Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Explaining Defense in Depth SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Explaining Defense in Depth

Realizing That You Have a Problem

Once an organization reaches a certain size, you end up with a situation where separate groups are responsible for firewalls, IDS, anti-virus, etc.  Often these groups will not share a common chain of command.  Eventually, you may find yourself on a conference call similar to this (note, the names and protocols have been changed to protect the guilty.)

Alan the Intel Guy: “Based on law-enforcement’s reports, the group is using NFS to compromise systems.”
Betty from Vulnerability Assessment: “We’re scanning for running NFS daemons, I’ll shoot our report over to you.”
Alan: “Pat, do we have an IDS rule to detect NFS sessions crossing the perimeter?”
Pat, in IDS: “Let me check…”
Gene in management: “Shouldn’t the firewalls be blocking NFS?”

At this point Alan starts Googling for a LOLCat that says something like: “Defense in Depth: you’re doing it wrong.”

Illustrating the Problem to Technical People

Repeat after me:

“AV signatures are reactive”

“IDS signatures both false-positive AND false-negative”

“Your regularly-scheduled firewall maintenance doesn’t always go so regularly-scheduled.”

Putting it Into Terms Your Boss Can Understand

Earlier this week while I was piggybacking into the building behind a couple of co-workers, I overheard a bit of their conversation about a show they had watched on TV the previous day.  It was likely Dr. Phill or something.  An otherwise perfect couple was having marital difficulties whenever something important was accidentally sent through the washing machine.  One blamed the other for not emptying their pockets while the other counter-blamed because they didn’t check the pockets before running the wash.

The solution: do both.

At this point, the wise manager will observe: “but isn’t this a wasteful duplication of effort?”

So you must counter: “it’s a small price to pay (by automated processes I may add) to make certain that your Rolex doesn’t go through the wringer.”

Kevin Liston

292 Posts
ISC Handler
Another analogy of Defense-in-depth that your boss can understand:

Me: How many safety systems are there to help prevent you from being hurt in an car accident?

Boss: There is the airbag and seat-belt.

Me: Those are the last two in a chain of safety features built into the car. You also have crumple zones and safety glass to protect you if an accident is happening.

However, you also have systems in place to prevent the accident in the first place like: anti-lock brakes; mirrors; brake lights; high visibility windshields.

You also have backup to help you in case you are injured to help reduce the injuries like: paramedics; ambulances; fire departments; emergency rooms.

Then you also have plans to help you recover from injury: doctors; medicine; and insurance.

There are many parallels to these systems in IT Security.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!