Analyst & Research Reports

O'Reilly Modern Defense in Depth

Issue link: https://hub.dyn.com/i/1077963


the aforementioned approach is that, again, none of the lines of defense are integrated and none of them are aware of any other line of defense deployed.

Noise, Noise, and Even More Noise

One of the most significant problems experienced today—because of all the independent security technologies deployed to protect users, DNS, web servers, and web applications that we just mentioned—is the massive number of event and alert logs that each solution generates. Today's security technologies are very noisy, and, in most cases, organizations are completely overwhelmed by the sheer number of logs that they are supposed to consume daily, not to mention the log and alert fatigue that security personnel experience when they observe those same logs and alerts over and over again.

As a result, security information and event management (SIEM) solutions are being deployed today to provide correlation of events, and not just log collection. SIEMs are often implemented with the hope that an organization will be able to effectively manage the massive number of log and alert entries generated by the overabundance of independent security solutions deployed in separate lines of defense. Large numbers of analysts are in high demand today. They are needed to comb through the logs and alerts daily in the hope of finding something of interest that indicates a successful attack is taking place or has taken place in the past.

Integration Is What's Missing with This Approach

When an attacker breaches one of the independent lines of protection in this antiquated Defense in Depth approach (as mentioned in the previous two sections), the other layers are often completely incapable of detecting that one defensive layer was breached. This is primarily because these layers are completely unaware of one another, and they are not integrated except for aggregating logs to the associated SIEMs. The security technologies deployed have no concept of the upstream and downstream defenses and have no ability to make automated changes "on the fly" to one defensive layer versus another. This fact has continually allowed attackers to remain

6 | Chapter 1: What's Not Working, and Why?
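The distinction the text draws between log collection and event correlation can be shown with a small cross-layer correlator. The following is an added example, not code from the O'Reilly report; the alert records, layer names, source addresses and the five-minute window are all constructed for illustration. It groups alerts from independent tools (DNS filter, web server, WAF) by source address within a time window and raises one incident only when more than one defensive layer fired, so five isolated alerts collapse into a single cross-layer incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts from three independent lines of defense. Each tool
# logged these in isolation and knows nothing about the other two.
ALERTS = [
    {"ts": "2024-05-01T10:00:05", "layer": "dns", "src": "203.0.113.7",
     "msg": "query for known-bad domain"},
    {"ts": "2024-05-01T10:00:40", "layer": "waf", "src": "203.0.113.7",
     "msg": "SQLi signature on /login"},
    {"ts": "2024-05-01T10:01:10", "layer": "web", "src": "203.0.113.7",
     "msg": "HTTP 500 on /login"},
    {"ts": "2024-05-01T10:02:00", "layer": "waf", "src": "198.51.100.9",
     "msg": "SQLi signature on /search"},
    {"ts": "2024-05-01T11:30:00", "layer": "dns", "src": "203.0.113.7",
     "msg": "query for known-bad domain"},
]


def _emit(src, group, min_layers):
    """Turn one time-bounded group of alerts into an incident, but only if
    the alerts came from at least min_layers distinct defensive layers."""
    layers = sorted({a["layer"] for a in group})
    if len(layers) < min_layers:
        return []
    return [{"src": src, "layers": layers, "count": len(group),
             "start": group[0]["ts"], "end": group[-1]["ts"]}]


def correlate(alerts, window=timedelta(minutes=5), min_layers=2):
    """Group alerts by source address; start a new group whenever an alert
    falls more than `window` after the first alert of the current group."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):  # ISO timestamps sort lexically
        by_src[a["src"]].append(a)
    incidents = []
    for src, items in by_src.items():
        group = []
        for a in items:
            t = datetime.fromisoformat(a["ts"])
            if group and t - datetime.fromisoformat(group[0]["ts"]) > window:
                incidents.extend(_emit(src, group, min_layers))
                group = []
            group.append(a)
        incidents.extend(_emit(src, group, min_layers))
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(f"{len(ALERTS)} raw alerts -> 1 incident: {inc}")
```

Raising min_layers or shrinking the window tunes how much noise is suppressed against how many single-layer events are left for analysts to triage by hand.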
