If you ask an ordinary person about information security, they’ll probably talk to you about endpoints. Most people are aware of virus scanners for notebooks or PCs, and may have encountered some kind of mobile device management on a work-provided phone. These endpoint solutions naturally come to mind if someone mentions cyber security. However, this is backward from the way that infosec professionals think about the issue.
Someone who works in infosec will tell you that the endpoint should be the absolute last line of defense. If a virus scanner finds malware on your work notebook, the malware should have had to defeat a long list of other security precautions in order to get that far. This layered approach to security is known as defense in depth.
The term “defense in depth” originally was applied to military strategy. It described the practice of trying to slow an enemy down, disperse their attack, and cause casualties, rather than trying to stop their attack at a single, heavily fortified point. The enemy might breach the first layer of defenses, but would find additional layers beyond. While they struggled to advance, they could be surrounded and then counter-attacked.
Infosec in Depth
The information security version of defense in depth makes similar use of many layers of protection. A determined hacker can get past a firewall, but there should be additional measures in place to detect the intrusion and limit the damage that the attacker can cause. These might include authentication, the use of VPNs, encryption, intrusion detection, microsegmentation, and SIEM—just to name a few.
Different organizations will use different combinations of defenses according to their particular needs. However, you’ll note that almost all of these security solutions are network-based. Networking is a vital part of security, and of defense in depth in particular.
The tools required to set up and maintain a network perform some of the same tasks that are required for good security. Networking tools inspect packets and log traffic. Secure network design isolates the most important parts of the network and limits access to different network resources.
In an ideal world, security products and networking products will share information, resulting in stronger network defenses. A SIEM solution, for example, might ingest information from logs and traffic monitoring tools, and—if an issue is found—use a helpdesk app to alert IT staff to a problem. In a highly automated environment, certain kinds of alerts can even trigger particular actions: disabling a port, powering off a system, blocking a set of credentials, or whatever other measure might be required to contain a potential threat until a human can investigate.
However, there can be obstacles to implementing this in practice. These kinds of network security solutions require interoperability; they don’t work unless all of the products involved can talk to each other. There are several options here.
You could try to buy only products from a single vendor, but this will be difficult. Only a few large vendors have a full suite of both networking and security products. These tend to be expensive. And a single-vendor solution limits your options for growth; your network can only evolve if the vendor has a product that will enable what you want to do later down the road.
You can try to buy products from different vendors, but you’ll have to ensure that they’ll all integrate with each other. This is certainly possible, though it requires a lot of research. This type of defense in depth strategy is potentially vulnerable if partnerships between vendors change, or if a vendor stops supporting a particular integration with another vendor’s product. At least, this is the case if the vendors involved use proprietary code.
The scenario changes if networking and security vendors have all committed to open standards. When this is the case, vendors design and test their products for maximum compatibility. There’s no need to commit to products from only a single vendor. There’s no need to worry about whether your future data center investments will work with your existing infrastructure.
The Open Advantage
If a particular integration between products does not yet exist, you don’t need to wait for a vendor to create it. The open source community may have already done so. If not, with access to the relevant APIs, it’s perfectly possible to create your own scripts to connect and automate network defenses.
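The two ideas above, a SIEM-style alert that triggers a containment action (blocking a credential, isolating a system, opening a ticket) and a home-grown script that glues that logic to a product's API, can be shown together in a small worked example. This is an added illustration, not Cumulus Networks code and not any vendor's API: the log lines, hostnames and addresses are constructed, and the DryRunConnector stands in for whatever real API client (firewall, switch management, helpdesk) you would call in practice. The correlation rule flags a credential spray: repeated failures for one user from one source across several hosts within a short window, followed by a success.

```python
"""Toy SIEM-style correlation with a pluggable response connector.
Added example; not Cumulus Networks code. All hosts, IPs, log lines and the
connector interface are constructed for illustration only."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: syslog-style SSH auth events from two switches and one server.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 leaf01 sshd[1201]: Failed password for admin from 10.0.0.50 port 51122 ssh2
2024-05-01T10:00:04 leaf01 sshd[1201]: Failed password for admin from 10.0.0.50 port 51123 ssh2
2024-05-01T10:00:09 leaf02 sshd[2210]: Failed password for admin from 10.0.0.50 port 51130 ssh2
2024-05-01T10:00:15 app01 sshd[3300]: Failed password for admin from 10.0.0.50 port 51140 ssh2
2024-05-01T10:00:20 leaf02 sshd[2211]: Accepted password for admin from 10.0.0.50 port 51150 ssh2
2024-05-01T10:30:00 leaf01 sshd[1300]: Failed password for ops from 10.0.0.77 port 40001 ssh2
2024-05-01T10:31:00 leaf01 lldpd[900]: LLDP neighbor changed on swp3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    result: str
    user: str
    src: str


def parse_events(text):
    """Extract SSH auth events; lines that do not match (e.g. LLDP) are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]), m["host"],
                                    m["result"], m["user"], m["src"]))
    return events


def detect_spray(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failures for one (src, user) across two or more
    hosts inside `window`. A later success for the same pair is recorded as the
    host that now holds a session under a likely compromised credential."""
    findings = []
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.src, e.user)].append(e)
    for (src, user), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        failures = [e for e in evs if e.result == "Failed"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e.ts - first.ts <= window]
            hosts = {e.host for e in burst}
            if len(burst) >= threshold and len(hosts) >= 2:
                last_fail = burst[-1].ts
                success = next((e for e in evs if e.result == "Accepted"
                                and e.ts >= last_fail), None)
                findings.append({"src": src, "user": user, "hosts": hosts,
                                 "first_seen": first.ts.isoformat(),
                                 "success_host": success.host if success else None})
                break  # one finding per (src, user) pair
    return findings


def plan_actions(finding):
    """Map a finding to containment steps; these are the kinds of actions an
    automated pipeline would hand to product APIs, plus a ticket for a human."""
    actions = [("block_credential", finding["user"]),
               ("block_source", finding["src"])]
    if finding["success_host"]:
        actions.append(("isolate_host", finding["success_host"]))
    actions.append(("open_ticket",
                    f"Credential spray from {finding['src']} as {finding['user']}"))
    return actions


class DryRunConnector:
    """Hypothetical stand-in for a vendor API client: records each action it is
    asked to perform instead of calling a real firewall, switch or helpdesk."""
    def __init__(self):
        self.calls = []

    def apply(self, action):
        self.calls.append(action)
        return True


def respond(findings, connector):
    """Dispatch every planned action through the connector; returns (action, ok) pairs."""
    return [(a, connector.apply(a)) for f in findings for a in plan_actions(f)]


if __name__ == "__main__":
    conn = DryRunConnector()
    for action, ok in respond(detect_spray(parse_events(SAMPLE_LOGS)), conn):
        print(action, "ok" if ok else "failed")
```

Swapping DryRunConnector for a thin wrapper around a real product's API is the only change needed to turn this into a live responder, which is the point of L14: with open, documented APIs the integration is a short script you control rather than a vendor partnership you depend on. Keeping the rule, the action plan and the connector separate also makes each one testable on its own.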
Information security is a complex and rapidly evolving field. No one solution will do everything. Good security practice requires solutions from multiple vendors working in concert. Interoperability and integration become vital.
Cumulus Networks recognizes the need for open standards as a part of defense in depth: layers of technologies, techniques, best practices, and incident response woven together into the tapestry of everyday operations.