What it takes to develop defense in depth

The threat of increasingly sophisticated attacks against computer networks and systems is a recognized issue in the information security industry, as is the growing presence of attackers who are motivated by political, social, religious or economic issues.

The need for stronger defenses against attacks that contain multiple exploits is well understood by corporate security organizations, which are constantly looking at countermeasures to improve their defensive capabilities.

Since the introduction of antivirus software, firewalls and intrusion-detection software, the term "defense in depth" has been used as a label for a multilayered security architecture that involves the deployment of these technologies. The idea is to combine technology components with good security management practices to form layers of protection that will reduce the risk of attack or intrusion.

Defense in depth should be thought of not as a set of independent steps to be executed separately, but as a series of related and overlapping technical and nontechnical security measures that, when strategically deployed together, have a greater effect than their individual components.

What's involved

To establish the components part, you will need to take these steps:

Bob McKee is an independent security consultant in East Longmeadow, Mass.
Bob McKee is an independent security consultant in East Longmeadow, Mass. He is a former director of corporate information security for The Hartford. He can be reached at bmckee2@aol.com.

Photo Credit: John Soares

  • Set up a team: Start with a team of experienced security professionals, perhaps led by a chief information security officer, to be the architects of a defense-in-depth strategy.
  • Established policies: Have a set of well-communicated policies that clearly define acceptable use of corporate computer resources and that promote user understanding of the potential threats to the safety of information assets.

  • Training: Ongoing training of those who will be first responders when and if an incident takes place is essential.

The most expensive and complex component involves building a security infrastructure and regularly evaluating its ability to deal with incidents through the following means:

  • Prevention: Manage identities through strong user authentication, authorization and access control; configuration (patch) management; and regular assessments to identify vulnerabilities.
  • Detection: Identify threats using up-to-date antivirus software, properly configured firewalls, intrusion-detection software, activity-log monitoring and intelligence gathering.
  • Reaction/response: Activate a corporate incident-response team to isolate and contain incidents and use forensic tools for evidence handling.

Keeping pace with the growing volume and complexity of threats to the safety of sensitive information means examining the effectiveness of a security architecture at regular intervals. To that end, software products have been introduced that are designed to manage user identities, detect and prevent attacks, and facilitate activity log management. These products are surfacing from a long list of software companies, some of which are new to the security market and many of which are well-established technology vendors. They include offerings under the generic label "identity management," which provide a centralized approach to security administration — including the authorization and authentication of users — and help manage the life cycle of subject and object relationships.

Also emerging is intrusion-prevention software or host protection "from the inside out," which provides active attack detection and prevention by allowing an organization to establish its own rules for acceptable application behavior. This is a significant improvement over traditional intrusion-detection software, which is passive in nature and intended to detect only specified attack types. Finally, security information management tools are being developed to provide automation for the difficult and labor-intensive task of managing activity logs from multiple security devices.

A pragmatic approach to the installation of new technology is an important factor in the success of a defense in depth. Although the need for improvements in user identification, incident detection/prevention and device management is clear, new security technologies being introduced (see chart) must be carefully studied to determine if they function as advertised and actually have the capabilities necessary to make a difference.

There is another selling point to consider when examining these products: the potential return on investment. The return may include reduction or containment of administrative costs or the more effective use of valuable security resources by automating time-consuming routine procedures. In the end, the capability of any new technology to improve a corporate defense in depth will be greatly appreciated by IT security shops looking to keep up with advances in computer exploits.

Building an effective defensive strategy is no guarantee that an organization won't be attacked. On the contrary, deploying defense-in-depth components is an acknowledgement that intrusions and attacks are inevitable; the strategy is to make their success as difficult as possible. Surveys have repeatedly shown that the number and complexity of electronic incidents are growing rapidly and becoming increasingly costly to their victims. In addition to those who want to access, steal or destroy information for the sport of it, individuals and organizations that are highly motivated by the political, social and economic issues of the day are using computers with increased frequency to accomplish their disruptive or destructive goals.

To those who are responsible for protecting the confidentiality, integrity and availability of information, concerns about safe computing won't diminish anytime soon. Security breaches will become even more difficult to address over time, making information asset protection through a proactive defense-in-depth strategy a critical success factor for many corporations. A successful strategy will continue to be dependent upon factors such as how sensitive management is to threats, the mix of components that are chosen for installation, and how effectively the steps in the process are monitored, re-evaluated and executed.

By combining protection, detection and reaction into a single strategy, the likelihood of experiencing costly downtime or public embarrassment can be greatly reduced.

Finally, the presence of a well-constructed defense-in-depth strategy is an indicator that corporate management is assigning a high priority to the protection of its information assets and practicing due diligence.


Emerging Security Technologies

The security technology market is crowded with products offering capabilities designed to provide a better defense in depth. Categories of new technologies include the following:


Mechanisms to better identify an entity, provision user access and manage the life cycle of a subject or object.


Offers new approaches to protecting system resources by improving the identification and prevention of attacks from inside or outside the enterprise; new rules can be established for the behavior of applications; based upon corporate security policy.


Automating the collection and analysis of information from security systems and devices across the enterprise by using a central management console to correlate events and produce reports.

Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon