Core Concepts: Defense in Depth

Defense in depth is becoming an increasingly popular concept in the IT security community today. However, it's frequently misapplied. Having a defense-in-depth strategy is about more than just tossing out multiple controls and defensive technologies. The essence of defense in depth pertains to how you position, or array, those defenses. To do a really good job of incorporating a defense-in-depth strategy, you need to have done a decent threat analysis in which you identify:

The defense-in-depth concept has been around for thousands of years, so I'll turn to the often-used example of a medieval castle to show what defense in depth is and is not. To clearly communicate the defense-in-depth concept, let's keep things simple and consider only one of the threat vectors a castle must defend against: a direct attack on its front entrance. A castle has multiple defenses arrayed against this threat vector. When those defenses are properly implemented, attackers must overcome each defense before being able to truly threaten the human, military, political, or material assets the castle is defending.

First, the attackers must withstand the barrage of arrows as they approach. Next, assuming the drawbridge is raised, the attackers must cross the moat and penetrate the gate created by the raised drawbridge. Then, the attackers must traverse a narrow canyon created by opposing walls and attempt to penetrate the inner gate while the castle defenders continue to harass the attackers.

This scenario is a good example of multiple layers of defense arrayed against a single threat vector. However, just having multiple defenses doesn't mean you have true defense in depth against specific vectors. For example, another threat vector that can be brought to bear on a castle is the undermining of its walls. A moat might be one defense against that threat but what if the attackers drain the moat? The castle hardly has achieved defense in depth without additional defenses, such as having deeply dug footings and having boiling tar ready to pour from the top of the castle walls.

In the IT world, no single defense is impenetrable and no information security strategy is complete without a defense-in-depth strategy. Implementing this strategy isn't simple for corporations defending their information assets. While castles have the luxury of only one entry point, corporations' business networks have multiple entry points (e.g., support connections with suppliers, service providers, and customers), making security more porous. Moreover, there are many more threat vectors now than there were just a few years ago. In the early 1990s, network security was basically a matter of defending against packet-level attacks, and firewalls were glorified routers. Now, internal resources can be compromised through buffer overflows, SQL injection, malicious Web pages, malicious active email content, wireless connections, phishing, and more.

In such a dynamic, complex threatscape, any control can be compromised given the right circumstances. Take, for example, antivirus software. A new attack vector might bypass the classic checks the way in which IM bypassed checks performed by antivirus software. A single PC that doesn't have the organization's antivirus software installed might be added to the network. A crucial virus signature update might come out late or might not get deployed to a branch office. The antivirus engine might fail to detect a virus, or a defective antivirus update might crash your antivirus software. All these events happen in the real world.

Have a Comprehensive Defense-in-Depth Strategy
In today's environment, it's more important than ever to position multiple controls against each risk. Continuing with the antivirus software example, let's look at how you can use a combination of controls to form a comprehensive defense-in-depth strategy against viruses and other malware.

For malware, your initial defense would consist of antivirus software positioned against the most commonly used vectors, or entry points, which are email, Web browsing, and IM. Thus, you would install antivirus technology on gateway SMTP servers that process the incoming email stream and install antivirus software on firewalls or inline devices that intercept the route that Web browsing and file downloads take. IM security is less mature than email and Web security solutions. Plus, the problem is a bit more complicated because of the proliferation of IM services and the fact that IM clients are designed to circumvent gateway controls. Nevertheless, there are solutions that let you herd internal and external IM messages through a single choke point at which you can implement antivirus technology in addition to other IM security functions.

But email, Web browsing, and IM aren't the only vectors through which malware propagates. For example, malware can propagate through removable media, such as floppies, CD-ROMs, and USB and flash drives. Malware can propagate when a user takes his laptop to Starbucks, uses the Wi-Fi network, gets whacked, then takes the laptop back to the office and plugs into the network, thereby bypassing the perimeter defenses. These are only a few ways malware can propagate. You can't hope to cover every possible route of propagation with vector-specific controls. Every organization ends up with shielded vectors and open vectors that don't have preventive controls.

What if malware makes it past your perimeter defenses through an unprotected vector or because a vector-specific control failed? This is where defense in depth comes into play. In medieval times, castle defenders were primarily concerned with 360 degrees of attack along the plane of the surrounding land. Although defensive controls began far outside the castle, they became stronger as you got closer to the center of the castle until you finally reached the castle keep, which was a castle within a castle. If you picture defensive controls as concentric circles around the point being defended, it becomes evident why this approach was used. The farther you move out from the point, the larger the circumference of the circles—and the larger the circumference, the more resources it takes to implement a defense that blocks all 360 degrees of attack.

The multiple virus defenses discussed so far provide breadth but no depth. For example, an infected file is challenged at most by only one of the antivirus controls, depending on the vector through which the file arrives. Although breadth is important, you can't hope to block every risk at the physical or logical perimeter of your network. Therefore, you block the easiest or most frequently exploited vectors of infection, then implement a deeper ring of controls.

Your second layer of defense can be a combination of detective, remedial, and additional preventive controls. An example of a detective control is inline file scanning. Many antivirus solutions provide this control by scanning files for viruses before applications are allowed to open those files. If the antivirus solutions also quarantine or repair files, the solution becomes a remedial control as well. If inline file scanning slows down users' systems or your processors too much, you might have to fall back to performing a regular scan of server and workstation volumes and other file stores during periods of low activity.

Other detective controls that you can implement range from the sophisticated to the simple, yet effective. On the sophisticated side, there are intrusion detection and prevention systems that monitor traffic on networks, looking for viruses and worms. However, such systems tend to be expensive and rely on a database of known attacks, which needs constant updates. In addition, packet analysis is subject to dropped packets and faulty reconstruction of data flows. On the simple side, you can set up honeypot folders of bait files that intentionally have lax file-modification permissions, then implement a process that catches modifications to these files. Because these files are simply bait, any attempt to modify them should be considered possible evidence of a malware outbreak.

You can also implement another layer of preventive controls by enabling host-based firewalls, making file-modification permissions as strict as possible, and eliminating or limiting access to shared folders. All such measures make it more difficult for a virus or worm to find additional files or systems to infect.

Assess Your Defenses
As you can see, defense in depth is an effective way to deal with the multivector, ever-changing risk environment we face with today's information systems. Make sure that your controls build depth as opposed to just breadth. Don't limit your perspective to the physical realm, thinking in terms of only physical network and system boundaries. Unlike a castle architect concerned with protecting a single point, you have multiple points to protect in the form of each computer, application, data store, and process. To verify that you have real defense in depth, you should be able to take a given threat and a given asset and find more than one control that protects that asset from the selected risk.