Your World... Hacked

As your business becomes more collaborative and global, the risks to your company’s trade secrets rise proportionally. Fortunately, there are new strategies to protect the data that allows you to compete.

Defence in Depth

Without a clear idea about which IP assets most need protecting, CIOs may put their security dollars in the wrong places. "Most large organizations have all done basic blocking and tackling — firewalls, antivirus products, et cetera," says Amit Yoran, CEO of network forensics company NetWitness and former director of the US Department of Homeland Security's National Cyber Security Division. But as with cybercrime generally, perimeter defence goes only so far. Companies need a cyberdefence strategy that is multilayered with different types of protection at each layer.

One strategy, called "defence in depth", derives from the military technique for slowing down rather than trying to stop the advance of an adversary. The model applies when the question is not if, but when, hackers will break in. "If you reinforce one area, [attackers] will look to another," says James Lewis, director and senior fellow with the Centre for Strategic and International Studies. "The job is to reduce the chance that they'll be able to get in."

On the network, defence in depth means traditional perimeter security is supplemented with advanced intrusion detection systems, segmented networks with tighter security around some information, demilitarized zones for public data and security audits. But a good defence-in-depth strategy takes its multilayered approach to people, processes and technology as well.

The approach enables IT security teams to get beyond dealing with hackers as if playing a game of whack-a-mole and treat the problem more like a chess game, says Jim DuBois, general manager of information security and infrastructure services security for Microsoft. DuBois has worked at Microsoft for 14 years and lived through a public incident in 2000 when hackers, who The Wall Street Journal reported were traced to Russia, allegedly accessed some of Microsoft's key applications and source code. (DuBois was not part of the security group at the time. A Microsoft spokesperson argues that the incident was not portrayed accurately in the media, but that it reinforced the importance of security controls and helped drive adoption of several projects, including smart cards for remote access and a public key infrastructure — which allows for the secure and private exchange of data in unsecure environments.)

"The thought process is no longer making sure nothing bad ever happens," says DuBois. "There may be a bug in the Cisco code or someone might misconfigure a device. If [attackers] get at that chess piece we left unprotected, what will we do?" Microsoft has moved toward host-based controls, meaning they protect the data on a device or a network. "You have to protect everything, not just important data. Controls are more onerous than they need to be," says DuBois. He wants to get more granular. His goal is to secure the data itself, not the hardware or applications in which it resides, with next-generation digital rights management tools.
