more on defense in depth

Thomas Ptacek continues some talk about the merits of (or lack thereof) “defense in depth” (DiD). He is not sold on DiD as a core principle for security design. Which I think is perfectly fine! Even though I believe in the value of DiD, it might not always apply in every situation.

Three things to start any DiD discussion:

1) Thomas quotes Eric about my first point: “But Eric also associates ‘depth’ with network security, not application security…” I think Eric is somewhat correct. Any discussion on DiD should start with where we’re framing the discussion, application, network, other…

2) I’ve mentioned security religions before. There is a group who does not accept anything but truly secure “stuff.” Incremental or DiD principles need not apply. There is no use in arguing about DiD with someone who believes heavily in the absoluteness of security measures. These would be black-and-white people: either it is secure or it is not. Don’t argue DiD with someone who fanatically believes in absolute security; DiD is absolutely worthless to them.

3) How do you define DiD? I know of two different definitions. First, DiD refers to layers of defense overlapping to cover deficiencies in other layers; complementary DiD. One blanket can cover half your car when it is raining, but a second, different blanket overlapping the first one can cover the rest of your car. Second, DiD refers to layers that sit like concentric rings. If you break through one, you still have to break through several more; additive DiD. Without defining our view of DiD, none of our analogies will be appropriate to compare.

I sympathize with the points raised about causing an attacker to take more time/effort to achieve an asset (attrition) and also causing them to trip more alarms in trying to evade everything you’ve thrown in their way (delay). Notice these don’t *stop* an attacker, but they give defenders a chance to react better or avoid a compromise. Does an ad hoc military base erect walls built to withstand missiles, tanks, and planes? No, they rely on detection of incoming threats and react to them. Kudos on the point about reaction, though, since many of these attacks are so quick to execute in the cyberverse. But in counter, I’d rather know after the fact than not at all.

Some comments paint what I think is a realistic vision of DiD.

One comment mentions that DiD is all about economics. This is increasingly being called risk management. If you have a layered defense where an attacker uses his known parlor tricks to get into the outer crust, but has to spend a lot of time and energy to get any farther because he’s not as knowledgeable about other techniques, the risk of him bullishly continuing to try may be small.

Another comment mentions that DiD should not be “an alternative to rooting out and fixing vulnerabilities.” Very true, but again this comes down to economics. It also seems to be the driving point behind WAFs: rather than fix the code (which can be costly), just throw up a WAF and don’t bother fixing something that can be bandaged.

Complexity vs Security vs Economics…