
Building An Effective Security Architecture: No Piece Of Cake

Enterprises need to put more thought, fewer products into their cyberdefense strategies

For years, IT security has been a "one problem, one solution" proposition. We needed a way to verify that users are who they say they are, so we invented authentication. We needed to stop viruses, so we invented antivirus technology. Intrusion prevention systems, Web application firewalls, data leak prevention -- almost all of our security technologies were created to protect the enterprise from one specific threat.

During those years, the conventional wisdom has been that by essentially buying all of these products -- a concept known as "layering" or "defense in depth" -- the enterprise could create a sort of cyberobstacle course that would make penetration all but impossible. Like the Maginot Line of World War I, all of these tools become a web of walls and trenches that snag attackers -- if one obstacle didn't stop them, the next one would. The digital issue you are reading now recommends a layered set of defenses for endpoint security.

The layered approach sounds good, but recently I've begun to wonder how effective it really is. Security experts have been recommending defense-in-depth strategies for years, yet recent data from the Verizon Data Breach Report and the Ponemon Institute's Cost of a Data Breach study suggests that enterprises are suffering more breaches, at a higher cost, than ever before. If we have newer, better tools than ever before, how can this trend still be climbing?

A big part of the problem is in the technologies that enterprises choose to layer, says Vinnie Liu, managing partner at security consulting firm Stach & Liu, which does security assessments for scores of large enterprises. In those assessments, Liu finds that companies frequently buy many technologies that do essentially the same thing, such as signature-based tools that blacklist known attacks. Antivirus technology, intrusion prevention, even some behavior-based scanning tools -- they all require the product to know about a threat before they can effectively stop it.

"It's like putting on an overcoat, and then another, and another," Liu says. "If you don't wear any pants, you're still going to be cold."

If they want to stop attackers, enterprises would be better off approaching security as an architecture, rather than as a layer cake that just gets taller and taller, according to Liu and other new thinkers. When you design a building, you first consider all of the functions you need and all of the potential threats, and then you create a master plan. You're not just adding wall after wall -- you're designing a broad set of capabilities that enable end users to do what they need to do with the data safely. A secure architecture means not just walls, but safe windows, doors, alarm systems, and other functions that align with what the building is used for.
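The "architecture, not layer cake" point can be checked against an actual control inventory: list each deployed control, the mechanism it relies on, and the threat categories it addresses, then look for threats that several controls cover in the same way and for threats nobody covers. The script below is an added example, not code from the article or from Stach & Liu; the controls, the mechanism labels and the threat categories are constructed for illustration and should be replaced with a real inventory.

```python
"""Control-coverage analysis for a security stack.

Added example (not part of the original article). The inventory below is
constructed: each control names the mechanism it depends on and the threat
categories it addresses. Two controls with the same mechanism covering the
same threat are "overcoat on overcoat": they tend to fail together, e.g.
both need a signature before they can stop an attack.
"""
from collections import defaultdict

# Constructed list of threat categories the enterprise wants covered.
THREATS = [
    "known_malware",
    "novel_malware",
    "credential_theft",
    "data_exfiltration",
    "web_app_exploit",
    "insider_misuse",
]

# Constructed inventory. "signature" means the control must already know the
# attack; the behaviour scanner is classed that way because its behaviour
# profiles are pre-defined by the vendor rather than learned on site.
CONTROLS = {
    "antivirus":        {"mechanism": "signature",  "covers": {"known_malware"}},
    "ips":              {"mechanism": "signature",  "covers": {"known_malware", "web_app_exploit"}},
    "waf":              {"mechanism": "signature",  "covers": {"web_app_exploit"}},
    "behavior_scanner": {"mechanism": "signature",  "covers": {"known_malware"}},
    "mfa":              {"mechanism": "preventive", "covers": {"credential_theft"}},
}


def coverage_matrix(controls, threats):
    """Map each threat category to the names of the controls that cover it."""
    matrix = {t: [] for t in threats}
    for name, spec in controls.items():
        for threat in spec["covers"]:
            if threat in matrix:
                matrix[threat].append(name)
    return matrix


def gaps(controls, threats):
    """Threat categories that no control addresses at all (the missing pants)."""
    matrix = coverage_matrix(controls, threats)
    return sorted(t for t, names in matrix.items() if not names)


def redundant_layers(controls, threats):
    """Threats covered by two or more controls sharing one mechanism.

    Returns {threat: {mechanism: [control, ...]}} for the duplicated cases only.
    """
    result = {}
    for threat, names in coverage_matrix(controls, threats).items():
        by_mechanism = defaultdict(list)
        for name in names:
            by_mechanism[controls[name]["mechanism"]].append(name)
        duplicates = {m: sorted(ns) for m, ns in by_mechanism.items() if len(ns) > 1}
        if duplicates:
            result[threat] = duplicates
    return result


def mechanism_diversity(controls, threats):
    """Distinct mechanisms per threat; 1 means every layer fails the same way."""
    matrix = coverage_matrix(controls, threats)
    return {t: len({controls[n]["mechanism"] for n in names}) for t, names in matrix.items()}


if __name__ == "__main__":
    print("Uncovered threats:", gaps(CONTROLS, THREATS))
    print("Same-mechanism layering:", redundant_layers(CONTROLS, THREATS))
    print("Mechanism diversity:", mechanism_diversity(CONTROLS, THREATS))
```

With the constructed inventory, three controls stack signature-based coverage on known malware while novel malware, exfiltration and insider misuse have no control at all; the diversity count is the quick way to see that no threat is covered by more than one kind of mechanism.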

Maybe it's time that we rethink the conventional wisdom about security "layering" and ask enterprises to think more intelligently and strategically about how they integrate today's defense technologies. Maybe it's time to build a defense that's not just complex, but smart as well.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments
MROBINSON000
User Rank: Apprentice
6/20/2013 | 8:32:38 AM
re: Building An Effective Security Architecture: No Piece Of Cake
Indeed, a one and done approach is not enough. Developing a training program to match your organization's goals is needed. Also, meeting compliance requirements is not enough, there should be a change in culture. We also discussed about this topic on our company blog. Here is the link for all those interested: http://blog.securityinnovation...
MichaelHyatt_
User Rank: Apprentice
6/6/2013 | 5:09:38 PM
re: Building An Effective Security Architecture: No Piece Of Cake
NAC is still mechanistic - the idea is to move from static solutions that depend on signatures and policies to intelligent solutions that can identify suspicious activities and behaviors from the network layer up through the applications and transactions...
MikeH5858
User Rank: Apprentice
6/5/2013 | 8:28:03 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Doesn't this real-time detection/protection you describe already exist with NAC?
MichaelHyatt_
User Rank: Apprentice
6/5/2013 | 6:37:08 PM
re: Building An Effective Security Architecture: No Piece Of Cake
The whole idea of DiD is to stop the known attacks. This is something your security stack MUST be capable of doing under any circumstances. However, that does not complete the stack, nor secure the network. That is the prevention part. In order to secure the network we also need a detection part. That requires integration of the data gathered by all the tools in place, and effective real-time analysis of that data.

Incremental hardening of the perimeter yields diminishing returns - at some point we have to accept that some attacks are going to succeed, and we have to be able to detect them in real time in order to keep them from becoming catastrophic.
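The detection half of the stack described in the comment above, integrating the data gathered by several tools and analysing it together, can be illustrated with a small correlation routine: each tool on its own only raises a weak signal, but the same host showing weak signals from several tools inside a short window is worth an alert. This is an added example and not the commenter's code; the three tools, the log lines, the user-to-host mapping and the thresholds are all constructed.

```python
"""Cross-tool correlation of weak signals.

Added example (not from the original page or comment). The log lines are
constructed to resemble three separate tools writing to a shared log:
a VPN concentrator, an endpoint agent ("edr") and a web proxy. Each line
on its own is routine; together they describe one host worth looking at.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events: alice's host shows three weak signals within
# a few minutes; bob and carol each produce one routine event.
RAW_EVENTS = [
    "2013-06-05T18:02:10 vpn user=alice src=203.0.113.7 result=success geo=unusual",
    "2013-06-05T18:04:30 edr host=ws-alice proc=powershell.exe parent=winword.exe",
    "2013-06-05T18:05:12 proxy host=ws-alice dest=example.invalid bytes_out=52000000",
    "2013-06-05T09:15:00 edr host=ws-bob proc=powershell.exe parent=explorer.exe",
    "2013-06-05T12:00:00 vpn user=carol src=198.51.100.4 result=success geo=usual",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<tool>\w+) (?P<kv>.*)$")

# Constructed identity mapping so VPN (user-keyed) and EDR/proxy (host-keyed)
# events can be joined on one entity. In practice this comes from an asset or
# directory source.
USER_TO_HOST = {"alice": "ws-alice", "bob": "ws-bob", "carol": "ws-carol"}


def weak_signal(tool, fields):
    """Per-tool 'interesting but not alert-worthy' conditions (constructed)."""
    if tool == "vpn":
        return fields.get("geo") == "unusual"
    if tool == "edr":
        return (fields.get("proc") == "powershell.exe"
                and fields.get("parent") != "explorer.exe")
    if tool == "proxy":
        return int(fields.get("bytes_out", "0")) > 10_000_000
    return False


def parse(line):
    """Turn one log line into a normalised event keyed on host; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    host = fields.get("host") or USER_TO_HOST.get(fields.get("user"))
    return {"ts": datetime.fromisoformat(m.group("ts")), "tool": m.group("tool"),
            "host": host, "fields": fields}


def correlate(lines, window=timedelta(minutes=10), min_tools=2):
    """Flag a host when weak signals from at least `min_tools` distinct tools
    land on it within `window`. Returns {host: sorted list of tool names}."""
    events = [e for e in map(parse, lines)
              if e and e["host"] and weak_signal(e["tool"], e["fields"])]
    events.sort(key=lambda e: e["ts"])
    flagged = {}
    for i, first in enumerate(events):
        tools = {first["tool"]}
        for later in events[i + 1:]:
            if later["ts"] - first["ts"] > window:
                break  # events are time-sorted, nothing further fits the window
            if later["host"] == first["host"]:
                tools.add(later["tool"])
        if len(tools) >= min_tools:
            flagged.setdefault(first["host"], set()).update(tools)
    return {host: sorted(tools) for host, tools in flagged.items()}


if __name__ == "__main__":
    for host, tools in correlate(RAW_EVENTS).items():
        print(f"ALERT {host}: weak signals from {', '.join(tools)}")
```

The routine deliberately keeps each tool's own rule loose: the value comes from the join on host and the time window, which is the integration step the comment asks for and which none of the individual products performs.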
scooterx8250
User Rank: Strategist
6/4/2013 | 8:02:02 PM
re: Building An Effective Security Architecture: No Piece Of Cake
What a load of apples and oranges!

Security architecture and 'defence in depth' are not mutually exclusive. In an architectural context it is valid to use 'defence in depth' when referring to the safeguards deployed within 'domains' (technology, operations, policy, governance, assurance, design) to protect assets from a particular category of compromise.

While I agree with the relevant portions of the ultimate paragraph in the article that advocate intelligence and strategy to be employed, the real challenge is to effectively advocate an architectural approach to enterprise management.
DarkReadingTim
User Rank: Strategist
6/4/2013 | 7:57:37 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Agree with both of your points -- I should have said Maginot Line *after* WWI, but appreciate your liking the analogy. :) With regard to DiD and layering, my goal was not to invalidate the concept -- which is theoretically practical -- but to get readers to rethink the *practices*, which these days often involve layering in the same place over and over again, while leaving some gaps completely uncovered. Thanks for the input!
--Tim Wilson, editor, Dark Reading
Mister Pink
User Rank: Apprentice
6/4/2013 | 6:19:17 AM
re: Building An Effective Security Architecture: No Piece Of Cake
Sorry to sound like a pedant, but there was no Maginot Line in World War I - it was built after WW1 with a view to preventing WW2, and was an abject failure, as those pesky Germans just drove around it through Belgium! (So in this respect your analogy is good)

More to the point, your summation that 'defence in depth' is simply a pokemon inspired collection of all the different products out there is not really fair.

Defence in depth is more about the layering of controls, some of those might take the form of magical pizza box appliances sure, but the important part is the things like policies, encryption, training, monitoring, separation of duties, centralised logging, log checking, patching process, change management etc blah blah blah.

The confusion (and the key to the problem) is to do with the fact that this industry is led by vendors who can't make money by selling advice, system integrators pretending to be consultants who are driven by sales of boxes rather than knowledge, and customers who are simply plumbers who got 'architect' in their job title because it was cheaper than giving them a pay rise. - Oh, and let's not forget the fact that clowns like JLUIGGIJ1G are given students, even though they are still waffling on about 'The Perimeter' in 2013!!
JLUIGGIJ1G
User Rank: Apprentice
6/3/2013 | 9:27:44 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Hi,

When I speak about security with my students, the first thing I talk about is to understand the perimeter (I mean the whole architecture) we have to manage.

The "layering" is used but within the architecture, the latter drives the former.

Regards.