Over the last six months or so I’ve read a few articles concerning the demise of defense in depth. I’ve also conversed with a few of my peers at organizations where management seems to be forgoing defense in depth for a Hunter\Killer model of defense.
I say “A hunter\killer defense sounds really cool!” and then ask questions like “How is it done?” and “How do you know when you have caught something?” These questions are usually followed by a lot of blank stares and shrugging of shoulders; sometimes an answer of “We just search continuously” gets offered up.
This reminds me of the scene from The Matrix where Neo asks if they always watch the Matrix encoded.
“Neo: Is that…
Cypher: The Matrix? Yeah.
Neo: Do you always look at it encoded?
Cypher: Well you have to. The image translators work for the construct program. But there’s way too much information to decode the Matrix. You get used to it. I…I don’t even see the code. All I see is blonde, brunette, red-head. Hey, you a… want a drink?”
Yes, yes I do want a drink, and I’m going to need one. As Cypher says, “there’s way too much information to decode,” and his statement applies to almost every computer and network system built over the last 30 years.
It’s why we invented computers in the first place: to turn data into information so we can make an informed decision. However, by abandoning defense in depth for a hunter\killer model you remove your computational advantage over the influx of data.
This leaves your hunter\killer defenders with an insurmountable task and very limited resources. They also need exceptional knowledge in areas such as attack vectors, theory of mind and adaptive malware, not to mention flawless knowledge of the network they are trying to defend. Hunter\killers are just not going to be effective.
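To make the “computational advantage” point concrete, here is an added example that is not part of the original post: a toy correlation step that takes raw events from several defensive layers (firewall, IDS, anti-virus) and hands a hunter only the hosts that more than one layer has flagged. The log lines, the layer names and the two-layer threshold are constructed for the illustration.

```python
"""Added example (not from the original post): a toy correlation engine that
turns raw events from several defensive layers into a short list of hosts
worth a hunter's time. Log lines and thresholds below are constructed."""
from collections import defaultdict

# Constructed sample events from three independent layers: perimeter firewall,
# network IDS, and endpoint anti-virus. Format: "<layer> <host> <detail>".
SAMPLE_EVENTS = [
    "firewall 10.0.1.5 DENY outbound tcp/4444",
    "firewall 10.0.1.5 DENY outbound tcp/4444",
    "firewall 10.0.2.9 DENY outbound tcp/445",
    "ids 10.0.1.5 ET MALWARE beacon pattern",
    "av 10.0.1.5 quarantined suspicious.exe",
    "av 10.0.3.3 quarantined adware.dll",
    "firewall 10.0.4.1 DENY outbound udp/53",
    "ids 10.0.2.9 SMB scan",
]


def parse_event(line):
    """Split a constructed log line into (layer, host, detail); None if malformed."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    layer, host, detail = parts
    return layer, host, detail


def correlate(lines, min_layers=2):
    """Return {host: sorted list of layers} for hosts flagged by at least
    `min_layers` distinct defensive layers. Hosts seen by only one layer are
    dropped as noise; this reduction is the data-to-information step that
    layered, automated controls provide and a search-only team lacks."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        layer, host, _ = parsed
        seen[host].add(layer)
    return {h: sorted(ls) for h, ls in seen.items() if len(ls) >= min_layers}


def triage_queue(lines, min_layers=2):
    """Order correlated hosts by how many layers fired, most first, then by host."""
    hits = correlate(lines, min_layers)
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    queue = triage_queue(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} raw events -> {len(queue)} hosts for hunters")
    for host, layers in queue:
        print(host, layers)
```

Eight raw events collapse to two hosts, with the host that tripped all three layers at the top of the queue. Each layer on its own produces data; the automation across layers produces the information a hunter can actually act on.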
If you ask a layman what defense in depth looks like at your average company, they will answer with firewalls, IDS/IPS, anti-virus and user access controls, an answer I would applaud as a great start to defense in depth. I would also add to that list vulnerability management, network segmentation, network access controls, encryption, end user training, hunter\killers, and the list goes on and on.
If we take a look at the new NISTIR 7621 Small Business Information Security: The Fundamentals, it has discipline areas named Identify, Protect, Detect, Respond and Recover. It is literally a defense in depth how-to guide.
This guide and the ideas put forth in it are designed to help you and your team understand your environment and your risk. Only after that has been completed can you effectively tailor your defense in depth program to suit your business needs. You will need a robust security program with people, processes and systems in place before you can start your hunter\killer program.