When Layers On Layers Of Security Equals LOL Security

Defense-in-depth is often poorly executed when architecture is not carefully considered.

As the security industry struggles with the precision and persistence of targeted attacks, the recommended best-practice talisman wielded by many an expert is the idea of layered security or defense-in-depth. Generally, the practice is described as setting up multiple layers of protection similar to chain mail going underneath a suit of armor. If one piece of protection misses one threat, another will block it instead.
Unfortunately, even with many millions of dollars worth of layers at play, defense-in-depth often doesnt work nearly that cleanly.
Layered security is good. It gets security products into your machine, but it doesnt necessarily mean youre secure or any better off, says Rahul Kashyap, chief security architect at Bromium. You have to look at it from an architectural point of view. For example, if every layer in your defense is using signatures, then you have the same architectural weaknesses, fundamentally.
As he explains, an organization that has antivirus and then IDS/IPS technically is employing defense-in-depth. But attackers can easily beat both systems using similar methods.
According to analysts Bob Walder and Chris Morales in a
brief last month from NSS Labs
, defense-in-depth depends on two flawed assumptions. One is the outmoded assumption that there is an inside and an outside of the corporate network, something very rarely true in todays cloud- and mobile-driven business world. The second is the assumed magnification of security for every layer of security added, often calculated by multiplying the failure rates of products.
For example, if an organization’s IPS allowed one attack in 100, and its NGFW allowed one attack in 100, then the combination of these products should allow only one attack in 10,000 (0.01 x 0.01), the report explains. However, NSS Research has determined that this calculation significantly overestimates the level of protection achieved by defense in depth, because there is strong correlation in the threats that pass through existing classes of products.
In a
research project Bromium conducted
and presented earlier in the year, Kashyap demonstrated how even with seven layers of endpoint defenses in place, a motivated attacker could still break through with a single exploit, given the right tweaks. He called the talk LOL (Layers on Layers) Security for what hackers are doing with most enterprises that rest on the peace of mind that theyre practicing defense-in-depth.
Basically, I took a public, known root kit and then kept tweaking the exploit until I was able to bypass every layer of defense, he says. The point Im trying to make here in talking about architecture and layers is that everything you have on the endpoint depends on the integrity of the kernel. Compromise the kernel and it is game over.
And this principle isnt only true for endpoint layers; there are similar Achilles heels in the way enterprises layer network defenses. That’s not to say that these defenses dont work well. According to NSS Labs, theyll usually stop about 98 percent of threats. But the real risk lies in the two percent of risks that break through, which is why Walder and Morales recommend that organizations think of their arsenal of security products less as layers of protection and more as tools for out-maneuvering the bad guys.
Rather, it should be viewed as a means of maneuvering the adversary into attacking a target of choice and then proactively managing the impact, as well as reducing actual network penetrations to a level that can be managed by remediation and response teams.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
When Layers On Layers Of Security Equals LOL Security