Welcome back to our discussion on the new information security triad. The first two parts, visibility and accountability, were covered in previous blogs. Today, we touch on the final piece – defense-in-depth.
With the other two pieces of our triad taken care of, you can answer the questions "what happened?" and "who is responsible?" So what's next?
Defense in depth means putting together policies and processes for data security. It means putting controls in place to protect and monitor the network, and to provide another level of protection; putting in controls to back up other controls; reviewing the activity and performance of these controls; and monitoring the review process to make sure it's being performed.
It means you watch the watchers - both the technical and human – and back up controls with other controls. Let's walk through an example.
IDENTITY AND ACCESS MANAGEMENT
Of course you have policies and detailed procedures in place and specific staff tasked with this function. We'll just make that assumption.
- We start with a formal, trackable request mechanism, such as an IAM tool or ticketing system.
- Is someone outside IaM spot checking to make sure accountability for the access changes is maintained, proper approval was provided, and all changes track back to a request?
- Now your IaM staff member adds IDs and grants access.
- You are collecting these logs, right? Can your SIEM tool alert if someone outside the assigned staff grants access? Great!!!
- And again, doing spot checks or audits to make sure the access was granted as requested and per policy. And again checking that the right staff is making the changes.
- Regular employment verification and continuing business need reviews. This puts the accountability back on the approving managers. And helps clean up AD.
Woo, that's a lot of work. Glad that's over, right? But is it? Have we achieved the correct depth? Who's watching the watchers? Where is the verification that all these checks and reviews were actually performed as needed? Was that process trackable? Where is that accountability? It's not nice to find out there was a lapse in this area by getting a call from a three letter agency.
Let's look at another common example.
- Of course you have anti-virus installed wherever appropriate.
- Do you have a process or dashboard in place to track compliance with signature updates and scan requirements? Is someone monitoring this? Is it a regularly scheduled process? Is the person monitoring accountable for the review (maybe by tracking the activity)? Is someone monitoring the monitor?
- And of course you have a response plan for in infections and failed updates / scans in place.
- Is staff assigned and accountable? Do they keep track of events and responses (or the decision not to respond)? And again, reviewing the tracking data, and reviewing the review of the tracking data.
- Now you put in another layer of defense, IDS / IPS.
- Are the logs being maintained? Is someone reviewing them or are they sent to SIEM or MSS? And so on. Do you see a pattern here?
- What other defense in depth is possible?
- File integrity monitoring, at least of critical files?
- Outbound traffic restrictions? (for example, can your servers reach the internet on ports 80 and 443? Do they need to? Makes it easy for them to reach a malicious Command and Control (C&C) server. And can anyone change their DNS to 184.108.40.206? I know, you don't let end users change that value. But wouldn't a defense in depth (block DNS traffic at the perimeter except from internal DNS servers) provide another level of comfort?
- Web filtering? Well managed and monitored web filtering?
In my world, I ask these types of questions, and I'm often worried about the safety of my own data when I hear the answers.
Visibility, Accountability and Defense-in-Depth.
It's a triad that can be hard to achieve. It takes effort, vigilance, skill, and most of all, support from the top. But organizations need to find a way. Or the public can resort to torches and pitchforks. You decide.
And if you think of a good acronym, let me know.