What is Defense-in-Depth?
In the previous post, defense-in-depth was defined as: “… a defensive strategy designed to protect by using multiple layers of mutually supporting or reinforcing defenses where each layer must be penetrated and overcome before an attack can be successful”.
Also, in the previous post, some defense-in-depth planning assumptions were given as:
- An attacker will always be able to penetrate the perimeter
- Defense-in-depth enables counterattacking the enemy
- The enemy will be located some distance away from what requires defending; yielding space to the attacker in order to outflank and destroy them is part of the defensive strategy
- It is possible to eliminate the attacker or at least degrade their ability to continue an attack
Defense-in-Depth Assumptions in Cybersecurity
Let’s take another look at these military defense-in-depth planning assumptions and ask: Do these planning assumptions carry over to cybersecurity defense-in-depth?
1. An attacker will always be able to penetrate the perimeter.
This is a core assumption that drives the rest of the military defense-in-depth strategy. The remaining defensive layers are designed to react and respond to this assumption.
In cybersecurity defense, there are still those who believe that it is possible to protect their organization at the border. Let’s be clear: It is not possible to repel every attack at the border of your network. From the standpoint of defensive strategy, it has always been assumed that the perimeter will be penetrated. Cybersecurity planners need to adopt this assumption, also. In most cases, military perimeter defenses are not intended to stop an attacker, but merely to slow them down so that other defensive strategies can be brought to bear.
2. Defense-in-depth enables counterattacking the enemy.
In military strategy, once an enemy has penetrated the perimeter, additional defensive layers are intended to allow the enemy to penetrate deeply enough to be outflanked, enveloped, and destroyed by the defender. Or perhaps the enemy will be channeled into kill zones where defensive weapons have been prepositioned to destroy them.
In cybersecurity, the idea that an attacker can be drawn into the network deep enough to be outflanked and destroyed just doesn’t exist.
3. The enemy will be located some distance away from what requires defending; yielding space to the attacker in order to outflank and destroy them is part of the defensive strategy.
This is similar to the previous assumption except that this assumption makes clear the idea that physical space can be yielded to the enemy for a defensive advantage.
In the cybersecurity realm, there is no physical space that is occupied; there is no physical space that can be traded away as part of a defensive strategy.
4. It is possible to eliminate the attacker or at least degrade their ability to continue an attack.
Uh, no. There is no possibility that a cyber attacker will be eliminated or their offensive capability will be degraded by any cybersecurity defensive strategy.
The reality is that there is no notion of space in the cybersecurity environment that can be given up in order to envelop the attacker. In fact, the attacker is sitting just outside your door, trying one attack method after another, until an attack is successful. There is nothing you can do to stop them from trying, and you certainly are not going to eliminate them or degrade their capability to attack.
Now that we have seen that the classic military strategy known as defense-in-depth has no real application in the cybersecurity realm, let’s explore what we really should be paying attention to.
First, we must turn our attention away from trying to repel invaders at the border. We must discard the notion that it is possible to protect our information networks, and the business operations supported by them, at the borders of our networks.
Then, we must focus on the information assets that need to be protected. Hyper-focusing on border protection has caused us to lose sight of what must be protected. We must protect the information that we need to sustain operations, whether or not intruders have invaded our networks. We must adopt a practical defensive model that can actually be used to build an information security management system that provides the level of security desired and the level of compliance required.
In the next post of this series, a defensive model that is applicable to cybersecurity will be offered and discussed. A model of defense-in-depth that is built upon well-defined security practice areas that contain the administrative, physical, and technical controls necessary to support implementation of each defense layer will be presented and discussed.