There is no Onion - The Painful Reality of Defense in Depth

Wednesday, June 26, 2013

Rafal Los


Since I have been working in a security function (that’s roughly since 1998), the analogy of the “onion” has existed. The idea that security is a series of layers is somewhat of a given, and even today no one really questions its validity. Well, almost no one. There are some smart folks over at NSS Labs that recently did some testing. Dr. Stefan Frei published “Correlation of Detection Failures: The Challenge of Layered Security,” a report that you absolutely need to read. It may change the way you think about security, and if it doesn’t … why?


Imagine if you woke up tomorrow morning and it was conclusively proven that the layered onion model was proven to fail in several circumstances commonly deployed and used in today’s enterprise. That would sure explain much of the failure we’ve seen across enterprise breaches, wouldn’t it? As it turns out, when NSS labs tested 37 different security devices, none of them detected the entire breath of the exploits executed across them, and only 3 percent of the 606 total combinations yielded full detection. This means that the odds of you guessing the correct combination to protect you against the exploits being crafted against you are slim to none.


This brings me to a scary realization. Is the onion concept a complete lie? Is the notion of Defense in Depth a total failure?


Luckily, the answer is no. Defense in Depth is still helpful in circumstances where the enterprise security organization understands the defensive technologies being put into play, their capabilities and limitations as well as their true effectiveness. Reading this you’re probably thinking the same thing I am — you’re depending on luck, largely, to save your bacon. The odds aren’t good.


From where I sit, the entire analyst brief comes to a pointy head with this fact:


The number of exploits that were able to bypass multiple security devices, as well as the number of security devices that were bypassed by these exploits, is significantly higher than is the prediction for risk models that ignore correlation.


In other words — things are worse than we feared.


So without spoiling the excellent brief — which you should go read right now — here’s my conclusion: Don’t just haphazardly deploy multiple layers of defense; thinking that simply stacking technologies somehow makes them more effective. It doesn’t. Architecting a smart, layered security solution (with true Defense-in-Depth potential) means understanding the capabilities of your solutions;  the nature of your network traffic; the types of traffic endpoints, and even use-cases. This is not a game for the novice. The title of “Security Architect” carries tremendous responsibility. And I wonder how many architects of security solutions actually could reach a reasonable level of detection with their Defense in Depth strategies. Makes you wonder, what’s really getting through your defenses?


Maybe there should be a certification for security architects that involves a practical, hands-on exam where you’re asked to build a Defense-in-Depth strategy and then attacks are launched against your setup to see your detection/stop rate … I’m willing to bet the majority of us would fail.


Go grab the NSS report. Read it, think about it, and then rethink how you do defense. The real world is ugly, are you building defensible infrastructures?


Cross Posted from Following the Wh1t3 Rabbit 

Possibly Related Articles:
Firewalls IDS/IDP Network Access Control Network->General SCADA
Network Security Defense in Depth Layered Security
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.