Chapter 2. Learning from Military Defense

Compared to a modern military, the earlier examples of protecting users and web applications bear little, if any, resemblance to how a modern defense in depth (DiD) approach works in the context of warfare. When one military line of defense is attacked, the lines downstream are adjusted using the internal threat intelligence gained, so that all defenses are adequately shored up. There is complete synergy across the military lines of defense. Next, we look at the conventional definition of DiD and explore how a modern military operates with integrated lines of defense.

Military Usage of Defense in Depth

DiD is a conventional military defense tactic that is practiced today across many different industries. Traditionally, DiD provided a means of slowing down an attack against a target by using independent layers of protection, often called “lines of defense.” The standard, widely accepted definition holds that DiD argues against relying on a single line of defense because the likelihood of failure is usually quite high. DiD accepts the notion that when one defensive line fails, another line will take its place and ensure that risks are kept to tolerable levels.

The main deficiency in the current DiD definition is that it calls for “independent lines of defense,” which does not convey how a modern military operates. Today, lines of communication and intelligence overlay the independent lines of defense found in the military, bringing “modern awareness” to the battlefield. This sharing of intelligence produces integration of the lines of defense. When one line is under assault, intelligence about the enemy’s tactics, techniques, and procedures (including weaponry) is collected and communicated to all other lines of defense. The other lines use this intelligence to shore up their own defenses, and it allows time for adjustments to be made where needed.

Figure 2-1 presents an example of how “integrated lines of defense” are obtained in a modern military.

Figure 2-1. The military approach to integrated lines of defense.

Common lines of military defense today include Recon (reconnaissance), Special Ops, Infantry, Armor, Artillery, and Aviation. Although these lines of defense appear to be quite independent of one another, they are in fact integrated in a very cohesive fashion.

The integration comes in the form of enemy threat intelligence that is relayed to Central Command via satellite, cellular, or radio communications by the Signal Corps, as shown in the figure. After Central Command ingests the threat intelligence, it puts it into action by relaying it back to the appropriate lines of defense, as depicted in the figure, which can consume the intelligence and act on it.

In a modern military operation, when one line of defense is under assault, the other lines of defense become acutely aware of the line that’s under attack due to information sharing from Central Command. Depending on the type of action being taken by the enemy, adjustments are made to the other lines to support the line that’s being affected. For example, Central Command might call for an altered special operation, adjustment to infantry defenses, movements to armor (tank) units, an artillery display maneuver, or an expanded aviation reconnaissance mission.

An interesting parallel can be drawn between how a military utilizes this modern DiD strategy and how cybersecurity could do the same.

Cybersecurity Usage of DiD

Internal intelligence sharing produces an integration that is lacking from most organizations’ cybersecurity DiD strategies. This must change. If an organization observes a covert attack against a public-facing web application that slipped undetected through several preceding lines of defense, it makes complete sense to adjust on the fly and block the source of that attack upstream by way of internal intelligence sharing. In most cases, however, there is no construct in place that permits sharing internal threat intelligence across the various lines of defense.

In addition, there is often an overlap among the various technologies that make up the lines of defense, with no clear delineation of where one defensive line begins and another ends. Therefore, a deep understanding of where security technologies are deployed, how they operate, how they block attacks and attackers, what they do best, where they fall short, and how they can be integrated is badly needed.

Today, integrated DiD strategies must account for many attack vectors, a broadening attack surface, a growing number of threat actors, limitations of security technology, and the shortage of skilled personnel. Clearly, the independent lines of defense used so often in the past must give way to integrated lines of defense for effective protection and thorough risk management.

We can accomplish this by putting in place a construct whereby internal threat intelligence gained from one line of defense is shared with all other defenses within an organization. In the case of protecting users and the array of technologies deployed for that purpose, sharing intelligence is imperative to integrating those technologies. The same concepts apply to protecting web applications. The end result is a cohesive, integrated defensive strategy that is far more adept at blocking attacks than the standalone technologies so often deployed.
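The following is an added illustration, not code from the book or from any product it describes, of the construct described above: a small “Central Command” hub that ingests an indicator observed by the downstream web-application line and relays it only to the lines that can act on that kind of indicator. The line names, indicator kinds, and the sample IP (from the 203.0.113.0/24 documentation range) are constructed for the example.

```python
"""Toy integrated-lines-of-defense hub (constructed example, not a product API)."""
from dataclasses import dataclass, field


@dataclass
class Indicator:
    kind: str         # what kind of indicator this is, e.g. "src_ip" or "uri_pattern"
    value: str        # the indicator itself
    observed_by: str  # the line of defense that detected it


@dataclass
class Line:
    """One line of defense and the indicator kinds it is able to block on."""
    name: str
    handles: set
    blocked: set = field(default_factory=set)

    def consume(self, ind: Indicator) -> bool:
        """Adjust this line if it can act on the indicator; report whether it did."""
        if ind.kind not in self.handles:
            return False
        self.blocked.add((ind.kind, ind.value))
        return True


class CentralCommand:
    """Ingests intelligence from one line and relays it to every other capable line."""

    def __init__(self, lines):
        self.lines = {line.name: line for line in lines}
        self.log = []  # audit trail of (indicator, lines adjusted)

    def ingest(self, ind: Indicator) -> list:
        adjusted = []
        for name, line in self.lines.items():
            if name == ind.observed_by:   # the reporting line already knows
                continue
            if line.consume(ind):
                adjusted.append(name)
        self.log.append((ind, adjusted))
        return adjusted


def build_lines():
    # Constructed lines, ordered from the network edge down to the application.
    return [
        Line("edge_firewall", {"src_ip"}),
        Line("reverse_proxy", {"src_ip", "uri_pattern"}),
        Line("waf", {"src_ip", "uri_pattern"}),
        Line("web_app", {"uri_pattern"}),
    ]


def demo():
    # Constructed event: the web app sees an attack that passed the upstream lines.
    cc = CentralCommand(build_lines())
    adjusted = cc.ingest(Indicator("src_ip", "203.0.113.7", observed_by="web_app"))
    return cc, adjusted
```

Running `demo()` shows the three upstream lines picking up the block while the reporting line is left unchanged, which is the “block the source upstream” adjustment the text calls for.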

Conclusion

What I have tried to demonstrate in this chapter is that a better model exists, and the modern military is the model we need to replicate in our fight against cybercrime. Next, let’s take a look at the lines of defense currently available to protect cloud-based web application deployments. When implementing web applications in a cloud environment, all these lines of defense are imperative because they all perform slightly different functions.
