Cybersecurity defense in depth means more than ticking boxes
F-Secure's Tom Van de Wiele explains the realities of cybersecurity defense in depth, and why companies need to have the right attitude to defend against cyberattacks.
Ask most experts about the most important task for protecting an organization's data, and cybersecurity defense in depth is almost sure to be the answer.
But just what does that mean? Tom Van de Wiele, principal security consultant at F-Secure, believes that cybersecurity defense in depth is critical to infosec defense. Because most attackers draw on a relatively limited menu of techniques when running an attack, Van de Wiele argues that good strategies for cybersecurity defense in depth are readily available.
However, Van de Wiele blames enterprise security woes on a mindset that relies on checking compliance boxes as a proxy for doing cybersecurity defense in depth the right way.
Rather than deploying more security products as a path to building a cybersecurity defense in depth strategy, Van de Wiele suggests enterprises examine how their systems are used and what might represent an attack -- and then build in the tripwires, alerts and systems necessary to detect attacks as they are in progress, but before they do too much damage.
In this Q&A, Van de Wiele shares the realities of cybersecurity defense in depth and what companies can do to strengthen their defenses rather than simply checking a box on a compliance checklist.
What does it mean to talk about cybersecurity defense in depth, and how do enterprises do it? What are some of the specific steps defenders can take?
Tom Van de Wiele: I'll tell you what it really means from a security industry standpoint, and then I'll tell you what companies actually do with it.
Defense in depth is really making sure that if you have one layer that falls through -- when that new zero-day comes out, or a known attack is being used in a different way -- that should simply not be the end of it. That should not be a binary situation where either you have all the data and all the connection strings for all the underlying databases and servers or not, but that you have the physical, logical layers.
You should have compartmentalization, [so] when you go from zone A to zone B, you can do that, but it's going to trip a lot of tripwires with hopefully a lot of bells on them that hopefully get responded to by someone saying, 'Whoa, that's not supposed to be. Server A is never supposed to be contacting server B -- it's always server B contacting server A. Why is it doing that?'
And you need to have that baseline. You need to know what's going on in your network. And in these days of cloud and these days where database servers are dynamically scalable, all of a sudden, parts of your tables of your database are in the cloud -- and then they're not, and then the lines are frayed. And that, of course, doesn't help.
But our definition of defense in depth is making sure that security is not dependent on one control, and that you can rely on other controls to either slow down or tar pit the attacker in a way that lots of alerting mechanisms get activated so that someone can respond to these things.
If you have these scripting attacks and these privilege escalation attacks, these are easy to detect, but you need to know what you're looking for, and that's really the problem. Most of the detection mechanisms that we see out there are not aligned with the attacks that we're seeing on the internet, which are basically about 15-20 attacks.
It's the same thing if you're inside an internal network and you want to have any kind of lateral movement from computer to computer or from segment to segment; there's only about 10 things that attackers do, which is port scan, fingerprint, find users, find passwords, extract the hashes. It's always the same stuff, and you can anticipate those things by putting barriers in between that will trigger alerting mechanisms. It's really about compartmentalization.
What does it really mean when companies talk about cybersecurity defense in depth?
Van de Wiele: When companies hear defense in depth, what they say is, 'Let's buy a second firewall and put that in front of the first firewall, and let's buy another antivirus and endpoint security solution,' because if one company doesn't get it, maybe the other company will get it. And, unfortunately, that doesn't really scale, nor does it really pan out when it comes to having any kind of defense strategy that will actually catch something.
The way that we illustrate the limitations of the detection mechanisms for companies is with the parking lot joke. It's where you see your colleagues in the parking lot looking at the ground and you ask your colleague, 'What are you looking for?' and he says, 'I dropped my keys somewhere, but they're somewhere over there,' and your colleague points somewhere in the distance. And you say, 'If you know your keys are somewhere over there, then why are you looking here?' And the answer is, 'Well, the lighting is better.'
And that's really how companies are doing detection, which is they buy an intrusion detection system, they turn it on, there's stuff scrolling down the screen, and they say, 'Whoa! Good job, guys!'
That's it; check the box. And then they have to find out they got compromised.
Of course, then the company is in hot water. You get all these elaborate discussions and media riots and then they say, 'Look, I mean, I bought the box -- you can't say I didn't do anything about security.'
So doing defense in depth properly would mean taking that list of the 10 or 20 things that attackers do, and then monitoring the systems that would be involved and sending out alerts when things happen?
Van de Wiele: That's exactly right. Are companies able to see these attacks, able to respond to them, and, if so, how fast?
The easiest way of trying to get into any hotel room is taking the card [key] to your hotel room and walking up to every single other room in the hotel, trying to see if your card works there.
You can do the same thing on an Active Directory-powered network where you have your login and password, and you try it on every single other Windows machine because somewhere, someone will have thrown you or your user group into the group of allowed people, and you'll be able to log on.
That test case alone of just taking your login and password in Active Directory and going through every single Windows machine, I think three-quarters of the companies that we handle business for are not able to see that. And that's a pity.
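One way to close the detection gap Van de Wiele describes, as an added example that is not code from the interview or from F-Secure: flag an account whose network logons (successful or failed) reach an unusual number of distinct hosts in a short window, relative to a per-account baseline of hosts it normally touches. The log lines, field layout and baseline below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows logon events (4624 = success, 4625 = failure),
# flattened to "timestamp,event_id,account,target_host,logon_type".
SAMPLE_LOG = """\
2024-03-01T09:00:01,4624,alice,WS-ALICE,2
2024-03-01T09:01:10,4624,alice,FILESRV01,3
2024-03-01T09:01:12,4625,alice,FILESRV02,3
2024-03-01T09:01:13,4625,alice,HR-DB01,3
2024-03-01T09:01:15,4624,alice,PRINT01,3
2024-03-01T09:01:16,4625,alice,DC01,3
2024-03-01T09:01:18,4624,alice,BUILD01,3
2024-03-01T10:30:00,4624,bob,WS-BOB,2
2024-03-01T10:31:00,4624,bob,FILESRV01,3
"""

# Assumed baseline: the hosts each account normally authenticates to.
# In practice this comes from a learning period over real logon history.
BASELINE = {"alice": {"WS-ALICE", "FILESRV01"}, "bob": {"WS-BOB", "FILESRV01"}}


def parse_events(text):
    """Parse the flattened log into (timestamp, event_id, account, host, logon_type)."""
    events = []
    for line in text.splitlines():
        ts, eid, account, host, ltype = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), account, host, int(ltype)))
    return events


def find_hotel_card_walk(events, window=timedelta(minutes=5), threshold=4):
    """Return {account: sorted hosts} for accounts whose network logons (type 3,
    success or failure) touch at least `threshold` distinct non-baseline hosts
    within `window`. Failures count too: the walk is the signal, not the outcome."""
    per_account = defaultdict(list)
    for ts, eid, account, host, ltype in events:
        if ltype != 3 or eid not in (4624, 4625):
            continue
        if host in BASELINE.get(account, set()):
            continue  # normal for this account; do not count toward the walk
        per_account[account].append((ts, host))
    alerts = {}
    for account, hits in per_account.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start point
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts[account] = sorted(hosts)
                break
    return alerts
```

Tune `threshold` and `window` against the baseline for service accounts and administrators, which legitimately touch many hosts; otherwise the alert drowns in its own noise.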