Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:00 AM
Connect Directly

When Layers On Layers Of Security Equals LOL Security

Defense-in-depth is often poorly executed when architecture is not carefully considered.

As the security industry struggles with the precision and persistence of targeted attacks, the recommended best-practice talisman wielded by many an expert is the idea of "layered security" or "defense-in-depth." Generally, the practice is described as setting up multiple layers of protection similar to chain mail going underneath a suit of armor. If one piece of protection misses one threat, another will block it instead.

Unfortunately, even with many millions of dollars worth of layers at play, defense-in-depth often doesn't work nearly that cleanly.

"Layered security is good. It gets security products into your machine, but it doesn't necessarily mean you're secure or any better off," says Rahul Kashyap, chief security architect at Bromium. "You have to look at it from an architectural point of view. For example, if every layer in your defense is using signatures, then you have the same architectural weaknesses, fundamentally."

As he explains, an organization that has antivirus and then IDS/IPS technically is employing defense-in-depth. But attackers can easily beat both systems using similar methods.

According to analysts Bob Walder and Chris Morales in a brief last month from NSS Labs, defense-in-depth depends on two flawed assumptions. One is the outmoded assumption that there is an inside and an outside of the corporate network, something very rarely true in today's cloud- and mobile-driven business world. The second is the assumed magnification of security for every layer of security added, often calculated by multiplying the failure rates of products.

"For example, if an organization’s IPS allowed one attack in 100, and its NGFW allowed one attack in 100, then the combination of these products should allow only one attack in 10,000 (0.01 x 0.01)," the report explains. "However, NSS Research has determined that this calculation significantly overestimates the level of protection achieved by defense in depth, because there is strong correlation in the threats that pass through existing classes of products."

In a research project Bromium conducted and presented earlier in the year, Kashyap demonstrated how even with seven layers of endpoint defenses in place, a motivated attacker could still break through with a single exploit, given the right tweaks. He called the talk "LOL (Layers on Layers) Security" for what hackers are doing with most enterprises that rest on the peace of mind that they're practicing defense-in-depth.

"Basically, I took a public, known root kit and then kept tweaking the exploit until I was able to bypass every layer of defense," he says. "The point I'm trying to make here in talking about architecture and layers is that everything you have on the endpoint depends on the integrity of the kernel. Compromise the kernel and it is game over."

And this principle isn't only true for endpoint layers; there are similar Achilles' heels in the way enterprises layer network defenses. That’s not to say that these defenses don't work well. According to NSS Labs, they'll usually stop about 98 percent of threats. But the real risk lies in the two percent of risks that break through, which is why Walder and Morales recommend that organizations think of their arsenal of security products less as layers of protection and more as tools for out-maneuvering the bad guys.

"Rather, it should be viewed as a means of maneuvering the adversary into attacking a target of choice and then proactively managing the impact, as well as reducing actual network penetrations to a level that can be managed by remediation and response teams."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/29/2014 | 11:42:04 AM
Re: Solution?
I think a correlation of all of those things is a step in the right direction. Unfortunately, to your last comment involving the enforcement of certain protections, many corporations don't start implementing more stringent security capabilities until their burnt so to speak. However, reactive this may be, this is the case with many of the organzations involved in recent breaches.

As Information Security professionals, we need to make it one of the highest priorities to display value in proactive management instead of reactive management. Only then will we even be close to staying ahead of the game.
User Rank: Strategist
9/29/2014 | 11:21:27 AM
So, does infosec just need better layers? Updated understanding and training of security practices? Or (ugh) compliance/regulation to enforce certain protections?
Otherwise, I'm missing the alternative or secondary path to protect enterprise data.
User Rank: Ninja
9/29/2014 | 9:26:34 AM
Layered Approach
The last snippet sounds like honeypot functionality which I am not entirely certain is the best approach. There are many interesting points made in this article.

I saw McAfee has a type of deterrant program to protect against rootkit if all your systems are an i5 or higher. Which I think in this article would be deemed pretty useful. It seems that in the layered approach consistency is the downfall. I think the point here is evolution. Antivirus and other security layers need to evolve with threats similar to how an IPS uses anomalies to determine if new traffic should be blocked or not. Older technologies that ues the same logic tend to be exploited specifically because they have been out for such a long time and can be tested against. Not to say that AV has not changed but in its core architecture, it models very closely in its procedures to older AV's.

I know this article provides a different perpsective to Defense in Depth but how does the dark reading community feel about UTM? Does this fall into the layered approach due to its all in one housing or does incorporating layers into a cohesive process alleviate some of the woes provided in layered security?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Incorrect Access Control via the Login Panel, http://<site>/lms/admin.php.
PUBLISHED: 2020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Insecure Permissions via Books > New Book , http://<site>/lms/index.php?page=books.
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway 4.17.1 through 4.17.6 does not check the file type when bulk importing new contacts ("Import Contacts" functionality) from a file. It is possible to upload an executable or .bat file that can be executed with the help of a functionality (E.g. the "Application Star...
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 allows SSRF via SMS WCF or RSS To SMS.
PUBLISHED: 2020-09-22
Ozeki NG SMS Gateway through 4.17.6 has multiple authenticated stored and/or reflected XSS vulnerabilities via the (1) Receiver or Recipient field in the Mailbox feature, (2) OZFORM_GROUPNAME field in the Group configuration of addresses, (3) listname field in the Defining address lists configuratio...