SecurityWeek

Management & Strategy

Chainmail: A Great Model for a Solid Security Strategy

Chainmail is Composed of Several Layers, as Should Your Security Strategy.

Everyone has heard of the “layered” security approach, yet very few security professionals seem to fully appreciate what is actually meant by it, or know how to go about designing such a strategy. The conventional view resembles an ice cream sandwich: each layer piled on top of the other, providing a thick pillow of protection that a would-be information assassin has to fully penetrate in order to do any harm.

Yet this model entirely misses the point of a layered security strategy, which is that the security mechanisms interlock and grip one another. The strategy is designed so that each mechanism supports, complements and strengthens the others, forming an inter-related security ecosystem in which the whole is stronger than any single part.

An ardent student of warfare will find that a better analogy for a holistic security strategy is chainmail. Chainmail is not just a one-layered, one-dimensional collection of steel rings. The mail is actually composed of several layers of steel-ring cloth, interlocked not just across its width and length, but also through several layers in depth. That is where chainmail derives its strength, and so should any well-designed defensive security strategy.

Currently, security architecture design is approached the way a housewife of Orange County approaches style: shop, shop, shop, and accessorize. Then, in a few years, go back to the store, or under the knife, for another upgrade or style change.

Applied to fashion and popularity, this method works wonderfully; applied to information security, however, hackers are not halted by good color sense. The expectation is that somehow, via magic, divine animation, or the more scientific wonder of emergent self-organization, this colorful mix of off-the-shelf products will provide a panacea for all known security ills.

Yet somehow, against all hope and wishing, each security solution added to the mix just creates additional management and maintenance overhead, adds further requirements and idiosyncrasies, and results in yet another tangled layer of complexity.

Many of these solutions can perform marvelous specialist feats, but used in a vacuum they can easily be bypassed by a skilled infiltrator. Placed haphazardly, without due consideration and proper understanding of how they interact, they can even open the very gaps in your defense that they were intended to plug.

Much like ceremonial armor, the end result may look impressive and imposing in a parade, but when mauled with a mace, a battleaxe, or even Nmap on the digital battlefield, it will yield and cave like tinplate covered in gold foil.


Speaking from my own field of expertise, vulnerability management and assessment, the solutions and methodologies currently dominating the market and recommended by most vendors and consultants illustrate this lack of understanding of how to design and implement an effective, layered, chainmail-like strategy.

Patch, inventory and vulnerability management, vulnerability assessment and, erroneously, penetration testing are all executed by the same tool set, preferably in the same workflow, and if possible fully automated. At first glance this sounds very intuitive and attractive; pragmatism and efficiency always do. But it misses the simple fact that the purpose of the exercise is to actually provide security, and a single consolidated tool chain does so only marginally: whatever the one tool cannot see, no later phase will see either.

In a chainmail security strategy, each of these phases serves a specific purpose, and they should not be aggregated and executed using the same process and tool chain.

Inventory and patch management are the first ring of the chainmail. These tasks should be undertaken and managed by an engineering, operations, or IT team, whoever manages and maintains your systems and infrastructure on a day-to-day basis. They are not really a security function; treating them as one causes friction between the different teams in your organization, wastes the time of your expensive analysts, and dilutes their impact.

Vulnerability assessment is the next ring, and serves to assess the effectiveness and success of the patch and inventory management process. It is intended to confirm that every asset has been configured as required from a security perspective, and that all relevant and necessary patches have been successfully applied. It should not be done using the same toolset, or in the same sweep, just as you cannot sieve sand more finely by running it through the same gauge twice: a scanner that relies on the inventory's own data will faithfully repeat the inventory's mistakes. The security team should work together with the stakeholders in charge of patch and inventory management, pointing out what was missed, and where to prioritize their efforts when resources are too tight to resolve everything at once. This already provides a two-layer failsafe mechanism.

Penetration testing provides the next layer of the chainmail, serving as a further set of eyes and validation, double-checking your entire security posture to see whether anything was missed in the first phases and hopefully catching any loose ends. More than likely there are blind spots missed by whatever commercial do-it-all product (the proverbial egg-laying, wool-bearing, milk-giving pig) was purchased for the first two phases.

One should also never rely on a single tool or solution. Vulnerability assessment using only one solution will inevitably miss some issues. No single vulnerability management tool or solution covers every operating system, application or technology, meaning that you will certainly leave open vulnerable holes that an attacker can and eventually will exploit. One missed patch or misconfigured user account is enough for a data breach or an embarrassing PR incident.

Similarly shocking is the tendency of some vulnerability management vendors to cover only a small basket of third-party applications and products, playing this down with wild claims of how this prevents XX % of the most common attacks. It simply does not interest a hacker that you have covered the top 10 exploited applications. He will simply exploit number 11, 12 or 13. Against a targeted attack executed by a skilled adversary these cost-efficiency calculations mean nothing, and such partial coverage provides essentially no security at all; you may as well patch nothing.

There is no such thing as half-secure, and the I.T. gods rarely answer prayers. More importantly, using several independent tools provides a further layer of security that interlocks with the others to produce a tighter mesh. Not everything has to cost money and eat into the budget. A mix of commercial solutions and open source or other free tools will perform far more effectively, and ultimately provide better protection, than any one of them alone. Diversity and vendor agnosticism increase your chances of finding security problems, and technological dogmatism is a luxury a security guru can and should avoid. The smart and shrewd will use any advantage they are given.
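As an added example, not the column author's tooling and not code from the original article, the Python below puts the two ideas above into practice: the vulnerability-assessment ring is checked against what the patch-and-inventory ring claims, and the output of two independent scanners is merged rather than trusting either one. It runs on constructed sample data; the host names, patch identifiers and scanner names "A" and "B" are hypothetical, and the severities are illustrative. The report separates the cases a practitioner actually wants to hand to the ops team: patches the inventory says are applied but a scanner still flags, patches the inventory never tracked, hosts the inventory does not know about, findings only one scanner saw (a coverage gap in the other), and inventory hosts no scanner reached at all (a blind spot).

```python
"""Reconcile a patch/inventory record against two independent vulnerability
scanners.  Added example with constructed data; host names, patch IDs and
scanner names are hypothetical, not the column author's tooling."""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Ring 1 (ops team): host -> patches the inventory system says are applied.
INVENTORY = {
    "web01": {"KB-1001", "KB-1002"},
    "web02": {"KB-1001", "KB-1002"},
    "db01": {"KB-2001"},
    "fs01": {"KB-4001"},          # never reached by either scanner below
}

# Ring 2 (security team): hosts each scanner actually reached ...
SCANNED = {
    "A": {"web01", "web02", "db01"},
    "B": {"web02", "db01", "app01"},
}
# ... and the missing-patch findings each produced: (host, patch, severity).
SCANNERS = {
    "A": [
        ("web01", "KB-1002", "high"),      # inventory claims applied
        ("db01", "KB-2002", "critical"),
        ("db01", "KB-2001", "medium"),     # inventory claims applied
    ],
    "B": [
        ("web02", "KB-1003", "high"),      # patch the inventory never tracked
        ("db01", "KB-2002", "critical"),   # only finding both scanners agree on
        ("app01", "KB-3001", "high"),      # host the inventory does not know
    ],
}


def merge_findings(scanners):
    """Union all scanners' findings per (host, patch), keeping the worst
    severity and recording which scanners reported it."""
    merged = {}
    for name, findings in scanners.items():
        for host, patch, severity in findings:
            entry = merged.setdefault((host, patch), {"severity": severity, "seen_by": set()})
            if SEVERITY_RANK[severity] < SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = severity
            entry["seen_by"].add(name)
    return merged


def reconcile(inventory, scanned, merged):
    """Classify each finding against the inventory so the ops team receives
    concrete disagreements rather than a raw scan report."""
    report = {
        "claimed_applied": [],   # inventory says patched, a scanner says not
        "untracked_patch": [],   # inventory has no record of this patch
        "unknown_host": [],      # host missing from the inventory entirely
        "single_scanner": [],    # only one tool saw it: the other has a gap
        "unscanned": [],         # inventory host no scanner reached: blind spot
    }
    for (host, patch), info in merged.items():
        if host not in inventory:
            report["unknown_host"].append((host, patch))
        elif patch in inventory[host]:
            report["claimed_applied"].append((host, patch))
        else:
            report["untracked_patch"].append((host, patch))
        if len(info["seen_by"]) == 1:
            report["single_scanner"].append((host, patch, next(iter(info["seen_by"]))))
    reached = set().union(*scanned.values())
    report["unscanned"] = sorted(h for h in inventory if h not in reached)
    return report


def prioritized(merged):
    """Order findings for remediation: worst severity first, then findings
    more scanners agree on, then by name so the output is stable."""
    return sorted(
        merged.items(),
        key=lambda kv: (SEVERITY_RANK[kv[1]["severity"]], -len(kv[1]["seen_by"]), kv[0]),
    )


if __name__ == "__main__":
    merged = merge_findings(SCANNERS)
    for section, items in reconcile(INVENTORY, SCANNED, merged).items():
        print(f"{section}: {items}")
    for (host, patch), info in prioritized(merged):
        print(f"{info['severity']:<8} {host:<6} {patch}  seen by {sorted(info['seen_by'])}")
```

With the constructed data, the only finding both scanners agree on is the critical one on db01; every other finding comes from one scanner alone, which is exactly the point: had either scanner been the sole tool, a high-severity issue would have gone unreported, and fs01 would have been assumed clean simply because nothing ever looked at it. In practice the inventory and scanner inputs would be exported from the respective systems rather than embedded, and the "claimed_applied" list is the one to escalate first, since it means the inventory's own record is wrong.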

Relying on one process, tool, solution or vendor cannot provide this level of holistic security. It may help you adhere to compliance, or at least make it appear on paper as though something is being done, but it provides little real protection.

The art of building and designing efficient and, most of all, effective security architecture without blowing the budget or available resources is akin to the art of the master armorsmith. It is a skill only a few possess and master, and it is never to be found in a single solution, no matter how colorful the marketing.

Written By

Oliver has worked as a penetration tester, consultant, researcher, and industry analyst. He has been interviewed, cited, and quoted by media, think tanks, and academia for his research. Oliver has worked for companies such as Qualys, Verizon, Tenable, and Gartner. At Gartner he covered Security Operations topics like SIEM, and co-named SOAR. He is the Chief Futurist for Tenzir, working on the next generation of data engineering tools for security.
