Published: 01 Feb 2002
Just about everyone involved in infosecurity has heard of "defense-in-depth," the practice of building multiple layers of security into a given system or network. Most security books, trade magazines, conferences and workshops trumpet defense-in-depth as a fundamental principle of security management and administration.
Defense-in-depth is, indeed, a key security concept. But I would contend that most of us think of "depth" in rather shallow ways. We don't do a very good job of implementing depth at an organization-wide level. Worse, we don't use the defense-in-depth concept to simultaneously simplify and improve security.
Binary vs. Synergistic Controls
First, a working definition. There are five different control types that can be applied to any given security threat (or attack) scenario: protect, detect, recover, deter and transfer. Some people define defense-in-depth as the ability to respond to each threat or attack with at least one control from each of these five categories.
For example, think about how a bank protects itself from a robbery. It uses vaults, armed guards and bulletproof glass dividers to protect against break-ins; alarm systems and security cameras to detect unauthorized entry; recovery plans and alternate facilities to help it recover in the event of a theft; laws and marketing to deter robbery attempts; and insurance to transfer the residual risk.
Such an approach guarantees security redundancy; should any one of the controls fail, others are there to back it up. If the bank security guard falls asleep, the alarm system will detect unauthorized activity. If the alarm system is disabled, the security cameras will record the break-in. And so on.
The problem with most approaches to digital defense-in-depth is that they assume that each control has "binary effectiveness" -- that is, it works either all of the time or not at all. And, as we all know, perfect security is impossible. We all pay lip service to the idea that "no security is perfect," but most of us translate that into a belief that good security controls will still be in excess of 99 percent effective.
It's laudable to try to achieve this level of effectiveness with any one security control, but it's totally unrealistic. Trying to achieve even 90 percent effectiveness in some controls is incredibly costly, time-consuming and counterproductive.
A better (and broader) approach to defense-in-depth is one that I call "synergistic security." Like traditional conceptions of defense-in-depth, the success of synergistic security hinges on the redundancy of security controls. But unlike binary security controls, synergistic controls are not either "on" or "off." Each synergistic control is purposefully understood to be (significantly) less than 100 percent effective, making it more practical to maintain while also reducing cost, infringement, management and maintenance burdens.
Let's go back to the bank example. What is it that keeps banks from being robbed? And how effective are each of the controls? If you think about it, a security guard, a surveillance camera and a vault are independently only about 70 percent or 80 percent effective in preventing a robbery. For example, the vault in most banks is kept open during banking hours. For the vault to be 90 percent effective or better, it would have to be kept closed almost all the time. This, in turn, would force a bank manager to open and close it every time he needed to get some money or help a customer with a safe deposit box. Imagine how much time that would take; the bank would have to dedicate a manager to doing nothing else but opening and closing the vault!
My point is, any single control that's 99 percent effective would cripple the bank's business productivity. What keeps most banks from being robbed is that each of its controls works synergistically with the others, so that a robber has to beat every one of them, and the protection compounds. The same holds true for enterprise infosecurity. Single controls with binary effectiveness often kill our ability to do business efficiently. We should actively look for a better way.
The arithmetic I use behind the concept of synergistic security is the multiplication rule for independent events (it is often loosely called Bayes' Theorem, but Bayes' Theorem proper concerns updating a "prior" probability with new evidence; what matters here is only that the controls fail independently of one another). If one control is 80 percent effective, then it fails one out of five times. Two independent controls, each 80 percent effective, together will fail one out of 25 times (0.2 times 0.2). Three 80 percent effective controls, operating together, will fail one out of 125 times. In other words, they will succeed with a likelihood of 99.2 percent. The independence assumption is the load-bearing one: two controls that fail for the same reason (the same missed patch, the same misconfiguration, the same sleeping guard) are closer to one control than to two, and the arithmetic above overstates what they buy you.
Now, suppose that in addition to implementing good primary controls, we look for and implement a suite of complementary controls that are nowhere near as good -- not robust, not fundamental, not whiz-bang, not even sold by any vendors, and perhaps not even thought of as relating to security at all. These controls need to be cheap, easy and non-infringing; effective enough (say, more than 60 percent) against an important category of risk; and able to fail independently of the other controls, since a control that fails for the same reason as its neighbor adds little depth.
For example, to protect an IIS server from external attack, you could implement multiple complementary controls at different levels. At the perimeter, you could configure border routers and firewalls to deny traffic by default and permit only what the server needs. On the IIS box itself, you could delete the sample files, move or rename the command shell executable and delete the scripts directory. At the policies and practices level, you could specify only local management of the server and insist on a quarterly tune-up cycle. And so on. Each of these fails for a different reason, which is what makes them worth combining.
These are only a few examples for one very specific application. For any protected resource, look around at the practices, policies, procedures, configurations, architectures and other protective mechanisms already in place at your organization, estimate how effective and how independent each one is, and apply the same arithmetic to determine where your real gaps are. (For example, the TruSecure Antivirus Policy Guide offers an example of how to use four primary controls and more than 20 synergistic controls to protect against viruses and other malware.) At a bare minimum, for most categories of risk, you should have either two protective primary controls (defined as controls with greater than 90 percent effectiveness), or one primary and at least three synergistic controls. If the controls fail independently, either combination is better than 99 percent effective: two 90 percent controls fail together one time in 100, and a 90 percent primary backed by three 60 percent synergistic controls fails together roughly six times in a thousand. Lose any one control outright and the rest still stand between the attacker and the asset, which is the redundancy the bank example relies on.
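The arithmetic from the two preceding passages (the 80 percent series and the "two primaries, or one primary plus three synergistic controls" minimum), worked through as an added example. This is editorial code, not from the article or from TruSecure. It assumes, as the article does, that controls fail independently; the effectiveness figures fed to it are the article's illustrative numbers, not measurements of any real control.

```python
"""Residual-risk arithmetic for layered, independently failing controls.

Each control is described by its effectiveness e in [0, 1]: the fraction of
attacks it stops on its own. Under the independence assumption an attack gets
through only when every layer fails, so the combined failure probability is
the product of the individual failure probabilities (1 - e). The numbers used
below are the article's illustrative figures, not measured values.
"""
from math import prod


def residual_failure(effectivenesses):
    """Probability that an attack defeats every control in the list."""
    for e in effectivenesses:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness must be in [0, 1], got {e}")
    return prod(1.0 - e for e in effectivenesses)


def combined_effectiveness(effectivenesses):
    """Fraction of attacks stopped by at least one control."""
    return 1.0 - residual_failure(effectivenesses)


def weakest_after_single_loss(effectivenesses):
    """Worst-case combined effectiveness when any one control is wholly lost
    (the sleeping guard, the disabled alarm): drop each control in turn and
    report the weakest of the remaining combinations."""
    layers = list(effectivenesses)
    if len(layers) < 2:
        return 0.0
    return min(
        combined_effectiveness(layers[:i] + layers[i + 1:])
        for i in range(len(layers))
    )


def controls_needed(per_control, target):
    """Smallest number of identical, independent controls of the given
    effectiveness needed to reach the target combined effectiveness."""
    if not 0.0 < per_control <= 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("per_control must be in (0, 1], target in [0, 1)")
    n = 0
    failure = 1.0
    while 1.0 - failure < target:
        failure *= 1.0 - per_control
        n += 1
    return n


if __name__ == "__main__":
    # The article's 80 percent series: fails 1 in 5, 1 in 25, 1 in 125.
    for n in (1, 2, 3):
        layers = [0.8] * n
        print(f"{n} x 80%: fails 1 in {round(1 / residual_failure(layers))}, "
              f"combined {combined_effectiveness(layers):.1%}")

    # The two suggested minimums, and what is left if one control is lost.
    scenarios = (
        ("two primaries", [0.9, 0.9]),
        ("primary + three synergistic", [0.9, 0.6, 0.6, 0.6]),
    )
    for name, layers in scenarios:
        print(f"{name}: combined {combined_effectiveness(layers):.2%}, "
              f"worst case after losing one control "
              f"{weakest_after_single_loss(layers):.1%}")

    # How many cheap 60 percent controls would reach 99 percent on their own?
    print("60% controls needed to reach 99%:", controls_needed(0.6, 0.99))
```

Running it shows the point the article makes and the caveat it implies: the primary-plus-three combination is about 99.4 percent effective, but if the primary itself is lost the three 60 percent controls together are only about 93.6 percent, and six 60 percent controls are needed to reach 99 percent without any primary. Every one of these figures is only as good as the independence assumption behind it.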
Mind you, I'm not advocating we abandon the excellent primary controls most of us already use: firewalls, IDSes, AV scanners, crypto, door locks, etc. But even in the best of all worlds, the effectiveness of these controls (used by themselves) is in the low 90 percent range. Our task should not be finding ways to increase the protection levels of these controls beyond their capabilities. Instead, we should optimize these primary controls and then add depth with simple, manageable, low-infringement, synergistic controls.
Allowing yourself to give some value to things which are only partially effective can be liberating. For every threat category, force yourself and your team to list at least a dozen synergistic controls. Then look at your list and narrow it not for controls that are the strongest, but instead for those with the least business impact on your organization. Be realistic about just how poor these kinds of controls can be. Put enough of them together to take the appropriate bite out of your risk-worry. Don't forget to include the things that may already be in place.
About the author:
Peter Tippett, M.D, Ph.D., is the executive publisher of Information Security and CTO of TruSecure Corp.