In an attempt to explain why the seemingly simple concepts of warfare are actually quite complex, Clausewitz (in 1832) suggested a mechanism called 'friction' to help distinguish 'war on paper' from 'real war' in a book titled "On War". This idea of friction is an attempt to account for external factors such as chance, weather, individual will and opponent strength, and for how such variables will swiftly throw any plan out the window. In my words: complexities on the battlefield must never be assumed to be accounted for. When I speak of external factors, it's important to point out that your 'external factors' may overlap with the offense's 'internal factors', and vice versa.
COL John Boyd recognized that Clausewitz did not take this idea far enough: the commander has the ability to increase this friction for the enemy while reducing his own. A great Boyd quote:
“The essence of winning and losing is in learning how to shape or influence events so that we not only magnify our spirit and strength but also influence potential adversaries as well as the uncommitted so that they are drawn toward our philosophy and are empathetic towards our success.” (source)

With that as a backdrop, let's talk about "Defense in Depth". The current practice of vulnerability management is arguably thought of as a major component of "Defense in Depth". I've been known to rant at great length about its effectiveness (or lack thereof). This idea of friction points out its weakness as a conventionally relied-upon tactic. Vulnerability management focuses on removing one's known weaknesses before they can cause harm. Other conventional components of "defense in depth" include blocking, filtering, proxies, antivirus, authentication, access controls, etc. I suggest that this defense in depth methodology, either explicitly or implicitly, believes that it creates a moderate- to high-deterrence environment. That's where things stop.
"Defense in depth" has become a standard argument in security architecture cost/complexity analysis, at the cost of not applying the concepts of Clausewitzian friction. But this is only staging where the 'battle' will be held. This is you, as commander, preparing for invasion by increasing friction for the enemy through closing doors and windows and raising walls and turrets (incidentally, it also adds a degree of friction for you: all this work takes valuable time and effort). And that's where you stop. But we can't stop there: we additionally need to throw up barriers and traps, and make the 'terrain' as difficult an environment as possible for the opponent through the use of deception, feints, warning signals, intelligence, etc.
I believe a great and fundamental question that needs to be raised is: Does your implementation of "Defense in Depth" increase friction for the offense while decreasing friction for the defense?
Also, you should follow the #mircon hashtag this week. Lots of good tweets on interesting subjects, which inspired me to finish this post.
Note: The bad guys have learned these lessons already. Indeed, their infrastructures are far more resilient and clever than the ones they are attacking.
One more implication: Using standard best practices can harm you. The procedures of (let's say) patching or enforcing complex passwords create a certain degree of shared understanding between the defense and the offense (i.e. lowering the friction for both sides) of the tactics and procedures your organization will be adhering to. (Don't even get me started on antivirus.)
Anyone use this approach?
If you replace defense in depth with friction as your paradigm, you still have to address the mobile nature of the attacker. You can create friction, but if it is static your adversary will simply avoid it. The Maginot Line created a tremendous amount of friction for any attacker, so the Germans simply avoided it. Create an amazing perimeter that generates copious amounts of friction and an attacker will simply avoid it, as the incident related to Operation Buckshot Yankee showed: http://wapo.st/9n9bLI More interesting, perhaps, is figuring out how to create, through friction or whatever, a way to funnel your adversary to a place of your choosing. (Not really talking honeypots here, as they work more on temptation.) If the French had built the Maginot Line to intentionally funnel the Germans into Belgium so that they could be exploited there, you would have had a very different outcome.
Read http://amzn.to/b36Q0j for a critique of Clausewitz and a history of warfare. He is more concerned with Clausewitz's theory that all war is politics, but interesting nonetheless.
Joel - Hrmm. Honeytokens are more interesting than honeypots. I also suspect we could be better at reducing our own friction; a lot of our angst is self-inflicted. Defense in depth doesn't account for this at all. More after I think (and not confined to an iPad keyboard).
Thanks for replying.