The concept of “defense in depth” dates back to ancient times, epitomized by the ramparts, draw-bridge, towers, and battlements surrounding a medieval castle. Cybersecurity’s adaptation of the idea — multiple layers of security controls to protect data and systems forces intruders to “get it right” over and over before reaching their goal — has long been a cornerstone of strategic planning and is considered a best practice.
However, as major cybersecurity vendors like Microsoft, Palo Alto, Okta, and CrowdStrike fill gaps in their portfolio to provide “complete and comprehensive” security coverage, it’s time to consider a complementary strategy: “defense in diversity”. Defense in Diversity emphasizes the importance of using different vendors at different layers of defense to mitigate the risk of a compromise due to insular thinking or a singular, fatal flaw. Diversity in the context of this article means being composed of differing vendor sources, operating characteristics, defensive philosophies, and fundamental principles, rather than a political concept.
The Risks of Vendor Homogeneity
The recent successful attack on Microsoft has starkly illuminated the risks associated with relying on a single vendor for all layers of security. When Microsoft’s Azure cloud services were compromised, the breach extended beyond the immediate impact, affecting multiple security layers that depended on Azure. This incident underscores a critical flaw in security strategies that depend heavily on one provider: the interconnected nature of services offered by a single vendor means that vulnerabilities in one area can expose weaknesses across the entire system, leading to potentially catastrophic breaches.
Imagine, for a moment, the expression on the king’s face when his prized keep, surrounded by nothing but an elaborate series of moats, is besieged by invaders equipped with boats, pontoons, and portable bridges.
Diversifying security vendors when deploying a multi-layered defense strategy can mitigate this risk by ensuring that a breach in one layer does not automatically compromise others. This approach not only enhances resilience but also reduces the likelihood of widespread disruption in the event of a targeted attack on a primary security vendor.
The Positive Impact of Diversity: An Analogy
The importance of defense in diversity can be likened to the positive impact of diversity in decision-making and organizational makeup. Diverse teams are proven to be more innovative and better at problem-solving. They bring together different experiences, viewpoints, and ideas, which can lead to more creative solutions and better decision outcomes. Organizations that embrace diversity in their workforce tend to be more adaptable and resilient. Diverse organizations are better equipped to handle challenges because they can draw on a wider range of experiences and perspectives.
Just as diverse teams bring varied perspectives and strengths to the table, creating a more innovative and resilient organization, a diverse set of security vendors creates a more robust defense against cyber threats. Each vendor brings unique strengths and capabilities that can cover the gaps and weaknesses of others, resulting in a more comprehensive security posture.
Embracing Defense in Diversity
The counterpoint to defense in diversity is largely an economic one. With enterprise suites including a full complement of security platforms, it’s important to weigh the financial benefits of a single vendor bundle versus the benefits of a diverse approach. Selling senior leaders who are more comfortable talking about the bottom line than reviewing the risk register will likely need additional convincing as to why the additional investment makes sense. Following are the benefits of a diverse approach to assembling your cybersecurity stack.
Reduced Risk of Systemic Failures
Using different vendors for different security layers ensures that a vulnerability in one system does not necessarily compromise others. For instance, if your identity management is handled by Okta and your cloud security by another provider, a breach in Okta would not directly affect your cloud security, and vice versa. This segmentation reduces the risk of a single point of failure causing widespread damage.
Leveraging Best-of-Breed Solutions
Different vendors excel in different areas. By diversifying your security providers, you can take advantage of best-of-breed solutions for each specific layer of defense. For example, you might use a specialized vendor for endpoint security, another for network security, and yet another for identity and access management. This approach allows you to tailor your security architecture to your specific needs and threat landscape.
Enhanced Detection and Response Capabilities
Different vendors often have unique detection and response capabilities. By leveraging multiple vendors, you can benefit from a wider range of threat intelligence and incident response mechanisms. This diversity can help in identifying and mitigating threats more effectively, as different tools may detect different aspects of an attack.
Avoiding Vendor Lock In
The obvious danger of vendor lock in rests with the loss of leverage an organization’s experiences when tightly coupled to a single provider. The less obvious impact is the organizational brain drain as resources get trained on a single suite, participate in road mapping from a single source, are hired or promoted for their specific platform experience, etc. Over time, the vendor’s technology strategy becomes the organization’s technology strategy and other perspectives are no longer considered.
Conclusion
In today’s threat landscape, a diverse and multi-layered defense strategy is not just a good practice—it’s essential. The recent attacks on Microsoft and Okta have shown that relying on a single vendor for multiple layers of security can leave organizations vulnerable to systemic failures. By embracing a defense in diversity approach, you can build a more resilient and robust security posture that is better equipped to withstand the complexities of modern cyber threats. Just as diversity in decision-making and organizational makeup leads to stronger and more innovative outcomes, a diverse set of security vendors creates a more resilient and effective defense. Remember, in cybersecurity, diversity is strength.
About the Author
Craig Burland is CISO of Inversion6. Craig brings decades of pertinent industry experience to Inversion6, including his most recent role leading information security operations for a Fortune 200 Company. He is also a former Technical Co-Chair of the Northeast Ohio Cyber Consortium and a former Customer Advisory Board Member for Solutionary MSSP, NTT Global Security, and Oracle Web Center. Craig can be reached online at LinkedIn and at our company website https://www.inversion6.com/.
Source: www.cyberdefensemagazine.com