Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Building An Effective Security Architecture: No Piece Of Cake
Newest First  |  Oldest First  |  Threaded View
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
6/20/2013 | 8:32:38 AM
re: Building An Effective Security Architecture: No Piece Of Cake
Indeed, a one and done approach is not enough. Developing a training program to match your organizationGs goals is needed. Also, meeting compliance requirements is not enough, there should be a change in culture. We also discussed about this topic on our company blog. Here is the link for all those interested: http://blog.securityinnovation...
MichaelHyatt_
50%
50%
MichaelHyatt_,
User Rank: Apprentice
6/6/2013 | 5:09:38 PM
re: Building An Effective Security Architecture: No Piece Of Cake
NAC is still mechanistic - the idea is to move from static solutions that depend on signatures and policies to intelligent solutions that can identify suspicious activities and behaviors from the network layer up through the applications and transactions...
MikeH5858
50%
50%
MikeH5858,
User Rank: Apprentice
6/5/2013 | 8:28:03 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Doesn't this real-time detection/protection you describe already exist with NAC?
MichaelHyatt_
50%
50%
MichaelHyatt_,
User Rank: Apprentice
6/5/2013 | 6:37:08 PM
re: Building An Effective Security Architecture: No Piece Of Cake
The whole idea of DiD is to stop the known attacks. This is something your security stack MUST be capable of doing under any circumstances. However, that does not complete the stack, nor secure the network. That is the prevention part. In order to secure the network we also need a detection part. That requires integration of the data gathered by all the tools in place, and effective real-time analysis of that data.

Incremental hardening of the perimeter yields diminishing returns - at some point we have to accept that some attacks are going to succeed, and we have to be able to detect them in real time in order to keep them from becoming catastrophic.
scooterx8250
50%
50%
scooterx8250,
User Rank: Strategist
6/4/2013 | 8:02:02 PM
re: Building An Effective Security Architecture: No Piece Of Cake
What a load of apples and oranges!

Security architecture and 'defence in depth' are not mutually exclusive. In an architectural context it is valid to use 'defence in depth' when referring to the safeguards deployed within 'domains' (technology, operations, policy, governance, assurance, design) to protect assets from a particular category of compromise.

While I agree with the relevant portions of the ultimate paragraph in the article that advocate intelligence and strategy to be employed, the real challenge is to effectively advocate an architectural approach to enterprise management.
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
6/4/2013 | 7:57:37 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Agree with both of your points -- I should have said Maginot Line *after* WWI, but appreciate your liking the analogy. :) With regard to DiD and layering, my goal was not to invalidate the concept -- which is theoretically practical -- but to get readers to rethink the *practices*, which these days often involve layering in the same place over and over again, while leaving some gaps completely uncovered. Thanks for the input!
--Tim Wilson, editor, Dark Reading
Mister Pink
50%
50%
Mister Pink,
User Rank: Apprentice
6/4/2013 | 6:19:17 AM
re: Building An Effective Security Architecture: No Piece Of Cake
Sorry to sound like a pedant, but there was no the Maginot Line in World War I - it was built after WW1 with a view to preventing WW2, and was an abject failure, as those pesky Germans just drove around it through Belgium! (So in this respect your analogy is good)

More to the point, your summation that 'defence in depth' is simply a pokemon inspired collection of all the different products out there is not really fair.

Defence in depth is more about the layering of controls, some of those might take the form of magical pizza box appliances sure, but the important part is the things like policies, encryption, training, monitoring, separation of duties, centralised logging, log checking, patching process, change management etc blah blah blah.

The confusion (and the key to the problem) is to do with the fact that this industry is lead by vendors who can't make money by selling advice, system integrators pretending to be consultants who are driven by sales of boxes rather than knowledge and customers who are simply plumbers who got architect in their job title because it was cheaper than giving them pay rise. - On and let's not forget the fact that clowns like JLUIGGIJ1G are given students, even though they are still waffling on about 'The Perimiter' in 2013!!
JLUIGGIJ1G
50%
50%
JLUIGGIJ1G,
User Rank: Apprentice
6/3/2013 | 9:27:44 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Hi,

When i speak about security with my students, the first thing I talk about is to understand the perimeter (I mean the whole architecture) we have to manage.

The "layering" is used but within the architecture, the latter drives the former.

Regards.


Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34812
PUBLISHED: 2021-06-18
Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2021-34808
PUBLISHED: 2021-06-18
Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors.
CVE-2021-34809
PUBLISHED: 2021-06-18
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
CVE-2021-34810
PUBLISHED: 2021-06-18
Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
CVE-2021-34811
PUBLISHED: 2021-06-18
Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to access intranet resources via unspecified vectors.