Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Building An Effective Security Architecture: No Piece Of Cake
Newest First  |  Oldest First  |  Threaded View
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
6/20/2013 | 8:32:38 AM
re: Building An Effective Security Architecture: No Piece Of Cake
Indeed, a one and done approach is not enough. Developing a training program to match your organizationGs goals is needed. Also, meeting compliance requirements is not enough, there should be a change in culture. We also discussed about this topic on our company blog. Here is the link for all those interested: http://blog.securityinnovation...
MichaelHyatt_
50%
50%
MichaelHyatt_,
User Rank: Apprentice
6/6/2013 | 5:09:38 PM
re: Building An Effective Security Architecture: No Piece Of Cake
NAC is still mechanistic - the idea is to move from static solutions that depend on signatures and policies to intelligent solutions that can identify suspicious activities and behaviors from the network layer up through the applications and transactions...
MikeH5858
50%
50%
MikeH5858,
User Rank: Apprentice
6/5/2013 | 8:28:03 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Doesn't this real-time detection/protection you describe already exist with NAC?
MichaelHyatt_
50%
50%
MichaelHyatt_,
User Rank: Apprentice
6/5/2013 | 6:37:08 PM
re: Building An Effective Security Architecture: No Piece Of Cake
The whole idea of DiD is to stop the known attacks. This is something your security stack MUST be capable of doing under any circumstances. However, that does not complete the stack, nor secure the network. That is the prevention part. In order to secure the network we also need a detection part. That requires integration of the data gathered by all the tools in place, and effective real-time analysis of that data.

Incremental hardening of the perimeter yields diminishing returns - at some point we have to accept that some attacks are going to succeed, and we have to be able to detect them in real time in order to keep them from becoming catastrophic.
scooterx8250
50%
50%
scooterx8250,
User Rank: Strategist
6/4/2013 | 8:02:02 PM
re: Building An Effective Security Architecture: No Piece Of Cake
What a load of apples and oranges!

Security architecture and 'defence in depth' are not mutually exclusive. In an architectural context it is valid to use 'defence in depth' when referring to the safeguards deployed within 'domains' (technology, operations, policy, governance, assurance, design) to protect assets from a particular category of compromise.

While I agree with the relevant portions of the ultimate paragraph in the article that advocate intelligence and strategy to be employed, the real challenge is to effectively advocate an architectural approach to enterprise management.
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
6/4/2013 | 7:57:37 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Agree with both of your points -- I should have said Maginot Line *after* WWI, but appreciate your liking the analogy. :) With regard to DiD and layering, my goal was not to invalidate the concept -- which is theoretically practical -- but to get readers to rethink the *practices*, which these days often involve layering in the same place over and over again, while leaving some gaps completely uncovered. Thanks for the input!
--Tim Wilson, editor, Dark Reading
Mister Pink
50%
50%
Mister Pink,
User Rank: Apprentice
6/4/2013 | 6:19:17 AM
re: Building An Effective Security Architecture: No Piece Of Cake
Sorry to sound like a pedant, but there was no the Maginot Line in World War I - it was built after WW1 with a view to preventing WW2, and was an abject failure, as those pesky Germans just drove around it through Belgium! (So in this respect your analogy is good)

More to the point, your summation that 'defence in depth' is simply a pokemon inspired collection of all the different products out there is not really fair.

Defence in depth is more about the layering of controls, some of those might take the form of magical pizza box appliances sure, but the important part is the things like policies, encryption, training, monitoring, separation of duties, centralised logging, log checking, patching process, change management etc blah blah blah.

The confusion (and the key to the problem) is to do with the fact that this industry is lead by vendors who can't make money by selling advice, system integrators pretending to be consultants who are driven by sales of boxes rather than knowledge and customers who are simply plumbers who got architect in their job title because it was cheaper than giving them pay rise. - On and let's not forget the fact that clowns like JLUIGGIJ1G are given students, even though they are still waffling on about 'The Perimiter' in 2013!!
JLUIGGIJ1G
50%
50%
JLUIGGIJ1G,
User Rank: Apprentice
6/3/2013 | 9:27:44 PM
re: Building An Effective Security Architecture: No Piece Of Cake
Hi,

When i speak about security with my students, the first thing I talk about is to understand the perimeter (I mean the whole architecture) we have to manage.

The "layering" is used but within the architecture, the latter drives the former.

Regards.


Commentary
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
Edge-DRsplash-10-edge-articles
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21554
PUBLISHED: 2021-06-14
Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and, Dell Precision 7920 Rack Workstation BIOS contain a stack-based buffer overflow vulnerability in systems with Intel Optane DC Persistent Memory installed. A local malicious user with high privileges may potentially exploit t...
CVE-2021-21555
PUBLISHED: 2021-06-14
Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and T640 Server BIOS contain a heap-based buffer overflow vulnerability in systems with NVDIMM-N installed. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of Service, a...
CVE-2021-21556
PUBLISHED: 2021-06-14
Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and T640 Server BIOS contain a stack-based buffer overflow vulnerability in systems with NVDIMM-N installed. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of Service, ...
CVE-2021-21557
PUBLISHED: 2021-06-14
Dell PowerEdge Server BIOS and select Dell Precision Rack BIOS contain an out-of-bounds array access vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability, leading to a denial of service, arbitrary code execution, or information disclosure in System Ma...
CVE-2021-32682
PUBLISHED: 2021-06-14
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration...