Hmmm. Defense-in-Depth …where do we start? How about with the good old castle defence analogy?
David, Brian K., THE OBSERVER’S BOOK OF CASTLES, 1979: ‘Wall tower, barbican and gatehouse enabled the defenders of a castle to keep the enemy at a distance – so long as he remained above ground. The enemy below ground presented a greater problem. Undermining by tunnelling was, in the long run, the most effective way of bringing down a wall or tower. To combat this it was necessary to raise the natural water-table in the vicinity of the castle, so that any tunnel would automatically flood, drowning the miners. This was the original purpose of the castle moat. There were other advantages to be gained from it. A moat made it difficult for an attacker to bring ladders and wooden assault towers close to the castle walls. It provided a supply of water in case of fire. It could even be stocked with fish. But primarily it existed to discourage tunnelling.‘
Castles across the world, back in those days, can be seen as companies nowadays. Some castles carried more risks from attacks whether inherent, internal or external than others. Some castles had more available budgets and personnel than others.Defense-in-Depth when properly applied recognizes that defences need to be set up against external and internal risks, that they must respond to dynamic threats, and that defences must protect, detect, respond and recover.
If I was protecting a castle and had available security budgets then I would want physical controls such as moats and walls, intelligence such as who may attack and when, slick processes such as an effective whistle blowers system for suspicious insiders, paper log records of activity (e.g. visitors book) to be recorded and stored safely for auditing and post attack investigation, and two guards from different divisions required to open the wall gate to prevent a rogue one opening it for the enemy.
When thinking about defense-in-depth for IT Security, it can be very daunting to understand the real risks at different depths and tie that with available budgets and correctly articulate value from any given solution (because all vendors say you need their solution and give you their special pair of glasses when doing a proof of concept that shows their solution is indeed needed!).
Doing something hastily can also be as bad as doing nothing at all. For example, building a roof may be useless if the wall is too tall for any known missile to rise above.The finite resources used for the roof could have been used on a more effective control.
At CIPHER we intimately know about defense-in-depth. This is because Information Security is our passion. We are the modern day equivalent of a castle security historian that has their own castles. It is this passion that drives our business and provides us with true expertise.
We believe defense-in-depth for an organization should include some or all of these controls depending on the results of a risk assessment.
Which of these boxes do you have in place? You either have it in place, partially in place or need it.
Different businesses carry different risks resulting in different control requirements. A well-known company however big or small will have a greater risk of a DDOS attack compared to one that is not well known which is better off spending their available budget on a different control that addresses a greater risk to their organization.
CIPHER is more than happy to discuss these controls with you. We love talking about Information Security.
By Parthi Sankar – Principal Security Architect – CIPHER