The Death of Defense in Depth: IANS Forum Recap

09/29/2011

During the New England Information Security Forum here in Boston last week, IANS Faculty Ron Ritchey presented an IANS Focus Topic (IFT) on "The Death of Defense in Depth: Rethinking Your Security Spend," urging participants to think about the origin of defense in depth, how defense in depth is being implemented today, and why it's not as powerful as it should be.

The session focused on some of the shortcomings of defense in depth: security is often implemented after the fact, after an incident occurs, as opposed to being “baked in.” According to Ron, this is not the right approach. Supporting his theory, Ron presented data showing that even companies that are proactive in their security efforts still spend only about 10% of their budget on computer security (on average). Even with firewalls, intrusion detection systems, properly patched OSes, forensics, and education, government and other high-value systems are being compromised on a daily basis. Clearly we need to do more.

With these issues in mind, attendees of Ron's session discussed and came away with a few key points that we'll share here. The first key point agreed upon by all attendees is that organizations must evaluate the cost/benefit and agility of their existing controls. Participants concurred that systems that can "occasionally lose then adapt quickly" are the ones that will prove the most beneficial to information security.

As such, organizations need to set aside resources to support flexible, intelligent response capabilities. It's one thing to have myriad technologies in place, but ask yourself:

  • What technologies do we spend the most on?
  • Do they still work? Are they appropriate for today's environment? If so, how much longer will they be?
  • Can we replace what we have with something more flexible, agile, or cheaper that also has better monitoring, observation, and response to events?

As far as defense in depth is concerned, a priority should be placed on adaptability: your adversaries are always changing and the threats are always changing, so security should be able to nimbly respond to those changes. Because there is no "silver bullet" technology that will stop sophisticated attacks, organizations must consider how security controls are addressed as systems are being built rather than after they have already been compromised.

Keywords: Forum Recap, Research