RSA Talk - “Defense in Depth is Dead; Long Live Depth in Defense" - Matt Alderman
Matt Alderman ( @maldermania ) is VP of Strategy at Tenable Network Security.
This talk was delivered 03 March 2016 at the RSA Conference in San Francisco. I'm providing a brief reaction/summary, and then my notes. The notes are my sort-of free-form notes, so if they are only semi-comprehensible.
I’m not convinced this is particularly valuable distinction. The title and terminology makes it sound more radical than it is. The real message appears to be simply that we need to more closely integrate and monitor our defenses, which is unquestionably a good point and a vital strategy.
Defense in depth isn’t helping us tackle the attacks we are facing.
The traditional defense in depth model includes:
We haven’t connected the different solutions at the different security layers, so there are gaps that intruders hide in.
The different solution at the different layers are often managed and owned by different group in the organization.
“It is time to declare that defense in depth is dead; we need a new approach."
The depth in defense model:
- Discover - assets (physical & virtual, apps, data, mobile, cloud)
- Assess - vuln assessment, config audit, malware detection
- Monitor - log collection, activity monitoring, packet inspection, threat intel
- Analyze - event correlation, anomaly detection, behavioral analysis
- Respond - Notification & alerting, remediation, patch mgmt
- Protect - path installation, config changes, port/service modification, device isolation
This model provides:
How do I get started?
- Do you have continuous visibility to identify unknown assets/devices?
- Do you have continuous visibility into the security state of your assets?
- Do you have critical context to prioritize threats and weaknesses?
- Do you have critical context to measure security posture & assurance?
- Are you able to take decisive action to respond to attacks?
- Are you able to take decisive action to remediate your assets?