Defense in Depth: It’s Just Not the Same Any More
Just a few days ago I read an extremely interesting article titled “Update: Security industry faces attacks it cannot stop.” Written by Robert McMillan, it appeared in the March 10 issue of Computerworld. Its point, in effect, was that although we have all kinds of security technology available to us, an attacker needs to exploit only one vulnerability (often one we are not even aware of) to breach our security. Success for the black hat community is thus inevitable if attackers simply try one exploitation vector, then another, then another, and so on: one will eventually work. Try as we may, we are losing the war against computer criminals very badly right now.
Although I am still a believer in anti-virus software, the information security community has for several years now had to face the bitter truth that AV software does not do all that it should. Because of the evasion capabilities (polymorphism, code packing, and much more) of today’s generation of viruses and worms, even the best AV products come nowhere near 100 percent detection and eradication. Things get even worse when it comes to zero-day attacks involving malware (which they almost always do); in this case, most AV software will not even have a clue that malware is present. And when it comes to detecting Trojan horse programs, some major AV products do not even reach a 50 percent detection rate.
An intuitive solution would be to adopt a defense-in-depth strategy in which AV software running on individual hosts is just one layer among many barriers against malware. After all, we have virus walls, personal and gateway-based firewalls, integrity checking software, authenticated code, anti-spyware software, network access control technology, intrusion detection and intrusion prevention tools, and much more. But even those who use this strategy are finding that their networks and hosts are being owned regularly.
What’s wrong? Isn’t defense-in-depth the way to go? Of course it is! But anyone who deploys a defense-in-depth strategy has to do it intelligently if it is to have a chance of succeeding. The advanced persistent attack onslaught we have been facing for several years should have taught us at least one thing: the concept of defense-in-depth no longer works the way it used to. We can erect one barrier after another, but if the barriers do not include controls that fend off the specific attacks that are actually occurring, the barriers will not work. So if we have all the barriers listed above but have not kept Adobe Reader up to date with patches, we lose the moment an attacker launches an attack against that application, because none of the other layers was built to stop it.
And perhaps worse yet, if we put a myriad of controls in place as part of a defense-in-depth strategy, it is far too easy to become overconfident that it would take an almost supernatural effort to breach the security we have built. This overconfidence in turn keeps us from looking objectively and analytically at the full range of threats that our organization faces and the complete set of vulnerabilities that exist in our networks, hosts and applications.
So the bottom line is that it is time to reconsider what we know about defense-in-depth. We need it, but we cannot put defense-in-depth in place and then fail to consider and control the range of specific threats and exploits that present themselves so frequently nowadays. Defense-in-depth has become one of the first things you do in a successful information security strategy, and you had better not stop there if you want to have a chance of resisting today’s attacks.