As the security industry struggles with the precision and persistence of targeted attacks, the recommended best-practice talisman wielded by many an expert is the idea of "layered security" or "defense-in-depth." Generally, the practice is described as setting up multiple layers of protection similar to chain mail going underneath a suit of armor. If one piece of protection misses one threat, another will block it instead.
Unfortunately, even with many millions of dollars worth of layers at play, defense-in-depth often doesn't work nearly that cleanly.
"Layered security is good. It gets security products into your machine, but it doesn't necessarily mean you're secure or any better off," says Rahul Kashyap, chief security architect at Bromium. "You have to look at it from an architectural point of view. For example, if every layer in your defense is using signatures, then you have the same architectural weaknesses, fundamentally."
As he explains, an organization that has antivirus and then IDS/IPS technically is employing defense-in-depth. But attackers can easily beat both systems using similar methods.
According to analysts Bob Walder and Chris Morales in a brief last month from NSS Labs, defense-in-depth depends on two flawed assumptions. One is the outmoded assumption that there is an inside and an outside of the corporate network, something very rarely true in today's cloud- and mobile-driven business world. The second is the assumed magnification of security for every layer of security added, often calculated by multiplying the failure rates of products.
"For example, if an organization’s IPS allowed one attack in 100, and its NGFW allowed one attack in 100, then the combination of these products should allow only one attack in 10,000 (0.01 x 0.01)," the report explains. "However, NSS Research has determined that this calculation significantly overestimates the level of protection achieved by defense in depth, because there is strong correlation in the threats that pass through existing classes of products."
In a research project Bromium conducted and presented earlier in the year, Kashyap demonstrated how even with seven layers of endpoint defenses in place, a motivated attacker could still break through with a single exploit, given the right tweaks. He called the talk "LOL (Layers on Layers) Security" for what hackers are doing with most enterprises that rest on the peace of mind that they're practicing defense-in-depth.
"Basically, I took a public, known root kit and then kept tweaking the exploit until I was able to bypass every layer of defense," he says. "The point I'm trying to make here in talking about architecture and layers is that everything you have on the endpoint depends on the integrity of the kernel. Compromise the kernel and it is game over."
And this principle isn't only true for endpoint layers; there are similar Achilles' heels in the way enterprises layer network defenses. That’s not to say that these defenses don't work well. According to NSS Labs, they'll usually stop about 98 percent of threats. But the real risk lies in the two percent of risks that break through, which is why Walder and Morales recommend that organizations think of their arsenal of security products less as layers of protection and more as tools for out-maneuvering the bad guys.
"Rather, it should be viewed as a means of maneuvering the adversary into attacking a target of choice and then proactively managing the impact, as well as reducing actual network penetrations to a level that can be managed by remediation and response teams."