
Kenneth G. Hartman

Security Consultant,  
Forensic Analyst & 
Certified SANS Instructor


Security is hard because it requires attention to detail and getting the “blocking & tackling” right. There are lots of cool and shiny security products on the market today. Remember a “product” is not a “solution” until it is tailor-fit to meet the needs of the organization and properly maintained over time.

Unfortunately, there is no such thing as a security “magic bullet.” And if there were, could we put all of our faith in it? What if the magic bullet failed? It is for this reason that well-run security programs employ the security principle of defense in depth. The defense in depth principle calls for multiple, overlapping security controls such that if one control fails, the other controls will still function as designed.

The usual way of explaining defense in depth is to discuss the security features of a medieval castle such as the moat, castle walls, and soldiers that serve to protect the king and his crown jewels. An attacker would have to make it past not one, but multiple obstacles on the way to the goal.

When discussing security controls, most people think of preventive controls, such as a firewall or a razor wire fence. These are called preventive controls because their objective is to prevent an attack. However, there are also deterrent controls and detective controls.

Examples of a deterrent control might be a logon banner or a no trespassing sign. Of course, these will not dissuade a determined attacker, but they help keep honest people honest and help support your case if your company should decide to prosecute.

The purpose of a detective control is to alert you that an attack has occurred, usually because one or more preventive controls have failed. Examples of this control would be a burglar alarm or an intrusion detection system. Detective controls require human intervention and generally speaking, the more timely the response, the less damage.

Think about your security controls. Have you identified which controls are preventive, and which are detective or deterrent controls? Also remember that the controls should overlap because adjacent controls do not provide defense in depth protection. For example, a security guard at the front entrance and a camera at the back entrance is not defense in depth.

My hope is that this quick discussion about defense in depth has inspired you to take a fresh look at the layers of your security controls. In my next posting, I will discuss an example of a common defense in depth measure that is quite frequently disabled.