Thanks clubjuggle and good point. The training is a critical aspect of any company's InfoSec strategy. I cover it in a bit more detail in my next post.

jkump
Level 15

Excellent point. We do all this logging and monitoring, but who actually analyzes what is being captured? I, like you, do read the logs daily looking for anything out of the ordinary. We are in the process of implementing a SIEM to do the heavy analytics for us, but each day those reports are reviewed and any offenses are investigated immediately. Most things are normal, but you do find something every now and then.

Vegaskid
Level 9

A good SIEM can apply a good amount of intelligence to your logs. I've not got a massive amount of experience with them, but I know they range in usability from plug and play with a few tweaks to 'can we hire another two engineers to keep this thing running?'.

clubjuggle
Level 13

Excellent! I'm looking forward to reading it.

goodzhere
Level 14

Our approach is as good as the money we get to throw at it. We are pretty good with security, but funding has definitely limited what we can do.

Vegaskid
Level 9

That's an important point too goodzhere. There are lots of open source and free solutions out there, but I find lots of them to be a bit clunky or limited in some way, e.g. the free version of Splunk, meaning you have to have deep pockets, especially if you want a suite of products utilising a single pane of glass rather than a load of disparate systems.

rschroeder
Level 21

I'm looking forward to my organization doing training about Social Engineering as a vulnerability, including casual conversations, thumb drive scattering, and e-mail phishing tests. PHI is a concern where I work; not enough is done to ensure folks have great habits instead of being polite & accommodating, and thus letting a stranger with a clipboard and an ID badge on a lanyard into a (formerly) secure area.

steamfoundry
Level 9

Thanks for this. Saving this to my notepad for the next time management needs it re-explained why we need everything, not just to buy a shiny tool a vendor showed them.

rschroeder
Level 21

It occurs to me that we all might be missing a basic and powerful option. "A good defense is a strong offense." What are we doing to reduce the attacks at the source?

Yes, that dives right off the edge into the political/religious realm, but we've all got hammers (firewalls, AV, security policies), so everything looks like a nail to us, to be hammered down.

Suppose we all spent a tiny percent on improving/educating ethics and morals in a new generation.  That ounce of prevention results in fewer attacks, fewer viruses being written etc.

I don't think it can't be on the table for discussion, but it's far above most of our pay grades to make that decision at a corporate level.  It requires a short-term view towards altruism, with a long-term benefit that's immense.