Skip the navigation

What it takes to develop defense in depth

By Bob McKee
February 4, 2003 12:00 PM ET

Computerworld - The threat of increasingly sophisticated attacks against computer networks and systems is a recognized issue in the information security industry, as is the growing presence of attackers who are motivated by political, social, religious or economic issues.


The need for stronger defenses against attacks that contain multiple exploits is well understood by corporate security organizations, which are constantly looking at countermeasures to improve their defensive capabilities.


Since the introduction of antivirus software, firewalls and intrusion-detection software, the term "defense in depth" has been used as a label for a multilayered security architecture that involves the deployment of these technologies. The idea is to combine technology components with good security management practices to form layers of protection that will reduce the risk of attack or intrusion.


Defense in depth should be thought of not as a set of independent steps to be executed separately, but as a series of related and overlapping technical and nontechnical security measures that, when strategically deployed together, have a greater effect than their individual components.


What's involved


To establish the components part, you will need to take these steps:












Bob McKee is an independent security consultant in East Longmeadow, Mass.
Bob McKee is an independent security consultant in East Longmeadow, Mass. He is a former director of corporate information security for The Hartford. He can be reached at bmckee2@aol.com.
Photo Credit: John Soares

  • Set up a team: Start with a team of experienced security professionals, perhaps led by a chief information security officer, to be the architects of a defense-in-depth strategy.


  • Established policies: Have a set of well-communicated policies that clearly define acceptable use of corporate computer resources and that promote user understanding of the potential threats to the safety of information assets.


  • Training: Ongoing training of those who will be first responders when and if an incident takes place is essential.


The most expensive and complex component involves building a security infrastructure and regularly evaluating its ability to deal with incidents through the following means:


  • Prevention: Manage identities through strong user authentication, authorization and access control; configuration (patch) management; and regular assessments to identify vulnerabilities.


  • Detection: Identify threats using up-to-date antivirus software, properly configured firewalls, intrusion-detection software, activity-log monitoring and intelligence gathering.


  • Reaction/response: Activate a corporate incident-response team to isolate and contain incidents and use forensic tools for evidence handling.


Keeping pace with the growing volume and complexity of threats to the safety of sensitive information means examining the effectiveness of a security architecture at regular intervals. To that end, software products have been introduced that are designed to manage user identities, detect and prevent attacks, and facilitate activity log management. These products are surfacing from a long list of software companies, some of which are new to the security market and many of which are well-established technology vendors. They include offerings under the generic label "identity management," which provide a centralized approach to security administration — including the authorization and authentication of users — and help manage the life cycle of subject and object relationships.