In an attempt to explain why the seemingly simple concepts of warfare are actually quite complex, Clausewitz (in 1832) suggested a mechanism called 'friction' to help distinguish 'war on paper' from 'real war' in a book titled "On War". This idea of friction is the attempt to explain external factors such as chance, weather, individual will, and opponent strength, and how such variables will swiftly throw any plans out the window. In my words: complexities in the battlefield must never be assumed to be accounted for. When I speak of external factors, it's important to point out that your 'external factors' may overlap with the offense's 'internal factors' and vice versa.
COL John Boyd recognized Clausewitz did not take this idea far enough. The commander has the ability to increase this friction for the enemy as well as reducing his own. A great Boyd quote:
“The essence of winning and losing is in learning how to shape or influence events so that we not only magnify our spirit and strength but also influence potential adversaries as well as the uncommitted so that they are drawn toward our philosophy and are empathetic towards our success.” (source)

With that as a backdrop, let's talk about "Defense in Depth". The current practice of vulnerability management is arguably thought of as a major component of "Defense in Depth". Its effectiveness (or lack thereof) is something I've been known to rant about at great length. This idea of friction points out its weakness as a conventionally relied-upon tactic. Vulnerability management focuses on removing one's known weaknesses before they can cause harm. Other conventional components of "defense in depth" include blocking, filtering, proxies, antivirus, authentication, access controls, etc. I suggest this defense in depth methodology, either explicitly or implicitly, believes in creating a moderate- to high-deterrence environment. That's where things stop.
"Defense in depth" has become a standard argument in security architecture cost/complexity analysis, at the cost of not applying the concepts of Clausewitzian friction. But this only helps in staging where the 'battle' will be held. This is you, as commander, preparing for invasion by increasing friction for the enemy through closing doors and windows and raising walls and turrets (incidentally, it also adds a degree of friction for you: all this work takes valuable time and effort). And that's where you stop. But we can't stop there: we need to additionally throw up barriers and traps and make the 'terrain' as difficult an environment as possible for the opponent through the use of deception, feints, warning signals, intelligence, etc.
I believe a great and fundamental question that needs to be raised is: Does your implementation of "Defense in Depth" increase friction for the offense while decreasing friction for the defense?
Also, you should follow the #mircon hashtag this week. Lots of good tweets on interesting subjects which inspired me to finish this post.
Note: The bad guys have learned these lessons already. Indeed, their infrastructures are far more resilient and clever than the ones they are attacking.
One more implication: Using standard best practices can harm you. The procedures of (let's say) patching or enforcing complex passwords create a certain degree of shared understanding between the defense and the offense (i.e., lowering the friction for both sides) of the tactics and procedures your organization will be adhering to. (Don't even get me started on antivirus.)
Anyone use this approach?