Layered Defenses

A layered defense can be anything that stops or slows down an advance. A good, layered defense will create a complicated path of adverse conditions that will stop or slow down and attack and possibly alert the defenders so actions can be taken against the attack. The purpose of these layers is to increase the cost in terms of time and resources. The hope is that the cost will be onerous enough for the attacker to move on or give up. If the attack has alerted the defenders perhaps there can also be a follow up prosecution of some sorts thus eliminating a possibility of future attacks.

What might this look like? A router that drops traffic from China and Russia. Now if the attacker is from China, they will have to find a way around that. A firewall that only allows inbound access to your web server. A web server that is isolated and only uses stored procedures. An email server that drops all executable files by MIME type. A user account on a PC that does not have administrative rights. A PC that can not download executable files. Software on that PC that allows no other software except what is on a whitelist. A PC that has default patch schedule setup. There can be more layers…but the ones mentioned already would have stopped 99 percent of all the attacks that have been seen in or out of the news.

Think of how a roof is constructed. There is the first layer, shingles being the most common, that sheds the water. If there is a defect in the shingles, there is tar paper or some other type of waterproof membrane that will shed the water. If that fails, some houses have special types of roof decking that has an embedded waterproof laminate to shed water. If that fails and the water enters the house, you can build the attic space to be conditioned, which can cause the water that penetrates all those layers to dry out faster than it would otherwise, reducing the chances for rot.

Layered Defenses are a critical piece of Security Infrastructure. There should be no asset that relies on a single protective measure.

Mitigations

A mitigation is a special thing. What does it do for you? It provides another way to protect an asset. Say you have a PC and patch program that does successfully patch your systems, but it has a natural lag of up to 30 days. A zero-day vulnerability comes out and is being actively exploited but it requires administrative rights to work. However, you also have your user accounts that run without administrative rights. The Risk presented by that zero day is not eliminated until the PCs are patched – but it is effectively mitigated.

Mitigations offer ways to operate in an otherwise dangerous situation. Perhaps you can think of them like shutters on a house. The window can still be broken by flying storm debris but with the shutters closed they cannot be. Or perhaps a house built on a hill in a wash area; the house can be flooded in a hard rain, but it can be mitigated with sculpted terrain that causes the water to flow around the house.

Mitigations can be part of the permanent design (part of a layered defense), or they can be special configurations that can be used as a stopgap to allow operations to continue normally. Mitigations used in this way, as a stop gap, should be cataloged, tested, and readied for use so when the time comes that they are needed, they can be implemented in a fast, safe and predictable fashion.