Analytics | Commentary
Tim Wilson
6/3/2013 04:29 PM

Building An Effective Security Architecture: No Piece Of Cake

Enterprises need to put more thought, fewer products into their cyberdefense strategies

For years, IT security has been a "one problem, one solution" proposition. We needed a way to verify that users are who they say they are, so we invented authentication. We needed to stop viruses, so we invented antivirus technology. Intrusion prevention systems, Web application firewalls, data leak prevention -- almost all of our security technologies were created to protect the enterprise from one specific threat.

During those years, the conventional wisdom has been that by essentially buying all of these products -- a concept known as "layering" or "defense in depth" -- the enterprise could create a sort of cyberobstacle course that would make penetration all but impossible. Like the Maginot Line of World War I, all of these tools become a web of walls and trenches that snag attackers -- if one of these obstacles doesn't stop them, the next one would. The digital issue you are reading now recommends a layered set of defenses for endpoint security.

The layered approach sounds good, but recently I've begun to wonder how effective it really is. Security experts have been recommending defense-in-depth strategies for years, yet recent data from the Verizon Data Breach Report and the Ponemon Institute's Cost of a Data Breach study suggests that enterprises are suffering more breaches, at a higher cost, than ever before. If we have newer, better tools than ever before, how can this trend still be climbing?

A big part of the problem is in the technologies that enterprises choose to layer, says Vinnie Liu, managing partner at security consulting firm Stach & Liu, which does security assessments for scores of large enterprises. In those assessments, Liu finds that companies frequently buy many technologies that do essentially the same thing, such as signature-based tools that blacklist known attacks. Antivirus technology, intrusion prevention, even some behavior-based scanning tools -- they all require the product to know about a threat before they can effectively stop it.

"It's like putting on an overcoat, and then another, and another," Liu says. "If you don't wear any pants, you're still going to be cold."

If they want to stop attackers, enterprises would be better off approaching security as an architecture, rather than as a layer cake that just gets taller and taller, according to Liu and other new thinkers. When you design a building, you first consider all of the functions you need, and all of the potential threats, and then you create a master plan. You're not just adding wall after wall -- you're designing a broad set of capabilities that enable end users to do what they need to do with the data safely. A secure architecture means not just walls, but safe windows, doors, alarm systems, and other functions that align with what the building is used for.

Maybe it's time that we rethink the conventional wisdom about security "layering" and ask enterprises to think more intelligently and strategically about how they integrate today's defense technologies. Maybe it's time to build a defense that's not just complex, but smart as well.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments
MROBINSON000, User Rank: Apprentice
6/20/2013 | 8:32:38 AM
re: Building An Effective Security Architecture: No Piece Of Cake
Indeed, a one and done approach is not enough. Developing a training program to match your organization's goals is needed. Also, meeting compliance requirements is not enough; there should be a change in culture. We also discussed this topic on our company blog. Here is the link for all those interested: http://blog.securityinnovation...
MichaelHyatt_, User Rank: Apprentice
6/6/2013 | 5:09:38 PM
re: Building An Effective Security Architecture: No Piece Of Cake
NAC is still mechanistic - the idea is to move from static solutions that depend on signatures and policies to intelligent solutions that can identify suspicious activities and behaviors from the network layer up through the applications and transactions...
MikeH5858, User Rank: Apprentice
6/5/2013 | 8:28:03 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Doesn't this real-time detection/protection you describe already exist with NAC?
MichaelHyatt_, User Rank: Apprentice
6/5/2013 | 6:37:08 PM
re: Building An Effective Security Architecture: No Piece Of Cake
The whole idea of DiD is to stop the known attacks. This is something your security stack MUST be capable of doing under any circumstances. However, that does not complete the stack, nor secure the network. That is the prevention part. In order to secure the network we also need a detection part. That requires integration of the data gathered by all the tools in place, and effective real-time analysis of that data.

Incremental hardening of the perimeter yields diminishing returns - at some point we have to accept that some attacks are going to succeed, and we have to be able to detect them in real time in order to keep them from becoming catastrophic.
scooterx8250, User Rank: Apprentice
6/4/2013 | 8:02:02 PM
re: Building An Effective Security Architecture: No Piece Of Cake
What a load of apples and oranges!

Security architecture and 'defence in depth' are not mutually exclusive. In an architectural context it is valid to use 'defence in depth' when referring to the safeguards deployed within 'domains' (technology, operations, policy, governance, assurance, design) to protect assets from a particular category of compromise.

While I agree with the relevant portions of the ultimate paragraph in the article that advocate intelligence and strategy to be employed, the real challenge is to effectively advocate an architectural approach to enterprise management.
DarkReadingTim, User Rank: Strategist
6/4/2013 | 7:57:37 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Agree with both of your points -- I should have said Maginot Line *after* WWI, but appreciate your liking the analogy. :) With regard to DiD and layering, my goal was not to invalidate the concept -- which is theoretically practical -- but to get readers to rethink the *practices*, which these days often involve layering in the same place over and over again, while leaving some gaps completely uncovered. Thanks for the input!
--Tim Wilson, editor, Dark Reading
Mister Pink, User Rank: Apprentice
6/4/2013 | 6:19:17 AM
re: Building An Effective Security Architecture: No Piece Of Cake
Sorry to sound like a pedant, but there was no Maginot Line in World War I - it was built after WW1 with a view to preventing WW2, and was an abject failure, as those pesky Germans just drove around it through Belgium! (So in this respect your analogy is good)

More to the point, your summation that 'defence in depth' is simply a pokemon inspired collection of all the different products out there is not really fair.

Defence in depth is more about the layering of controls, some of those might take the form of magical pizza box appliances sure, but the important part is the things like policies, encryption, training, monitoring, separation of duties, centralised logging, log checking, patching process, change management etc blah blah blah.

The confusion (and the key to the problem) is to do with the fact that this industry is led by vendors who can't make money by selling advice, system integrators pretending to be consultants who are driven by sales of boxes rather than knowledge, and customers who are simply plumbers who got architect in their job title because it was cheaper than giving them a pay rise. - Oh, and let's not forget the fact that clowns like JLUIGGIJ1G are given students, even though they are still waffling on about 'The Perimeter' in 2013!!
JLUIGGIJ1G, User Rank: Apprentice
6/3/2013 | 9:27:44 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Hi,

When I speak about security with my students, the first thing I talk about is understanding the perimeter (I mean the whole architecture) we have to manage.

The "layering" is used but within the architecture, the latter drives the former.

Regards.