What defense in depth is in information security

Defense in depth is a common phrase you hear in information security. It’s also frequently misunderstood. In this blog post, I’ll provide links to a couple of examples of defense in depth, and provide some insights into the mindset. Because more than anything else, defense in depth is a mindset that takes more than seeing examples to grasp.

Borrowed from a military term

(Image: defense in depth on a battlefield)
Defense in depth in information security isn’t about lining up your tools in multiple rows like on a battlefield. It’s more about making sure each is functioning, and periodically looking for areas of improvement.

Defense in depth is a term that computer security, or infosec, borrowed from the military. But from my understanding, it’s a bit of a misuse of the military term.

My understanding of the military term is that it means you have reinforcements available. But when it comes to information security, doubling up on tools for reinforcement purposes isn’t always practical, or possible. At the very least, it’s not very cost effective. There usually isn’t much room in budgets for redundancy, and there’s rarely an incentive to keep redundancy, unless you have a multipurpose tool that does one job well and several other jobs passably, and you buy specialty tools to do one or more of those other jobs well.

A fairly common example of this would be using Crowdstrike for EDR and to get a second opinion on vulnerability management, while using Tenable most of the time for vulnerability management. But that isn’t really what I would call defense in depth, because if both tools are configured correctly, Crowdstrike isn’t going to catch things Tenable misses.

What defense in depth means in information security

The reason the traditional concept of defense in depth is a misnomer for information security is not just that you have multiple lines of defense. Presumably, on the battlefield, your lines of defense don’t have a lot of gaps in them. When there is a gap, hopefully it’s because some natural barrier is compensating for you not having soldiers and equipment in that area.

In information security, defense in depth is more about making sure that the line of defense you have has as few gaps as possible. Your defense may rate a nine on a scale of 1 to 10 or it may rate a two. It really depends on what you have to work with. But defense in depth is making sure you have something out there, and periodically reviewing it, at least annually, to see if you have budget to do better, including hiring experienced people and building the processes to support it, not just buying a technology. I’ve seen companies struggle for a year to do basic vulnerability management, then hire someone with experience and make more progress in three weeks than they’d made in the year prior.

So a better example of defense in depth, rather than having both Crowdstrike and Tenable handling vulnerability management, would be this: have Crowdstrike handle endpoint protection while Tenable handles vulnerability management, and have teams that actively monitor both tools and act on any alerts.

The logical fallacy

This may be human nature, but I’ve seen this mindset become more common over the last couple of decades: The mindset is that if something you do doesn’t solve the entire problem, it’s not worth doing. And I’ve seen people say this about solutions that solve 98% of a problem or 10% of a problem.

I see this a lot when I’m working on implementation projects. I’ve been on customer calls where I offer to walk them through implementing part of the project on the phone and knock out 10% of the project right then and there, in less than an hour. I get two reactions to this. It probably won’t surprise you to hear that some customers are very eager to take me up on that. But I get the occasional customer who gets very angry at that offer, because it’s only 10%. They want 100%.

Hopefully it doesn’t surprise you that the people who take those 10% gains when they can get them get their stuff implemented much faster than the people who hold out for 100%. The people who hold out for 100% almost never end up finishing their project. They have options. These include changing vendors, bringing in professional services, bringing in a managed service provider (MSP) or changing MSPs, reorganizing internally, or bringing in a new hire. But unless that change results in a shift in mindset, the result tends to look the same.

The reason I am successful at vulnerability management is because I am very good at finding incremental gains that can be achieved in the short term, and also good at holding those gains while I wait for the next opportunity to seize.

The key

The key to vulnerability management, and defense in depth as well, is looking at what you have to work with, building what you can with it, and then periodically evaluating whether there might be anything else you can add. You may be able to cover 20% of a weakness, or you may be able to cover 80%. Covering 20% is better than covering zero.

The difference in the mindset is what you do with that remaining 80%. If you obsess over the existing solution leaving 80% undone, that’s a defeatist attitude. Defense in depth is looking for what you have to cover some of that remaining 80%.

Note my word choice there. I said some. It’s not likely that I can cover 100%. Even if it is possible, it may not be cost effective, especially once the budget for the year is allocated. My job as a defense-in-depth-minded security professional is not to eliminate all of the risk, it’s to shave the risk down to an acceptable level.

I am probably not the one who decides the acceptable level. I advise on it.

A story from earlier in my career

I learned defense in depth from the military. No, not the battlefield. I spent about 7 years of my career working on military contracts and for the last 3 years of that time, I evaluated defense in depth. We had a framework called RDAC that considered 11 threats and mapped more than 40 potential mitigations to those threats. We looked at whether they were functioning as preventative, detective, or reactive, and scored them. There was always a target score that we were aiming for, and if we fell short, we needed to find ways to improve enough of those 40 mitigations to bring the score into the acceptable range.

I did one of these evaluations that passed, but barely, and I didn’t feel at all good about it. No one else did either, so it got a much shorter expiration date than usual. But I still didn’t feel good about it.

One of my co-workers reminded me that all we do is advise. It was someone else who accepted that risk. I wanted something much closer to perfection. But I also didn’t know the whole story. Implementing something better would have taken more time, and I didn’t know if we had that time. The person who signed off on it did have that answer.
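To make the shape of that kind of evaluation concrete, here is an added illustration that is not the RDAC scoring method (the post does not give its formula) and not the author's code: threats mapped to mitigations rated preventative, detective or reactive, combined into a per-threat and overall score, compared against a target, with the weakest threats surfaced as the next place to look for incremental gains. Every threat, mitigation, weight and effectiveness rating below is a constructed assumption.

```python
# Illustrative threat/mitigation coverage scoring. Modelled on the shape of the
# evaluation described above (threats, mapped mitigations, each rated
# preventative/detective/reactive, scored against a target), NOT on RDAC's
# actual formula, which the post does not give. All values are constructed.
from typing import Dict, List, Tuple

# Constructed: (mitigation name, control type, effectiveness 0.0-1.0)
Mitigation = Tuple[str, str, float]

# Constructed weighting: prevention counts most, detection next, reaction least.
TYPE_WEIGHT = {"preventative": 1.0, "detective": 0.7, "reactive": 0.5}

# Constructed mapping of threats to the mitigations currently addressing them.
THREATS: Dict[str, List[Mitigation]] = {
    "malware on endpoints": [
        ("EDR agent", "detective", 0.8),
        ("application allowlisting", "preventative", 0.3),
    ],
    "unpatched vulnerabilities": [
        ("vulnerability scanning", "detective", 0.6),
        ("patch process", "reactive", 0.4),
    ],
    "phishing": [
        ("mail filtering", "preventative", 0.7),
    ],
}

def threat_score(mitigations: List[Mitigation]) -> float:
    """Treat mitigations as independent layers: the residual gap is the product
    of each layer's weighted miss rate, so a partial control always helps
    (covering 20% beats covering zero), with diminishing returns."""
    residual = 1.0
    for _name, ctype, effectiveness in mitigations:
        residual *= 1.0 - TYPE_WEIGHT[ctype] * effectiveness
    return round(1.0 - residual, 3)

def overall_score(threats: Dict[str, List[Mitigation]]) -> Tuple[float, Dict[str, float]]:
    """Average of per-threat scores, plus the per-threat breakdown."""
    scores = {t: threat_score(m) for t, m in threats.items()}
    return round(sum(scores.values()) / len(scores), 3), scores

def weakest_threats(threats: Dict[str, List[Mitigation]], target: float) -> List[str]:
    """Threats below the target, weakest first: where to look for the next gain."""
    _total, scores = overall_score(threats)
    return sorted((t for t, s in scores.items() if s < target), key=lambda t: scores[t])

def add_mitigation(threats: Dict[str, List[Mitigation]], threat: str, mitigation: Mitigation):
    """Return a copy with one more (possibly partial) mitigation mapped to a threat."""
    updated = {t: list(m) for t, m in threats.items()}
    updated.setdefault(threat, []).append(mitigation)
    return updated
```

Re-scoring after `add_mitigation` shows how a modest control (say, 20% effective) moves a threat that was below target, which is the incremental-gain loop the post describes.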

A mindset as much as a methodology

So that’s why I say defense in depth is a mindset. In information security, perfect is the enemy of good. And I’ve been in this industry long enough that I have seen people fail because they were chasing perfection, especially when their pursuit of perfection meant they rejected a good interim solution that could have been providing some level of protection in the meantime.

The way you see compromise makes a big difference in security, especially defense in depth. If you see compromise as a defeat, because you didn’t get everything you wanted, you’ll make slower progress and potentially even leave yourself open to manipulation. If you see compromise as a way to make progress in the short term while you make plans to come back for more, you’ll pile up more accomplishments and make fewer enemies. In the United States, an unwillingness to compromise runs deep in our culture. Sometimes we have to work against that tendency.

Lessons learned

I performed more than 100 of these evaluations, and that experience served me very well once I moved to the private sector. Not so much the scoring. I’ve used what I learned from the scoring methodology to assess maturity levels, but what’s been more useful is remembering the things I used to do to improve scores, so I could make recommendations on the fly.

I learned another important thing in that process. I was trained up to be an assertive problem solver. We had another guy on the team who was famous for being loud and obnoxious. But he’s also creative, and that’s why I’ve stayed in contact with him since we worked together. What we both found, independently, was that being loud and obnoxious only helped when you had a defensible solution to fight for. It did absolutely nothing to motivate other people to build a solution when you didn’t have one.

On my last day at that job, my manager took me aside near the end of the day and said he was going to miss me. He said that he liked that I did the big things, and the little things. He’s one of the few managers I’ve worked for who noticed I do a lot of little things, and I’m not sure if he understood my motivation for that. But more than anything else, defense in depth is about finding little things that don’t cost a lot but make a difference. One analogy from baseball really fits here. The biggest thing you can do on the baseball field is to hit a grand slam home run–a home run with three people on base. But someone can’t hit a grand slam unless three teammates do something small first.

People, process and technology

Effective defense in depth is as much about having the right people as anything else. Get people who understand the technology you use, whether that means getting specialized training and certification for the people you have, or hiring someone who really knows the ins and outs of that technology. Then go and look for one or more creative problem solvers. These are interdisciplinary people who can look at a situation and see something nobody else noticed. Have those specialists build the foundational things, and those creative problem solvers connect those things together to build a whole that’s greater than the sum of its parts, and you’ll have defense in depth.
