The Problem with Oversimplified Cybersecurity Advice

It bothers me when cybersecurity advice is given with good intentions, but omits useful context or practical considerations in an effort to simplify the message.

I understand why simplification matters. It allows us to reach a wider audience. But if we’re not careful with how we present certain ideas, we run the risk of misleading the people we’re hoping to help.

And I’m definitely not against simplifying things. My concern is that we’re removing the context that people actually need to make informed decisions.

A Well-Intentioned Example

I’m bringing this up now because I recently took a free online course on cybersecurity strategy. The target audience is people responsible for cybersecurity oversight and management. Given that the course is free and open to anyone, it’s safe to assume that people with a wide range of experience levels might have taken it.

In one section, a few “simple” cybersecurity rules were listed. Regarding layered defenses, it said:

…never depend on a single control, always have multiple controls. Having 10 controls that are 50 percent effective is better than having a single control that’s 99 percent effective. A lot of people obsess about the single control that’s extremely effective when they are far better off deploying a number of controls and fallback controls to avoid problems. Having multiple approaches to your defenses is always critical.

At first glance it’s easy to agree, since defense in depth is a foundational concept. But context is missing here, and that can create problems.

simpler isn’t always better

Why Context Matters

In an ideal world, where the controls are independent (the failure of one doesn’t change the probability of another failing), it would be correct to say that 10 controls that are 50 percent effective are better than a single control that’s 99 percent effective.

The math checks out.

The probability of failure for each of our ten controls is 0.5. The probability of all ten failing is 0.5^10, which is roughly 0.001. That gives those ten layered controls a cumulative effectiveness of 0.999 (99.9%). This just marginally beats out the one control at 99%.

A few problems exist with this scenario though, particularly as the course’s goal was to help practitioners to build, deliver and implement a cybersecurity strategy.

First off, I’d be surprised if you could find 10 entirely independent cybersecurity controls. I’d argue it’s impossible.

The scenario also ignores operational realities: ten controls create significantly more management overhead, and the extra effectiveness may not be a fair trade-off. We’d be multiplying alerts by ten, forcing much more noise into the environment and requiring teams to be proficient with ten different tools.

Those ten controls may also be significantly more expensive to maintain than the one and a large part of strategy is in being able to make the most of your resources.
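To make the arithmetic above concrete, here is an added example (not from the post or the course) that computes the layered effectiveness under the independence assumption, then under a toy correlated-failure model of my own (the `p_shared` parameter is an assumption, not a figure from the post) to show how little shared risk it takes for the ten 50% controls to fall below the single 99% one. It also lists the effectiveness each successive control adds, which is the diminishing-returns point made later in the post.

```python
"""Added example (not from the post): defense-in-depth arithmetic
under the independence assumption the course quietly relies on,
and under a toy correlated-failure model (my assumption, not the
post's), to show how quickly '10 x 50% beats 1 x 99%' breaks when
the controls share a failure mode."""


def layered_effectiveness(effectivenesses):
    """P(at least one control stops the attack) if every control
    fails independently: 1 minus the product of the miss rates."""
    p_all_miss = 1.0
    for e in effectivenesses:
        p_all_miss *= 1.0 - e
    return 1.0 - p_all_miss


def layered_effectiveness_common_mode(effectivenesses, p_shared):
    """Toy correlated model (assumption): with probability p_shared a
    shared weakness (same vendor, same misconfiguration, same blind
    spot) bypasses every control at once; otherwise the controls
    behave independently. Any p_shared > 0 lowers the combined figure."""
    return (1.0 - p_shared) * layered_effectiveness(effectivenesses)


def marginal_gains(effectivenesses):
    """Effectiveness added by each successive control, in the order
    given. Shows the diminishing return of every extra layer."""
    gains, prev = [], 0.0
    for k in range(1, len(effectivenesses) + 1):
        cur = layered_effectiveness(effectivenesses[:k])
        gains.append(cur - prev)
        prev = cur
    return gains


if __name__ == "__main__":
    ten_halves = [0.5] * 10
    print(f"10 x 50%, independent : {layered_effectiveness(ten_halves):.4f}")
    print(f"1 x 99%               : {layered_effectiveness([0.99]):.4f}")
    # A constructed 2% chance of a shared failure mode is already
    # enough to push the ten layered controls below the single one.
    print(f"10 x 50%, 2% shared   : "
          f"{layered_effectiveness_common_mode(ten_halves, 0.02):.4f}")
    print("gain from each extra control:",
          [round(g, 4) for g in marginal_gains(ten_halves)])
```

The tenth 50% control adds under 0.1% of effectiveness, while a 2% shared-failure probability costs more than that margin.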

All good advice isn’t great advice

Layered defenses have benefits. That’s good advice. Suggesting that more means better is not great advice. For readers who lack the insight to pick up on the missing context, this is bad advice.

It would have been more helpful had the example indicated that:

  • Control effectiveness is a useful measure, but it must be considered against the cost of controls. In the one versus ten example, we had a less than one percent increase in effectiveness. How much more are we willing to pay for such a marginal increase? What other initiatives might be cut to implement what seem to be eight unnecessary controls?
  • Controls create friction and there may be diminishing returns. It is not always better to have more. Every additional monitoring tool comes with a likely increase in alert volume and complexity. Every additional agent-based tool competes for system resources. Every additional administrator platform creates an additional target for attackers.
  • An effective layered defense requires an understanding of how controls work together to achieve an objective. It’s possible to have multiple controls where some work so well that they make others irrelevant or ineffective. A reasonably well designed perimeter defense coupled with solid endpoint protection may make a honeypot significantly less valuable in terms of ROI.

So while layered defenses have benefits, it matters how they’re implemented. If we’re recommending this approach, it benefits the reader if we provide context. Otherwise we risk people running off with the idea that it’s purely a numbers game and that more tools means more protection.

Final thoughts

My advice to those reading cybersecurity advice (this post included), is to critically assess what you’re reading. There is a lot of well-intentioned advice out there. But context matters!

It benefits us to slow down and think through how any particular piece of advice applies under real conditions.

We also shouldn’t automatically discard good advice because it isn’t great. Despite the small snafu in the course, I did find it to be interesting.
