The dark side of layered security

Sometimes, layered security can have unintended consequences and even make a company less secure than before

Layered security is currently considered a best practice for enterprises, since a single layer of defense against attackers is no longer enough. Sometimes, however, these layers can have unintended consequences and even make a company less secure than before.


Jason Brvenik, principal engineer in the Cisco Security Business Group, said that he's seen organizations with as many as 80 different security technologies applied in layers.

"The proliferation of best of breed technologies creates security technology sprawl in pursuit of layered security and defense in depth," he said. "We see plenty of examples of sprawl and operational cost rising, where the technologies tend to conflict with each other."

Security practitioners have been talking about layered security for decades, said Brian Contos, Chief Security Strategist and SVP Field Engineer at Foster City, Calif.-based Norse Corp., a cybersecurity intelligence firm founded by former law enforcement and intel officials.

"While academically this makes sense," he added, "if done incorrectly, it leads to the number one enemy of security: complexity."

Without an overall plan in mind, it's easy to overspend on individual products, to buy overlapping systems, or to leave unsecured gaps between layers.

"It's very common for security organizations to jump at technologies that address 'the monster of the week' but don't have broader value," said Carson Sweet, co-founder and CEO at San Francisco-based CloudPassage, Inc. "Keeping long-term perspective is extremely important, especially with point vendors pounding at security buyers about the latest FUD."

Cisco's Brvenik pointed out another problem with purchasing too many technologies, that of unmanaged or undermanaged systems.

Companies buy a technology in order to meet a compliance need, fill a security gap, or check off an item on a list, without budgeting or staffing the system's implementation or ongoing management. Then they forget about it, he said.

Not only is this a waste of money, but it actually hurts a company's security posture.

"You're creating opportunities for blind spots, because you think you mitigated that risk, but you haven't maintained a solid presence there," he said.

And even well-managed layers can create problems within an organization, said Jerry Irvine, CIO at Chicago-based security vendor Prescient Solutions.

Different security systems require different kinds of expertise, and the larger the organization, and the more systems there are in place, the more possibilities there are for conflicts -- especially when some of the systems are managed by different companies, such as outsourcers, cloud vendors, or other service providers.

Each security team focuses on its own security task, and this can interfere with that of other groups and with enterprise operations.

"Groups saddled with the responsibility of physical security may tighten down access controls to the point where applications and systems are affected, causing failure or extreme performance issues," Irvine said. "And when separate groups within the organization are responsible for the application, they frequently open up access at the lower levels to assure connectivity, increasing the overall vulnerability of the environment."

In fact, the more security layers are in place, the more likely it is that some will interfere with business operations, said Nathan Wenzler, executive director of security at Washington DC-based Thycotic Software Ltd.

Security products need to be configured, and then, once they're in place, they might need ongoing tuning, patching, or other kinds of maintenance. Administrators need to understand how the initial configuration and the subsequent changes might affect business processes, as well as other security systems, he said.

But most organizations only have so much expertise and time to go around.

"There's not enough time to implement them well, and keep managing them well," he said. "That becomes a challenge."

User pushback

Operations teams aren't the only ones who might try to fight back against too-restrictive security layers. Individual users can, as well, said Leah Neundorf, Senior Research Analyst at Cleveland-based security consulting firm SecureState LLC.

Say, for example, a company decides to use different credentials for different systems as part of its layered defense strategy.

Users are going to try to defeat that by using the same set of credentials for all systems, she said.

At a minimum, a company is going to want a set of credentials to access internal systems and another set of credentials to access email.

Users who use their email address as their account name for internal systems -- and the same password for both -- are creating a major security problem, since it's so easy for outsiders to find out employees' email addresses.

She suggests that enterprises require different formats for user names and passwords to different systems.

"And make sure people understand the reasons you're putting these things in place," she said.

She also warned against credentials that give users access to, say, all the systems within a certain layer.

"Every admin doesn't have to have god rights," she said.
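As an added illustration of the credential advice above (not code from the article or from SecureState), the check below audits a constructed account export and flags internal logins that an outsider could derive from a public email address, or that break a per-system username format. The systems, formats and sample users are hypothetical.

```python
import re

# Constructed sample: one row per (system, account, email), as an identity
# directory export might provide it. Names and systems are hypothetical.
ACCOUNTS = [
    {"system": "email",    "username": "jsmith@example.com", "email": "jsmith@example.com"},
    {"system": "internal", "username": "jsmith@example.com", "email": "jsmith@example.com"},
    {"system": "email",    "username": "amalik@example.com", "email": "amalik@example.com"},
    {"system": "internal", "username": "amalik",             "email": "amalik@example.com"},
    {"system": "email",    "username": "rlee@example.com",   "email": "rlee@example.com"},
    {"system": "internal", "username": "u-rlee-07",          "email": "rlee@example.com"},
    {"system": "internal", "username": "bob.jones",          "email": "rjones@example.com"},
]

# Hypothetical per-system username formats: email logins are the address itself,
# internal logins must follow a distinct scheme not derivable from the address.
FORMATS = {
    "email": re.compile(r"^[a-z0-9.]+@[a-z0-9.-]+$"),
    "internal": re.compile(r"^u-[a-z]+-\d{2}$"),
}


def audit_accounts(accounts):
    """Return findings as (username, system, reason) tuples for accounts that
    reuse the email address (or its local part) as a non-email login, or that
    violate the agreed naming format for their system."""
    findings = []
    for acct in accounts:
        user, system, email = acct["username"], acct["system"], acct["email"]
        local_part = email.split("@", 1)[0]
        if system != "email" and user.lower() in (email.lower(), local_part.lower()):
            findings.append((user, system, "username derivable from email address"))
        elif not FORMATS[system].match(user):
            findings.append((user, system, "username violates system format"))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS):
        print(finding)
```

Run against a real directory export, the same logic gives a quick inventory of where a leaked email address also hands an attacker a valid internal username.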


With each new security layer come integration challenges, where one product might interfere with the functioning of another, or create security policy conflicts.

"Sometimes interactions can have operational consequences," said Fred Kost, VP at Mountain View, Calif.-based security vendor HyTrust Inc. "It's critical for CSOs to test and validate layered security under different attack and load conditions. Clever attackers might use this to render some of an organization's layered security ineffective."

The tendency to buy best-of-breed systems from different vendors can also cause communication problems, forcing security analysts to learn to work with multiple systems instead of having one single view of a company's security situation.

The effort required might outweigh the benefits, said Usman Choudhary, chief product officer at Clearwater, Fla.-based security vendor ThreatTrack Security.

In particular, enterprises have to deal with systems that don't have a common data taxonomy and trying to correlate data after the fact can lead to gaps in coverage, he said. It also takes more time to deal with false positives and false negatives.

"These layered security challenges are the big problem in the cyber threat detection and mitigation space, and are the root cause of many of the recent breaches," he said. "Often the bad guys are very well aware of these issues and are able to exploit these gaps in the security solutions."

Stories by Maria Korolov