A Different View of Defense in Depth Applied
Defense in Depth is something everyone in security talks about. It is one of the first things a security professional will know and understand when they start down their journey to the dark side. And cyber security is the dark side of Information Technology: we are the professionals that say no to all the kids running around. Most of the time security professionals are the parents in a company. Other times, if the company has not matured in this realm, they are the red-headed stepchildren that no one wants to deal with. For those that are not familiar, Defense in Depth is simply a concept that applies layers of security controls across your network environment to accomplish the age-old sayings “be secure enough to discourage bad guys from attacking your network” or “build the walls just high enough”.
Looking at traditional images of Defense in Depth, they are all pretty much the same: a 2D picture that shows smaller circles in front of larger circles, or a rainbow-looking explanation. If you take this literally, it could read as: for the outermost perimeter, do I have a perimeter firewall installed? What about secure DMZs? I have them on my network, so the perimeter front is good. This is a misconception I have continually run into. Just because something is installed or present on your network does not mean you are secure. A lot of small/medium businesses (SMBs) really have this mindset. Don’t get me wrong, large enterprises probably do the same thing, but their cyber security posture is usually more mature than that of the SMBs I have seen.
I have witnessed environments where employees will purchase software, let’s say some form of anti-virus (AV) or anti-malware (AM). They install this software that they pay for annually onto their systems and that is it. They do not dive into the policy that the software enforces. They don’t check how often their AV/AM actually performs scans on devices. They don’t consider that software agents malfunction and can sit turned off for months on end.
So now, as security professionals, it is time to look at Defense in Depth a different way: more or less a layered approach inside a layered approach. Basically, look at each “level” of your defense in depth approach and which level of maturity you have reached in that particular area.
With that there are two categories to look at: Network Devices and Security Software.
Network Devices (Routers, switches, IPS/IDS, etc.)
Level 1: Device in Place – Are firewalls, IPS, etc. in place?
Level 2: Secure Configurations – Does your firewall have a deny-all rule at the end? Do routers still use Telnet? Securely configuring the devices is what makes having the device worthwhile in the first place. It fulfills the purpose of even investing in it.
Level 3: Actively Monitored – Does someone routinely log in and check the device? Look at logs? See who is accessing the device?
Level 4: Metrics Reported – Actively monitoring a device allows you to develop metrics. These metrics help justify business actions for security personnel. This is how you justify the money you spent on the device, or justify purchasing extra security measures.
Level 5: Constantly Re-evaluated – Do you periodically review the device purpose and configurations, and continue to make changes based on business need? This needs to be routinely reviewed, not on an ad hoc basis when someone wants something changed.
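As an added example of what the Level 2 and Level 5 questions above look like in practice (this is not code from the original post, and the one-line-per-rule syntax is a constructed, vendor-neutral format rather than any real firewall's export), the script below walks a firewall rule base and reports the things a reviewer would want to catch: no explicit deny-all at the end, permits for Telnet or FTP, any-to-any permits, and "temporary" exceptions whose agreed removal date has passed but that are still in the rule base.

```python
"""Firewall rule-base review covering the Level 2 (secure configuration)
and Level 5 (constant re-evaluation) questions.

Added example. The rule syntax is constructed for illustration:
    action proto src dst dport   # optional comment
It is not any vendor's real export format.
"""
import re
from datetime import date

# Constructed sample rule base, in evaluation order.
SAMPLE_RULES = """\
permit tcp any        10.0.1.10 443   # public web server
permit tcp 10.0.0.0/8 10.0.1.20 23    # legacy switch management
permit tcp any        10.0.1.30 3389  # vendor support, remove after 2023-11-30
permit tcp any        any       22    # exclusion carried over from old firewall vendor
permit udp any        10.0.1.40 53    # internal DNS
deny   ip  any        any       any   # explicit catch-all
"""

# Plaintext management protocols that should not be permitted at all.
INSECURE_SERVICES = {23: "Telnet", 21: "FTP"}
# Constructed convention for temporary exceptions: "remove after YYYY-MM-DD".
EXPIRY = re.compile(r"remove after (\d{4}-\d{2}-\d{2})")


def parse_rules(text):
    """Parse the constructed rule syntax into a list of dicts, one per rule, in order."""
    rules = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            continue
        action, proto, src, dst, dport = fields
        rules.append({
            "action": action, "proto": proto, "src": src, "dst": dst,
            "dport": None if dport == "any" else int(dport),
            "comment": comment.strip(),
        })
    return rules


def is_deny_all(rule):
    return (rule["action"] == "deny" and rule["src"] == "any"
            and rule["dst"] == "any" and rule["dport"] is None)


def review_rules(rules, today):
    """Return findings, each tagged with the maturity level it concerns."""
    findings = []
    if not rules or not is_deny_all(rules[-1]):
        findings.append("Level 2: rule base does not end with an explicit deny-all")
    for n, r in enumerate(rules, start=1):
        if r["action"] != "permit":
            continue
        if r["dport"] in INSECURE_SERVICES:
            findings.append(f"Level 2: rule {n} permits {INSECURE_SERVICES[r['dport']]} "
                            f"({r['proto']}/{r['dport']}) to {r['dst']}")
        if r["src"] == "any" and r["dst"] == "any":
            findings.append(f"Level 2: rule {n} permits any -> any on "
                            f"{r['proto']}/{r['dport']}; overly broad")
        m = EXPIRY.search(r["comment"])
        if m and date.fromisoformat(m.group(1)) < today:
            findings.append(f"Level 5: rule {n} was a temporary exception that "
                            f"expired {m.group(1)} and is still present")
    return findings


def audit(text, today_iso):
    """Convenience wrapper: parse and review in one call, with the review date as ISO text."""
    return review_rules(parse_rules(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, "2024-05-01"):
        print(finding)
```

Run against the constructed sample on 2024-05-01 it reports the Telnet permit, the any-to-any SSH permit and the expired vendor-access exception; the deny-all check passes because the last rule is the catch-all. The expiry convention is the part worth copying: a temporary exclusion that carries its own removal date can be audited by a script, while one that lives only in someone's memory is exactly the kind of rule that survives a vendor migration.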
Security Software (AV/AM, SIEM, MFA, etc.)
Level 1: Software in Place – Do you have a particular security software in place in your defense in depth approach?
Level 2: Policy Configurations – Are the policies that the software enforces tailored to your environment? Are alerts even configured? Are the alerts being sent to the appropriate people?
Level 3: Actively Monitored – Is the software actually being monitored? Are all devices checking in? Do you know if a software agent has stopped working on any device?
Level 4: Metrics Reported – Find metrics to report on in each software you have. This gives business justification for the current software as well as giving you ammo for future projects.
Level 5: Constantly Re-evaluated – Are you constantly reviewing the policy that the software is enforcing? Are you performing audits to ensure every device that requires the software agent has it?
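The Level 3, 4 and 5 questions for security software ("are all devices checking in?", "find metrics to report on", "does every device that requires the agent have it?") come down to comparing an inventory against what the agents actually report. Below is an added example of that comparison; it is not code from the original post or from any AV/AM vendor, and both the inventory and the check-in log lines are constructed samples in a made-up line format. It flags hosts whose agent is stale or erroring, hosts that never checked in at all, hosts reporting that are missing from the inventory, and produces a coverage percentage that can go straight into a metrics report.

```python
"""Agent check-in review for the Security Software list:
Level 3 (is every device checking in?), Level 4 (a coverage metric
to report) and Level 5 (does every device that needs the agent have it?).

Added example. The inventory and log lines are constructed samples and
the log format "<ISO timestamp> host=<name> status=<ok|error>" is made up.
"""
from datetime import datetime, timedelta

# Constructed: every device that is required to run the AV/AM agent.
REQUIRED_HOSTS = ["ws-01", "ws-02", "ws-03", "srv-file", "srv-db"]

# Constructed agent check-in log, as the management console might export it.
SAMPLE_LOG = """\
2024-05-01T07:55:10+00:00 host=ws-01 status=ok
2024-05-01T08:02:44+00:00 host=ws-02 status=ok
2024-04-12T09:15:00+00:00 host=ws-03 status=ok
2024-05-01T08:10:03+00:00 host=srv-file status=error
2024-05-01T08:11:30+00:00 host=lab-vm-9 status=ok
"""

# How long an agent may go without checking in before it is treated as stopped.
STALE_AFTER = timedelta(days=3)


def parse_checkins(text):
    """Return {host: (last_seen, last_status)}, keeping only the newest entry per host."""
    last = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.fromisoformat(ts_str)
        host = kv["host"]
        if host not in last or ts > last[host][0]:
            last[host] = (ts, kv.get("status", "unknown"))
    return last


def agent_report(required, checkins, now):
    """Compare inventory against check-ins; return findings and a coverage metric."""
    healthy, findings = [], []
    for host in required:
        if host not in checkins:
            findings.append(f"Level 5: {host} is required to run the agent "
                            f"but has never checked in")
            continue
        seen, status = checkins[host]
        age = now - seen
        if age > STALE_AFTER:
            findings.append(f"Level 3: {host} last checked in {age.days} days ago (stale)")
        elif status != "ok":
            findings.append(f"Level 3: {host} checked in with status={status}")
        else:
            healthy.append(host)
    # Agents reporting from hosts the inventory does not know about are an
    # inventory problem, which is a Level 5 (re-evaluation) finding.
    for host in sorted(set(checkins) - set(required)):
        findings.append(f"Level 5: {host} reports an agent but is not in the inventory")
    coverage = 100.0 * len(healthy) / len(required) if required else 0.0
    return {"coverage_pct": round(coverage, 1), "healthy": healthy, "findings": findings}


def run_report(required=REQUIRED_HOSTS, log=SAMPLE_LOG,
               now_iso="2024-05-01T09:00:00+00:00"):
    """Parse the log and build the report as of the given (ISO 8601) time."""
    return agent_report(required, parse_checkins(log), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    report = run_report()
    print(f"healthy agent coverage: {report['coverage_pct']}%")
    for finding in report["findings"]:
        print(finding)
```

On the constructed sample only two of the five required hosts have a healthy agent, so the coverage metric is 40%; ws-03 has not checked in for over two weeks, srv-file is reporting an error, srv-db has no agent at all, and lab-vm-9 is running an agent nobody put in the inventory. Tracking that coverage number week over week is the kind of simple metric the post is asking for: it shows whether agents are silently dying, and it gives a number to put in front of management rather than "the AV is installed".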
Both of these mention metrics. I will write up a separate article about showing security metrics to track and how to track them.
This seems pretty basic, but it is amazing how many security personnel forget the basics of security. Between companies I have worked for and other security professionals I have talked to, most companies sit around the level 2 and 3 range on both lists. The only metrics that are reported, if any, are metrics that serve a single purpose instead of benefiting the security professional. Most of the time in SMBs, metrics are not even tracked. Some companies have a 1- or 2-person IT shop and say they do not have time. Providing the right metrics can help sway management’s decision on some major projects. As far as constantly re-evaluating goes, some companies and security professionals never double-check their policies and configurations. You may move from one security vendor to another and your firewall still has 4 exclusions in it that don’t need to be there. Your AV may have been configured to not scan a certain folder while the IT team was troubleshooting a problem, and nobody ever removed that whitelisting rule.
The goal for us security professionals is not just to install or configure devices or software so we can say we have it. We came to the dark side because we have a passion for this. Let’s not continue to hurt ourselves by only doing half the work. I hope anyone that reads this enjoyed it, puts this process into play where you work, and betters your current environment.