The dark side of layered security
Complexity
Jason Brvenik, principal engineer in the Cisco Security Business Group, said that he's seen organizations with as many as 80 different security technologies applied in layers.
"The proliferation of best of breed technologies creates security technology sprawl in pursuit of layered security and defense in depth," he said. "We see plenty of examples and sprawl and operational cost rising, where the technologies tend to conflict with each other."
Security practitioners have been talking about layered security for decades, said Brian Contos, Chief Security Strategist and SVP Field Engineer at Foster City, Calif.-based Norse Corp., a cybersecurity intelligence firm founded by former law enforcement and intel officials.
"While academically this makes sense," he added, "if done incorrectly, it leads to the number one enemy of security: complexity."
Without an overall plan in mind, it's easy to overspend on individual products, to buy overlapping systems, or to leave unsecured gaps between layers.
"It's very common for security organizations to jump at technologies that address 'the monster of the week' but don't have broader value," said Carson Sweet, co-founder and CEO at San Francisco-based CloudPassage, Inc. "Keeping long-term perspective is extremely important, especially with point vendors pounding at security buyers about the latest FUD."
Cisco's Brvenik pointed out another problem with purchasing too many technologies, that of unmanaged or undermanaged systems.
Companies buy a technology in order to meeting a compliance need, or fill a security gap, or check off an item on a list, without budgeting or staffing the system's implementation or ongoing management. Then they forget about it, he said.
Not only is this a waste of money, but it actually hurts a company's security posture.
"You're creating opportunities for blind spots, because you think you mitigated that risk, but you haven't maintained a solid presence there," he said.
And even well-managed layers can create problems within an organization, said Jerry Irvine, CIO at Chicago-based security vendor Prescient Solutions.
Different security systems require different kinds of expertise, and the larger the organization, and the more systems there are in place, the more possibilities there are for conflicts -- especially when some of the systems are managed by different companies, such as outsourcers, cloud vendors, or other service providers.
Each security team focuses on its own security task, and this can interfere with that of other groups and with enterprise operations.
"Groups saddled with the responsibility of physical security may tighten down access controls to the point where applications and systems are affected, causing failure or extreme performance issues," Irvine said. "And when separate groups within the organization are responsible for the application they frequently open up access at the lower levels to assure connectivity, but increasing the overall vulnerability of the environment."
In fact, the more security layers are in place, the more likely it is that some will interfere with business operations, said Nathan Wenzler, executive director of security at Washington DC-based Thycotic Software Ltd.
Security products need to be configured then, once they're in place, they might need ongoing tuning, patching, or other kinds of maintenance. Administrators need to understand how the initial configuration and the subsequent changes might affect business processes, as well as other security systems, he said.
But most organizations only have so much expertise and time to go around.
"There's not enough time to implement them well, and keep managing them well," he said. "That becomes a challenge."
User pushback
Operations teams aren't the only ones who might try to fight back against too-restrictive security layers. Individual users can, as well, said Leah Neundorf, Senior Research Analyst at Cleveland-based security consulting firm SecureState LLC.
Say, for example, a company decides to use different credentials for different systems as part of its layered defense strategy.
Users are going to try to defeat that by using the same set of credentials for all systems, she said.
At a minimum, a company is going to want a set of credentials to access internal systems and another set of credentials to access email.
Users who use their email address as their account name for internal systems -- and the same password for both -- are creating a major security problem, since its so easy for outsiders to find out employees' email addresses.
She suggests that enterprises require different formats for user names and passwords to different systems.
"And make sure people understand the reasons you're putting these things in place," she said.
She also warned against credentials that give users access to, say, all the systems within a certain layer.
"Every admin doesn't have to have god rights," she said.
Integration
With each new security layer come integration challenges, where one product might interfere with the functioning of another, or create security policy conflicts.
"Sometimes interactions can have operational consequences," said Fred Kost, VP at Mountain View, Calif.-based security vendor HyTrust Inc. "It's critical for CSOs to test and validate layered security under different attack and load conditions. Clever attackers might use this to render some of an organization's layered security ineffective."
The tendency to buy best-of-breed systems from different vendors can also cause communication problems, forcing security analysts to learn to work with multiple systems instead of having one single view of a company's security situation.
The effort required might outweigh the benefits, said Usman Choudhary, chief product officer at Clearwater, Fla.-based security vendor ThreatTrack Security.
In particular, enterprises have to deal with systems that don't have a common data taxonomy and trying to correlate data after the fact can lead to gaps in coverage, he said. It also takes more time to deal with false positives and false negatives.
"These layered security challenges are the big problem in the cyber threat detection and mitigation space, and are the root cause of many of the recent breaches," he said. "Often the bad guys are very well aware of these issues and are able to exploit these gaps in the security solutions."