Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:00 AM
Connect Directly

When Layers On Layers Of Security Equals LOL Security

Defense-in-depth is often poorly executed when architecture is not carefully considered.

As the security industry struggles with the precision and persistence of targeted attacks, the recommended best-practice talisman wielded by many an expert is the idea of "layered security" or "defense-in-depth." Generally, the practice is described as setting up multiple layers of protection similar to chain mail going underneath a suit of armor. If one piece of protection misses one threat, another will block it instead.

Unfortunately, even with many millions of dollars worth of layers at play, defense-in-depth often doesn't work nearly that cleanly.

"Layered security is good. It gets security products into your machine, but it doesn't necessarily mean you're secure or any better off," says Rahul Kashyap, chief security architect at Bromium. "You have to look at it from an architectural point of view. For example, if every layer in your defense is using signatures, then you have the same architectural weaknesses, fundamentally."

As he explains, an organization that has antivirus and then IDS/IPS technically is employing defense-in-depth. But attackers can easily beat both systems using similar methods.

According to analysts Bob Walder and Chris Morales in a brief last month from NSS Labs, defense-in-depth depends on two flawed assumptions. One is the outmoded assumption that there is an inside and an outside of the corporate network, something very rarely true in today's cloud- and mobile-driven business world. The second is the assumed magnification of security for every layer of security added, often calculated by multiplying the failure rates of products.

"For example, if an organization’s IPS allowed one attack in 100, and its NGFW allowed one attack in 100, then the combination of these products should allow only one attack in 10,000 (0.01 x 0.01)," the report explains. "However, NSS Research has determined that this calculation significantly overestimates the level of protection achieved by defense in depth, because there is strong correlation in the threats that pass through existing classes of products."

In a research project Bromium conducted and presented earlier in the year, Kashyap demonstrated how even with seven layers of endpoint defenses in place, a motivated attacker could still break through with a single exploit, given the right tweaks. He called the talk "LOL (Layers on Layers) Security" for what hackers are doing with most enterprises that rest on the peace of mind that they're practicing defense-in-depth.

"Basically, I took a public, known root kit and then kept tweaking the exploit until I was able to bypass every layer of defense," he says. "The point I'm trying to make here in talking about architecture and layers is that everything you have on the endpoint depends on the integrity of the kernel. Compromise the kernel and it is game over."

And this principle isn't only true for endpoint layers; there are similar Achilles' heels in the way enterprises layer network defenses. That’s not to say that these defenses don't work well. According to NSS Labs, they'll usually stop about 98 percent of threats. But the real risk lies in the two percent of risks that break through, which is why Walder and Morales recommend that organizations think of their arsenal of security products less as layers of protection and more as tools for out-maneuvering the bad guys.

"Rather, it should be viewed as a means of maneuvering the adversary into attacking a target of choice and then proactively managing the impact, as well as reducing actual network penetrations to a level that can be managed by remediation and response teams."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/29/2014 | 11:42:04 AM
Re: Solution?
I think a correlation of all of those things is a step in the right direction. Unfortunately, to your last comment involving the enforcement of certain protections, many corporations don't start implementing more stringent security capabilities until their burnt so to speak. However, reactive this may be, this is the case with many of the organzations involved in recent breaches.

As Information Security professionals, we need to make it one of the highest priorities to display value in proactive management instead of reactive management. Only then will we even be close to staying ahead of the game.
User Rank: Strategist
9/29/2014 | 11:21:27 AM
So, does infosec just need better layers? Updated understanding and training of security practices? Or (ugh) compliance/regulation to enforce certain protections?
Otherwise, I'm missing the alternative or secondary path to protect enterprise data.
User Rank: Ninja
9/29/2014 | 9:26:34 AM
Layered Approach
The last snippet sounds like honeypot functionality which I am not entirely certain is the best approach. There are many interesting points made in this article.

I saw McAfee has a type of deterrant program to protect against rootkit if all your systems are an i5 or higher. Which I think in this article would be deemed pretty useful. It seems that in the layered approach consistency is the downfall. I think the point here is evolution. Antivirus and other security layers need to evolve with threats similar to how an IPS uses anomalies to determine if new traffic should be blocked or not. Older technologies that ues the same logic tend to be exploited specifically because they have been out for such a long time and can be tested against. Not to say that AV has not changed but in its core architecture, it models very closely in its procedures to older AV's.

I know this article provides a different perpsective to Defense in Depth but how does the dark reading community feel about UTM? Does this fall into the layered approach due to its all in one housing or does incorporating layers into a cohesive process alleviate some of the woes provided in layered security?
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
An issue was discovered in MDaemon before 20.0.4. There is Reflected XSS in Webmail (aka WorldClient). It can be exploited via a GET request. It allows performing any action with the privileges of the attacked user.
PUBLISHED: 2021-04-14
An issue was discovered in MDaemon before 20.0.4. Remote Administration allows an attacker to perform a fixation of the anti-CSRF token. In order to exploit this issue, the user has to click on a malicious URL provided by the attacker and successfully authenticate into the application. Having the va...
PUBLISHED: 2021-04-14
An issue was discovered in MDaemon before 20.0.4. There is an IFRAME injection vulnerability in Webmail (aka WorldClient). It can be exploited via an email message. It allows an attacker to perform any action with the privileges of the attacked user.
PUBLISHED: 2021-04-14
An issue was discovered in MDaemon before 20.0.4. Administrators can use Remote Administration to exploit an Arbitrary File Write vulnerability. An attacker is able to create new files in any location of the filesystem, or he may be able to modify existing files. This vulnerability may directly lead...
PUBLISHED: 2021-04-14
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details.