Defense in depth - looking for standards or best practices

TheFORCE

Does anyone know of any good white papers or any reaearch papers that talk about defense in depth? What layers are important and the controls that need to be placed around each layer? Im doing some research to identify if my enviornment is lacking protections at different layers or if we have more controls at some and less in others so i would like to see what the best practices or standards are when it comes to defense in depth.

cyberguypr

I don't have a particular one in mind but there's a plethora of papers covering this topic in the SANS Reading Room.

This poster also provides some basic ideas on how to cover the top 20 controls.

TechGuru80

First, look at how well you comply with any compliance regulations that apply to your company. If you really want to be granular, use NIST 800 series but it's generally very expensive to do correct.

marcellis

It depends. Without knowing your exact environment (DOD, private, commercial?), its pretty hard to judge.

kiki162

@TheFORCE - You need to get yourself some SANS courses my friend

There are a crap load of compliance frameworks out there. Do you have some type of compliance based vuln scanner on your network?


For starters, take a look at this:

https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

636-555-3226

CIS' Top 20 Critical Security Controls (previously "owned" by SANS) has the basic layers. I'd start with that.

dustervoice

I found this : https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf

iBrokeIT

636-555-3226 wrote: »

CIS' Top 20 Critical Security Controls (previously "owned" by SANS) has the basic layers. I'd start with that.

To pile on to that, AuditScripts.com has some awesome resources located here for getting started with actually using metrics to measure your level of defense in depth using the 20 CSC. More specifically, I thought this assessment tool that breaks down each control into actionable items was awesome.

beads

Realize that the SANS top 20 is really adapted for more civilian usage based on a report from the NIST, right? SANS takes too much credit in this case.

Also, I respectfully submit the whole "think like a hacker" mantra is worth more in marketing fluff than is feasibly practical. Much the same with Defense in depth relying on the castle defense analogy. The cannon took care of that problem so the walls got thicker and rounded. OK that lasted about 50 years before better cannon technology was developed.

TheForce is on the right track as we cannot rely on simply one narrow minded framework in which to think. We need to start thinking in terms of chains of defense one chain for each layer starting with the physical layer protecting the data and communications from physical tampering to the end point and back again. Same with layers 2-7, if not layer 8. Layer 8 can easily destroy the first seven in a blink of the eye. Everything else has been proven to be too brittle to be effective over time.

When each chain is unbroken you have a complete defense. Now, that doesn't mean I can't take a cutting torch to the chain but it means I have to take extraordinary measures to do so. Incorporate most of the other two models with more than one person designing the controls and you should be about 95 percent secure. The rest is really the unknown to anyone.

Its something I am slowly working as I don't have enough to do with this client. LOL!

- b/eads