Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:00 AM
Connect Directly

When Layers On Layers Of Security Equals LOL Security

Defense-in-depth is often poorly executed when architecture is not carefully considered.

As the security industry struggles with the precision and persistence of targeted attacks, the recommended best-practice talisman wielded by many an expert is the idea of "layered security" or "defense-in-depth." Generally, the practice is described as setting up multiple layers of protection similar to chain mail going underneath a suit of armor. If one piece of protection misses one threat, another will block it instead.

Unfortunately, even with many millions of dollars worth of layers at play, defense-in-depth often doesn't work nearly that cleanly.

"Layered security is good. It gets security products into your machine, but it doesn't necessarily mean you're secure or any better off," says Rahul Kashyap, chief security architect at Bromium. "You have to look at it from an architectural point of view. For example, if every layer in your defense is using signatures, then you have the same architectural weaknesses, fundamentally."

As he explains, an organization that has antivirus and then IDS/IPS technically is employing defense-in-depth. But attackers can easily beat both systems using similar methods.

According to analysts Bob Walder and Chris Morales in a brief last month from NSS Labs, defense-in-depth depends on two flawed assumptions. One is the outmoded assumption that there is an inside and an outside of the corporate network, something very rarely true in today's cloud- and mobile-driven business world. The second is the assumed magnification of security for every layer of security added, often calculated by multiplying the failure rates of products.

"For example, if an organization’s IPS allowed one attack in 100, and its NGFW allowed one attack in 100, then the combination of these products should allow only one attack in 10,000 (0.01 x 0.01)," the report explains. "However, NSS Research has determined that this calculation significantly overestimates the level of protection achieved by defense in depth, because there is strong correlation in the threats that pass through existing classes of products."

In a research project Bromium conducted and presented earlier in the year, Kashyap demonstrated how even with seven layers of endpoint defenses in place, a motivated attacker could still break through with a single exploit, given the right tweaks. He called the talk "LOL (Layers on Layers) Security" for what hackers are doing with most enterprises that rest on the peace of mind that they're practicing defense-in-depth.

"Basically, I took a public, known root kit and then kept tweaking the exploit until I was able to bypass every layer of defense," he says. "The point I'm trying to make here in talking about architecture and layers is that everything you have on the endpoint depends on the integrity of the kernel. Compromise the kernel and it is game over."

And this principle isn't only true for endpoint layers; there are similar Achilles' heels in the way enterprises layer network defenses. That’s not to say that these defenses don't work well. According to NSS Labs, they'll usually stop about 98 percent of threats. But the real risk lies in the two percent of risks that break through, which is why Walder and Morales recommend that organizations think of their arsenal of security products less as layers of protection and more as tools for out-maneuvering the bad guys.

"Rather, it should be viewed as a means of maneuvering the adversary into attacking a target of choice and then proactively managing the impact, as well as reducing actual network penetrations to a level that can be managed by remediation and response teams."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/29/2014 | 11:42:04 AM
Re: Solution?
I think a correlation of all of those things is a step in the right direction. Unfortunately, to your last comment involving the enforcement of certain protections, many corporations don't start implementing more stringent security capabilities until their burnt so to speak. However, reactive this may be, this is the case with many of the organzations involved in recent breaches.

As Information Security professionals, we need to make it one of the highest priorities to display value in proactive management instead of reactive management. Only then will we even be close to staying ahead of the game.
User Rank: Strategist
9/29/2014 | 11:21:27 AM
So, does infosec just need better layers? Updated understanding and training of security practices? Or (ugh) compliance/regulation to enforce certain protections?
Otherwise, I'm missing the alternative or secondary path to protect enterprise data.
User Rank: Ninja
9/29/2014 | 9:26:34 AM
Layered Approach
The last snippet sounds like honeypot functionality which I am not entirely certain is the best approach. There are many interesting points made in this article.

I saw McAfee has a type of deterrant program to protect against rootkit if all your systems are an i5 or higher. Which I think in this article would be deemed pretty useful. It seems that in the layered approach consistency is the downfall. I think the point here is evolution. Antivirus and other security layers need to evolve with threats similar to how an IPS uses anomalies to determine if new traffic should be blocked or not. Older technologies that ues the same logic tend to be exploited specifically because they have been out for such a long time and can be tested against. Not to say that AV has not changed but in its core architecture, it models very closely in its procedures to older AV's.

I know this article provides a different perpsective to Defense in Depth but how does the dark reading community feel about UTM? Does this fall into the layered approach due to its all in one housing or does incorporating layers into a cohesive process alleviate some of the woes provided in layered security?
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-19
The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.
PUBLISHED: 2020-02-19
The STARTTLS implementation in MailMarshal before 7.2 allows plaintext command injection.
PUBLISHED: 2020-02-19
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
PUBLISHED: 2020-02-19
Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.
PUBLISHED: 2020-02-19
Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).