I’ve had some recent conversations that led me to believe there may be some misunderstanding of the term defense in depth. Some practitioners may propose that this is a simple architecture that translates into a specific, finite set of products and architectures. In a note I wrote last year (which is currently being updated) I used the term to bolster the support that our clients (for example a security manager, engineer or architect) may need in order to increase their security capabilities (see Best Practices for Mitigating Advanced Persistent Threats). When some practitioners hear this term (especially those who are senior) they cringe, and sometimes they react as if, or believe that, it’s an “old school” philosophy. I disagree. I’m saddened when I hear that some security practitioners seem to have abandoned this concept; in fact, I feel it may need to be expanded.
- Defense In Depth – Implement preventative controls as much as possible/affordable.
Should we expand the term into three (DDR):
- Defend In Depth – Implement preventative controls as much as possible/affordable.
- Detect In Depth – Implement detective controls as a final “last straw” approach.
- Respond in Depth – Respond as quickly as possible to avoid the negative effects of security control failures.
Should practitioners expand their thinking and apply this new strategic approach to their security programs?
What are your own thoughts?