For years, IT security has been a "one problem, one solution" proposition. We needed a way to verify that users are who they say they are, so we invented authentication. We needed to stop viruses, so we invented antivirus technology. Intrusion prevention systems, Web application firewalls, data leak prevention -- almost all of our security technologies were created to protect the enterprise from one specific threat.
During those years, the conventional wisdom has been that by essentially buying all of these products -- a concept known as "layering" or "defense in depth" -- the enterprise could create a sort of cyber obstacle course that would make penetration all but impossible. Like the Maginot Line of World War I, all of these tools become a web of walls and trenches that snag attackers -- if one of these obstacles doesn't stop them, the next one will. The digital issue you are reading now recommends a layered set of defenses for endpoint security.
The layered approach sounds good, but recently I've begun to wonder how effective it really is. Security experts have been recommending defense-in-depth strategies for years, yet recent data from the Verizon Data Breach Report and the Ponemon Institute's Cost of a Data Breach study suggests that enterprises are suffering more breaches, at a higher cost, than ever before. If we have newer, better tools than ever before, how can this trend still be climbing?
A big part of the problem is in the technologies that enterprises choose to layer, says Vinnie Liu, managing partner at security consulting firm Stach & Liu, which does security assessments for scores of large enterprises. In those assessments, Liu finds that companies frequently buy many technologies that do essentially the same thing, such as signature-based tools that blacklist known attacks. Antivirus technology, intrusion prevention, even some behavior-based scanning tools -- they all require the product to know about a threat before they can effectively stop it.
"It's like putting on an overcoat, and then another, and another," Liu says. "If you don't wear any pants, you're still going to be cold."
If they want to stop attackers, enterprises would be better off approaching security as an architecture, rather than as a layer cake that just gets taller and taller, according to Liu and other new thinkers. When you design a building, you first consider all of the functions you need, and all of the potential threats, and then you create a master plan. You're not just adding wall after wall -- you're designing a broad set of capabilities that enable end users to do what they need to do with the data safely. A secure architecture means not just walls, but safe windows, doors, alarm systems, and other functions that align with what the building is used for.
Maybe it's time that we rethink the conventional wisdom about security "layering" and ask enterprises to think more intelligently and strategically about how they integrate today's defense technologies. Maybe it's time to build a defense that's not just complex, but smart as well.
Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.