It Is Time For Security Through Simplicity

Almost 20 years ago, Cisco advocated a "defense in depth" model for security. The idea was that optimal security was achieved through layers of protective devices and tools, so that any one failure would be mitigated by the other layers. A valiant ivory tower concept, advocated by a company with a myriad of security products. As part of this model, Cisco published validated designs and configurations for all their products to work together: if you ran version XA of the software on device one, version XB on device two, XC on device three, and so on with the given configurations, it would all work. (And, yes, the implied "vary a version or configuration and all bets are off" was quite real.) While that was useful, it overlooked a basic tenet of the defense in depth theory: one device failure being mitigated by the others. When all of these devices come from the same vendor, which reuses cipher suite code, etc., across them, the value of the defense in depth model is watered down.

So, security practitioners embraced the "best of breed" approach to security: they would use the best VPN, the best firewall, the best IPS, etc. This idea postulated that a dream team of security products would provide optimal security. Unfortunately, as with many human dream teams, this is not the case. The reason is that each vendor has its own spin on feature implementation and support, and each has different default settings. Thus, configuring and troubleshooting the infrastructure requires not just an understanding of the features, but a list of how to configure each device for compatibility with the others. This, quite literally, took Cisco's defense in depth model to an almost ridiculous extreme. It prolonged security device deployments and created outages when one device was upgraded and the default setting for something changed, bringing down the whole house of cards.

These days, there is an increasing realization that one of the pillars of security is making resources available to those authorized to use them. Well, that cannot be done if things don't work. The ISACA State of Cybersecurity Report shows misconfigurations as the third most common cause of compromise at 10%, behind social engineering at 15% and advanced persistent threats at 11% (figure 35). However, they define that category as only unpatched flaws or default credentials. They have other categories for sensitive data exposure (web applications or APIs that do not properly protect sensitive data) at 9% and broken authentication at 8%. I call ALL of those misconfigured security settings. Combined, that means they account for 27% of breaches! Anyone who has done a 4 AM troubleshooting session knows the temptation of opening things wide open to "just get it to work" with the promised intention of "we can secure it later". In other words: the more tools and devices there are, the easier it is for a misconfigured item to go unnoticed. Or, for it to be left open on purpose.

What can be done to address this? Well, I think a simplified security model, where not as many components have to be configured, can help. The more parts and pieces that have to come together to make things work, the more likely it is that wide open settings will be involved. So, I propose leaving "best of breed" behind with low-rise jeans and entering a new era of security through simplicity. We recognize the value of a simple, elegant solution, ESPECIALLY when applied to security. We understand the value of alerts coming from fewer places, thus reducing alert fatigue. We understand that quality trumps quantity every day.
