In the first blog post in this series, defense-in-depth was defined as a military defensive strategy that focused on physical security:

“Defense-in-depth is a defensive strategy designed to protect by using multiple layers of mutually supporting or reinforcing defenses where each layer must be penetrated and overcome before an attack can be successful.”

In Part 1, several defense-in-depth planning assumptions were offered.  Chief among them was:

“A central assumption driving military defense-in-depth is the assumption that a determined attacker will always be able to penetrate the perimeter defense.”

In Part 2 of the defense-in-depth series, the military-style defense-in-depth planning assumptions were tested to see whether they apply to cybersecurity.  It was shown that those planning assumptions do not readily transfer from the physical realm to the cyber realm.

Part 2 concluded:

“We must focus on the information assets that need to be protected. Hyper-focusing on border protection has caused us to lose sight of what must be protected. We must protect the information that we need to sustain operations, whether or not intruders have invaded our networks. We must adopt a practical defensive model that can actually be used to build an information security management system that provides the level of security desired and the level of compliance required.”

Defense-in-Depth, Part 3

Cybersecurity Model: Defense-in-Depth

Defense-in-depth for cybersecurity means using multiple cybersecurity countermeasures in a coordinated way to protect the confidentiality, integrity, and availability of information assets.  Cybersecurity defense-in-depth is based upon the military defensive strategy of a complex, multilayered defense system in which every security layer must be defeated for an attack to succeed.

Many cybersecurity defense-in-depth models employ generic and overly broad layers that offer little help in deciding how to secure critical information.  A typical generic model has security layers or locations named Perimeter, Network, Host, Application, and Data.  These are clearly places where security must be maintained, but such a model gives no guidance on the policies, plans, practices, and technology needed to achieve the desired level of security at each of them.

A cybersecurity defense-in-depth model must also acknowledge that a determined attacker will always be able to gain access to the network, especially one whose information security effort is focused exclusively on technical controls at the network perimeter.  The layered approach offered by a defense-in-depth security model must therefore provide overlapping defense mechanisms designed to protect the organization even when a vulnerability is exploited or a single security control fails.

Each layer of a defense-in-depth model will contain administrative, physical, and technical controls necessary to support implementation of that layer.

Practical Defense-in-Depth

The call-to-action in Part 2 of this blog series on defense-in-depth was:

“We must adopt a practical defensive model that can actually be used to build an information security management system that provides the level of security desired and the level of compliance required.”

A practical defense-in-depth model is one that can actually be used to build an information security management system that provides the level of security desired and the level of compliance required.

The information security management system presented here is based on a defense-in-depth security model designed by the Software Engineering Institute (SEI), the home of CERT/CC.  This security model is built upon well-defined security practice areas that contain the administrative, physical, and technical controls necessary to support implementation of each defense layer.  This approach takes defense-in-depth out of the textbooks and transforms it into concrete security practice areas that can actually be built and managed.  The SEI also offers a three-day course on defense-in-depth: Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth. (Full disclosure: I am an SEI Visiting Scientist, and this is one of the courses I teach.)

A brief overview of each defense-in-depth layer follows.

Defense-in-Depth Layers

Policy Management

Policy management is the foundation of the information security management system.  It includes the plans, policies, procedures, and business and technology processes that support the goals and continuity of the organization.

Risk Management

Information security management is an operational risk management activity.  Risk management seeks to lessen the probability that identified risk scenarios are actually realized and/or reduce the impact (damage) to operational capability when risks are realized.

Risk management needs to be understood for what it really is: a prioritization and decision-making tool that helps an organization decide which potential problems must be mitigated and which can be accepted.

Identity Management

Identity management is required to distinguish users from one another and allow the appropriate delivery of services and access to resources.

Current identity management systems continue to rely upon username/password credentials, which are unable to provide strong identification and authentication.

Authentication as part of identity management is required to validate the digital identity.

Authorization Management

Authorization management is concerned with user rights and permissions.  User rights and permissions are determined by organizational policy.

Note:  Today identity management and authorization management are sometimes referred to together as identity and access management (IAM), as if they were a single thing.  In reality IAM is a combination of business processes, technology, and policies used to manage information about a person and their relationship to the organization, and to grant access to the resources they need and have been approved for.  In this security model identity management and authorization management are treated separately.

Accountability Management

Accountability is being able to establish who is doing, or did, what on the network.  Authentication, authorization, and accountability all depend upon identity management: without a reliable identity, an action cannot be tied to the person who took it.
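To make concrete why the identity, authorization, and accountability layers above are kept separate yet all rest on identity management, here is an added example that is not code from the original post or from the SEI model.  Identity management verifies a credential and produces an identity; authorization management consults organizational policy to decide what that identity may do; accountability management records every attempt, successful or not, against the identity involved.  The user names, roles, permission policy, and requests are constructed sample data, and the class and function names are this example's own.

```python
"""Identity, authorization and accountability kept as separate layers.

Added example, not code from the original post or from the SEI model.
User names, roles, the permission policy and the requests at the bottom
are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PBKDF2_ITERATIONS = 100_000
# Dummy material hashed for unknown accounts so that "no such user" and
# "wrong password" take the same time and cannot be told apart remotely.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = b"\x00" * 32


@dataclass(frozen=True)
class Identity:
    username: str
    roles: frozenset


class IdentityManager:
    """Identity management: establishes who a principal is.

    Only salted PBKDF2 digests are stored, never the password itself."""

    def __init__(self):
        self._users = {}  # username -> (salt, digest, roles)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def enroll(self, username, password, roles):
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(password, salt), frozenset(roles))

    def authenticate(self, username, password) -> Optional[Identity]:
        salt, stored, roles = self._users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST, frozenset()))
        # Constant-time comparison: a byte-by-byte mismatch must not leak timing.
        ok = hmac.compare_digest(self._digest(password, salt), stored)
        return Identity(username, roles) if ok else None


class AuthorizationManager:
    """Authorization management: rights and permissions set by organizational policy."""

    def __init__(self, policy):
        self._policy = policy  # role -> {(action, resource), ...}

    def is_permitted(self, identity: Identity, action, resource) -> bool:
        return any((action, resource) in self._policy.get(role, set())
                   for role in identity.roles)


@dataclass(frozen=True)
class AuditRecord:
    when: datetime
    principal: str   # authenticated user, or the attempted name when authentication failed
    action: str
    resource: str
    outcome: str     # "authn_failed", "denied" or "allowed"


class AccountabilityManager:
    """Accountability management: who did (or tried to do) what, tied to an identity."""

    def __init__(self):
        self.records = []

    def record(self, principal, action, resource, outcome):
        self.records.append(AuditRecord(datetime.now(timezone.utc), principal, action, resource, outcome))

    def activity_of(self, principal):
        return [r for r in self.records if r.principal == principal]


class Gateway:
    """Runs one request through the three layers in order."""

    def __init__(self, idm, authz, audit):
        self.idm, self.authz, self.audit = idm, authz, audit

    def request(self, username, password, action, resource) -> str:
        identity = self.idm.authenticate(username, password)
        if identity is None:
            outcome = "authn_failed"
        elif self.authz.is_permitted(identity, action, resource):
            outcome = "allowed"
        else:
            outcome = "denied"
        self.audit.record(username, action, resource, outcome)  # every attempt is logged
        return outcome


def build_demo():
    """Constructed sample users and policy (hypothetical, for illustration)."""
    idm = IdentityManager()
    idm.enroll("alice", "correct horse battery", roles=["analyst"])
    idm.enroll("bob", "hunter2-but-longer", roles=["admin"])
    policy = {
        "analyst": {("read", "incident-db")},
        "admin": {("read", "incident-db"), ("write", "incident-db")},
    }
    return Gateway(idm, AuthorizationManager(policy), AccountabilityManager())


if __name__ == "__main__":
    gw = build_demo()
    for args in [("alice", "correct horse battery", "read", "incident-db"),
                 ("alice", "correct horse battery", "write", "incident-db"),
                 ("alice", "wrong", "read", "incident-db"),
                 ("mallory", "anything", "read", "incident-db")]:
        print(args[0], args[2], "->", gw.request(*args))
    for rec in gw.audit.records:
        print(rec)
```

Two design points matter here.  Authorization never sees a raw username or password, only an `Identity` produced by the identity layer, so a change of authentication mechanism leaves the policy code untouched.  And the audit log records failed authentications under the attempted name as well as allowed and denied actions under the verified one, which is what lets an investigator later reconstruct who did what.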

Availability Management

Availability of information resources is an essential part of the Confidentiality-Integrity-Availability triad and is a critical element especially with respect to continuity of operations.

Configuration Management

Configuration management includes the software update process, inventory control, change management, and internal assessment.

Incident Management

Incident management is concerned with effective response to security incidents.  Defense-in-depth aids incident response in that the various security layers slow an attacker down, making it easier to detect and respond to an incident before it runs its course.  Effective response lowers the amount of damage done and reduces the time and cost of recovery.
