‘Silver Bullets’ versus Defense in Depth

Jason Soroko

I am privileged to speak with a lot of organizations that are architecting their security infrastructure. Some of them have purchased a security point solution and honestly believe that they are now “secure.”

If you spend time walking through the vendor halls at security conferences you will get a good sense for the sheer number of security technologies available. I have a lot of respect for the people and technologies that are in the industry; the problem we are trying to solve is not easy.

What all good vendors agree upon is that there is no silver bullet in security. In other words, there isn’t a single security solution or vendor that will protect an organization from every attack vector. When I’m speaking to a security architect that has purchased a security point solution and is ready to put their feet up onto their desk and declare “mission accomplished,” I have to question how secure that organization is.

Security governance and security culture are as important as the solutions. It’s too easy to get lost in the weeds of the technology and forget that it’s ultimately people that are using tools. Automation tools in their current state are meant to help make things a bit easier for the people using technology. Anyone claiming full automation for defense has not been able to convince me.

If you have been keeping track of recent information coming out of breach investigations you might notice that monitoring tools and malware detection technologies have done their job to spit out alerts during an attack. What is troubling is the response to those alerts. Monitoring tools issued so many warnings that defenders simply ignored them as noise. Real alerts were wrongly assumed to be false positives. Malware detection tools issued warnings, but this did not lead to an effective defense — and for reasons still unclear.

Perimeter defenses can be breached with social engineering. Even when preventative technologies such as monitoring tools and malware detection issue a legitimate alert, effective incident response has often been ineffective. Defenses are not automated. Once the alarms go off, effective incident-handling is not easy and requires planning.

Even with layers of defense, many recently reported breaches were successful. Not only is a single security point solution insufficient, but even with layered technology criminal groups are still hitting their targets.

Remember, an attack is never just a single step by an attacker. I still meet people responsible for security who believe that they are defending against a single, blunt-strike attack and as long as they implement a single piece of thick armor enough, they have done their job. This analogy simply does not work in cyberdefense.

The attackers have a deep pipeline of technologies that they will use in their next generation of attacks. Assume an attacker gets past your perimeter. Your preventative measures take time to eradicate with incident-handling.

What have you done to protect your identities? Have you implemented multifactor authentication, or is the attacker stealing your usernames and passwords with a key-logger? Have you protected your critical transactions from session-riding attacks? This kind of thinking leads to real defense in depth rather than ineffective defensive architectures.

Jason Soroko
Jason Soroko
Manager, Security Technologies

Soroko has spent 17 years in systems architecture and development roles in diverse industries with an emphasis on security. As the threat landscape becomes more advanced, the need for Entrust to understand evolving threats requires deep and dedicated thinking in security concepts. Soroko's thought-leadership in security is rooted in connecting the threat perspective to how systems work as a whole. He frequents security conferences and publishes on important security topics.


Add to the Conversation