No single defense is impenetrable and no information security strategy is complete without incorporating the concept of defense-in-depth. Defense-in-depth is far from a new idea. The familiar medieval castle epitomizes the application of defense-in-depth through its multiple layers of defense. The classic castle's defenses begin with its location on a hill cleared of trees, which offers early detection of attackers and the advantage of higher ground. Even if an attacker survived the downpour of various missiles, crossed the moat and broke through the gate, he still faced more defenses, finding himself in a narrow, winding passageway being defended against on both sides and from above.
Defense isn't as simple for corporations defending their information assets today. While a castle had the luxury of one entry point, business networks are becoming more and more porous as they add connections with suppliers, service provides and customers. And there are more infection vectors than just a few years ago. In the early nineties, network security was basically a matter of defending against packet-level attacks - and firewalls were glorified routers. Now your internal resources can be compromised through buffer overflows, SQL injection, malicious Web pages, active email content, wirelessly, and by phishing - to name just a few.
Any Control Can Be Compromised
In such a dynamic, complex threatscape any control (such as an antivirus product) can be compromised given the right circumstances. For instance, a new attack vector (such as instant messaging) comes along that bypasses a classic antivirus product check. A single PC is added to the network that doesn't have the organization's antivirus software installed. A crucial virus signature update comes out late or isn't deployed to a branch office. Your antivirus engine fails to detect a virus or the antivirus provider deploys a defective update that crashes your antivirus software. All of these are events that happen in the real world.
In today's environment, it's more important than ever, therefore, to position multiple controls against each risk. Continuing with the above example, let's look at how you can use a combination of controls to form a comprehensive defense-in-depth posture against viruses and other malware. With malware, your initial defense would consist of antivirus software positioned against the most commonly used vectors or entry points (e.g., email, instant messaging, Internet browsing by internal users). This means installing antivirus technology on gateway SMTP servers that process the incoming email stream, as well as installing antivirus software on firewalls or in-line with the route that end-user Web page and file downloads take. Instant message security is less mature than email and Web security solutions and the problem is a bit more complicated because of the proliferation of IM services and the fact that IM clients are designed to circumvent gateway controls. Never-the-less, solutions on the market allow you to herd internal and external IM messages through a single choke point at which you can implement antivirus technology in addition to other IM security functions.
But email, Web browsing and IM aren't the only vectors through which malware propagates. To name just a few, there's the problem of removable media ranging from floppies to CDs, USB and flash drives or from PCs of mobile users that connect directly to the Internet without the benefit or your corporate firewall and IM security solution. You can't hope to cover every possible route of virus propagation with vector-specific controls. Every organization ends up with shielded vectors and other open vectors that don't have preventive control.
Putting Defense-in-Depth into Play
What if a malware makes it past your perimeter defenses because of direct failure of vector-based control or through an unprotected vector? This is where defense-in-depth comes into play. In medieval times, castle defenders were primarily concerned with 360 degrees of attack along the plane of the surrounding land. While defensive controls began far outside the castle, they became increasingly stronger as you got closer to the center of the castle - until you finally reached the castle keep, which was a castle within a castle. If you picture defensive controls as concentric circles around the point being defended, it becomes evident why this approach was used; the further you move out from the point of defense, you require more and more resources to implement a defense that blocks all 360 degrees of attack.
The multiple virus defenses discussed so far (email, Web and IM) provide width but no depth. A given infected file is only challenged at most by one of the antivirus controls according to the vector through which the file arrives. While defense-in-width is important you can't hope to block every risk at the physical or logical perimeter of your network. Therefore, you block the easiest or most frequently exploited vectors of infection and then implement a deeper ring of controls. Your second layer of defense can be a combination of detective, remediating and more preventive controls. As an example of a detective controls, many antivirus solutions provide in-line file scanning in which the software inserts itself between applications and the file system scans each file opened by an application before the application is allowed to open it. If the antivirus solution also quarantines or repairs the file, it becomes a remedial solution as well. If in-line file scanning slows users or processes too much, you may have to revert to doing a regular scan of server and workstation volumes and other file stores (e.g., Sharepoint) during periods of low activity.
You can also implement another layer of preventive controls by enabling host-based firewalls, making file modification permissions as strict as possible and eliminating or limiting access to share folders. All such measures make it more difficult for a virus or worm to find additional files or systems to infect. Other detective controls that you can implement range from the sophisticated to the simple-yet-effective. For instance, intrusion detection and prevention systems monitor traffic on the network to look for viruses and worms. Such systems tend to be expensive and rely on a database of known attacks, which needs constant updates. And such packet analysis is subject to dropped packets and faulty reconstruction of data flows. On the other hand, you can set up honeypot folders of bait files that intentionally have lax file modification permissions. Then implement a process that catches modifications to these files. Since these are simply bait files, any attempt to modify them should be considered possible evidence of a malware outbreak.
As you can see, defense-in-depth is an effective way to deal with the multi-vector, increasingly risky environment we face with today's information systems. Make sure that your controls build depth as opposed to width (e.g., adjacent controls arrayed against different vectors). Don't limit your perspective to the physical realm, thinking only in terms of physical network and system boundaries. Unlike a castle architect concerned with protecting a single point, you have multiple points to protect in the form of each computer, application, datastore and process. To verify that you have real defense-in-depth, you should be able to take a given threat and a given asset and find more than one control that protects that asset from the selected risk.
