Defense-in-Concert: Moving Beyond Defense-in-DepthDefensive cybersecurity strategies must evolve to meet the complexities of an evolving threat landscape By: Jon Ramsey
Every organization, when developing a strategy to defend against online threats, fundamentally comes down to evaluating how to best minimize risk with finite resources. Over the past 20 years, defense-in-depth – using multiple layers of security controls to slow down attackers – has been an instrumental approach to risk mitigation. When we see a new threat tactic, the security industry responds with a new product to protect against it, thereby adding another layer of protection. But with hundreds of tactics and an increasingly complex threat landscape, is adding a new layer for each new threat the most effective use of resources?
To quote, arguable one of the smartest people in the security field, Dan Geer, "If you want to reduce your risk by half, you have to double your cost." As new threat tactics surface, you have to ask what is the risk reduced per dollar spent for adding the new layer. Knowing the new tactic could compromise your security, applying defense-in-depth principles, you would likely deploy the new product. But is it really worth it? If you're adding a fourth layer or a tenth layer or even a 40th layer, historically, it's been the industry standard approach. On average, the 150 largest SecureWorks clients have 78 controls in place, but once you're adding an 80th layer – which is not uncommon – the law of diminishing returns applies. The amount of risk reduced is less than the amount of significant investment needed for more layers.
Defense-in-Depth to Defense-in-Concert
Defense-in-depth has been a great strategy, but now we need a new methodology. Instead of adding another layer as a way of responding to new tactics, we need to drive collaboration and contextualize what's happening within the infrastructure between the layers and let that context inform the action. That is defense-in-concert. You can buy new layers of defense, but that strategy becomes cost-prohibitive as new threats surface. By adopting a defense-in-concert strategy, you more efficiently apply your resources to garner more effective outcomes.
Think about today's security marketplace and the challenges organizations face to stay ahead of evolving threats. With a defense-in-depth approach, there's a tradeoff that has to be made. Organizations must determine if they are better protected buying a suite of products from one vendor whose layers are collaborating with one another or buying best of breed products (endpoint, data security, application security, cloud, etc.) from different vendors, sacrificing collaboration.
What you really want and what the market needs is the best-of-breed that's also collaborating. Our job is to be able to get to defense-in-concert and allow for contextualization and collaboration value while letting the market choose the best-of-breed technologies amongst those layers. Being vendor agnostic lets clients use the technologies with which they've already invested and get the value out of them. Businesses can choose the technologies they want and implement a defense-in-concert strategy without having to sacrifice capabilities of a particular layer.
Orchestration is About the Playbook, Not the Plumbing
Automation is important to contextualizing the collaboration between security layers, but it's also worth noting that successful orchestration isn't just about the ability to automate an action. It's about understanding what actions need to be taken and what the effective gain-loss analysis is of that action. What I mean is automation is great, but if you're not careful, you can break a lot of things automatically really quickly.
So when you're going to take an action across the infrastructure, first you want confidence that the action isn't going to cause any negative, unintended consequences. Second, if you're taking an action because of a security event, you want it to be effective, and that can require validating what's actually happening. By collecting all of the contextualized information and synthesizing it to understand what is occurring, you'll be in a better position to take an action rooted in ground truth – what we can observe – instead of relying on inferences.
Security Needs to Speak the Same Language
Let's assume the plumbing is in place and that all the security layers from different vendors can communicate with one another. The challenge then becomes aligning the semantics and interpretations from each vendor to determine what the next action should be. Contextualization is important, but precision, timeliness and fidelity are also fundamental. If your endpoint vendor tells the network it has detected an instance of ransomware, is it making the right call? Could it be a false positive? If it has correctly detected ransomware, while that may be interesting, that alone does not provide enough details to inform an action. But if it tells you what version of Cryptolocker it has detected, then you might know what action to take.
What makes this even more complicated is that the security industry has never had any kind of standardization in terms of taxonomy. Vendors use different naming conventions for malware families and threat actor groups, so if security layers from different vendors are to communicate and collaborate, we need to establish a common taxonomy, map it, and share it so that there is industry-wide consistency. Because we integrate with, monitor, and manage numerous third-party products, we understand the nuances of the different naming conventions currently in use. While one malware group may have different names used by different vendors, we can treat it as one entity using our mapping system.
The industry does not currently use a shared naming system, and if we continue using incongruous language, the message gets lost in translation. Secureworks uses an internal taxonomy to map threats so that the message can clearly inform the necessary action.
Taking the Next Step in Security across the Ecosystem
Looking at the complexities of the threat landscape, malicious tactics are outpacing the efficacy of defense-in-depth. Building more walls is an unsustainable strategy that cannot meet evolving security challenges businesses face. Instead, organizations need to adopt strategies that optimize their resources and focus on rapid, accurate detection and response. As an industry, we need to ensure that we're creating an environment where layers of security can communicate in a way that can be consistently understood and interpreted and that provides the context, timeliness, and precision to drive the most effective actions to protect and defend.