Real Life Lessons: Defense in Depth
- At January 24, 2008
- By Josh More
- In Business Security
The first lesson to draw from my experience is that it almost perfectly illustrates the idea of Defense in Depth (DiD). Simply put, the concept is that it is best to layer your defenses. That way, if one layer fails, there is a good chance that a second layer will block the attack.
In my case, I had locks (two different ones). I had a security system. I also had two watch cats and a defensive weapon. When the incident occurred, my first two controls had failed. The locks weren’t engaged and the security system was off. However, my watch cats reacted to the changed circumstances (which I ignored). Once I became aware of the situation, I was able to arm myself and defuse it.
To generalize this, I'll ask you to oblige me while I lapse into a bit of math (a small amount, I promise).
Suppose that you are comparing two technologies. One is 99% effective, the other is 90% effective. If money were not a factor, most people would go for the 99% effective option… but let's look a tad deeper. Let's say that the 99% effective solution costs $100,000 but the 90% effective solution only costs $10,000. Now you're caught in a classic security vs. economy choice. However, suppose that there is a second product that is also 90% effective and costs $10,000. If you layer them, you get the following comparison:
99% – Cost = $100,000 – 1 out of every 100 attacks gets through.
90% + 90% – Cost = $20,000 – 10 out of every 100 attacks get through the first layer… and 1 out of every 10 of those gets through the second.
So, assuming the two layers fail independently of each other, you are looking at the same average effectiveness – 1 out of every 100 attacks is successful – which leaves you free to compare the $100,000 and $20,000 price tags. The choice gets a lot easier, doesn't it?
However, that’s only half of the story. Let’s extend this a bit with two more layers.
99% – Cost = $100,000 – 1 out of every 100 attacks gets through.
90% + 90% + 90% + 90% – Cost = $40,000 – 1 out of every 10,000 attacks gets through!
So, for $100,000 you can get a single solution that is 99% effective. And for $40,000 you can get four solutions that combine to be 99.99% effective!
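The layering arithmetic above, worked out as an added example (this is not code from the original post). It assumes, as the post's numbers do, that each layer blocks an attack independently of the others, so the fraction of attacks that get through all layers is the product of the per-layer pass-through rates. The `Layer` class and its `enabled` flag are my own construction; the flag goes one step beyond the text by letting a layer be switched off, in which case it contributes nothing, so the same four-layer purchase can be re-evaluated with some of its layers disengaged.

```python
# Added example, not from the original post: defense-in-depth arithmetic.
# Assumption: each layer blocks an attack independently of the others.
# Sample inputs are the post's own figures (99% for $100,000 versus
# 90% layers at $10,000 each).
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Layer:
    name: str
    effectiveness: float  # fraction of attacks this layer blocks when it is ON
    cost: float           # up-front cost in dollars
    enabled: bool = True  # hypothetical flag: a disengaged control blocks nothing

    def pass_through(self) -> float:
        """Fraction of attacks that get past this layer."""
        if not self.enabled:
            return 1.0  # 100% ineffective when OFF
        return 1.0 - self.effectiveness


def combined_pass_through(layers) -> float:
    """Fraction of attacks that get through every layer (independence assumed)."""
    return prod(layer.pass_through() for layer in layers)


def combined_effectiveness(layers) -> float:
    """Fraction of attacks stopped somewhere in the stack."""
    return 1.0 - combined_pass_through(layers)


def total_cost(layers) -> float:
    return sum(layer.cost for layer in layers)


def attacks_through_per(layers, n: int = 100) -> float:
    """Expected number of successful attacks out of n attempts."""
    return n * combined_pass_through(layers)


def compare(options: dict):
    """Rows of (option name, combined effectiveness, total cost), cheapest first."""
    rows = [(name, combined_effectiveness(ls), total_cost(ls)) for name, ls in options.items()]
    return sorted(rows, key=lambda row: row[2])


# Constructed sample data: the post's comparison.
SINGLE_99 = [Layer("99% product", 0.99, 100_000)]
TWO_90 = [Layer("90% product A", 0.90, 10_000), Layer("90% product B", 0.90, 10_000)]
FOUR_90 = [Layer(f"90% product {c}", 0.90, 10_000) for c in "ABCD"]
# The same four purchases, but two of them switched off (think: lock not engaged,
# alarm not armed). You paid $40,000 and are getting the $20,000 result.
FOUR_90_TWO_OFF = [
    Layer("90% product A", 0.90, 10_000, enabled=False),
    Layer("90% product B", 0.90, 10_000, enabled=False),
    Layer("90% product C", 0.90, 10_000),
    Layer("90% product D", 0.90, 10_000),
]

if __name__ == "__main__":
    options = {
        "single 99%": SINGLE_99,
        "two 90% layers": TWO_90,
        "four 90% layers": FOUR_90,
        "four 90%, two OFF": FOUR_90_TWO_OFF,
    }
    for name, eff, cost in compare(options):
        per_10k = attacks_through_per(options[name], 10_000)
        print(f"{name:<20} {eff:8.4%} effective  ${cost:>9,.0f}  "
              f"{per_10k:6.1f} of 10,000 attacks get through")
```

Running the script reproduces the post's two tables (1 in 100 for the single product and for the $20,000 pair; 1 in 10,000 for the $40,000 stack) and adds the row the post's anecdote points at: with two layers disengaged, the four-layer stack drops back to 99%.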
In my case:
- Locks ($200) – This is a binary defense. It is either ON or OFF. While you can still break the defense when they are ON, they are effectively absent when they are OFF.
- Security System ($200 + $20/mo) – This is also a binary defense. Given that it is inside the house, it is more difficult to break this defense, but still quite possible. Like the locks, it is 100% ineffective when it is OFF.
- Watch Cats (~$100/mo) – This is a complex defense. They have a high false positive rate. However, the false negatives are fairly low. The problem is that the high false positive rate creates the “cry wolf” problem that can render this defense ineffective. This is what occurred in my instance.
- Me + Sword ($200) – This is also a complex defense. It is highly expensive, as it depends on the primary resource that needs to be protected (me) to be effective. If it fails, the resource (me, again) could be compromised (i.e. injured or killed). On the plus side, I have a fairly low false positive rate (I almost never stab legitimate visitors) as well as a low false negative rate (I almost never let strangers wander around my house without confronting them).
Thus, this was an instance where I had four fairly inexpensive security controls, three of which failed. However, because I had a layered defense, the primary resource (me) and the secondary resources (my stuff) were kept safe from harm. My questions to you:
- What is your business’s primary defense?
- What happens when it fails?