On the Relationship Between Cheese and Risk
In cybersecurity, there is a lot of talk of “defence in depth”, but sometimes it is unclear what people mean… or why you should care.
This post answers questions about the concept of “defence in depth”, with unexpected help from a famous cheese family.
What is defence in depth?
Like many concepts in cybersecurity, defence in depth is an extrapolation of a military strategy.
Defence in depth is a defensive strategy where terrain is given up to an attacker to prevent casualties and delay the attack. The delay ultimately enables the attacked party to mount a counterattack.
In the cybersecurity world, attackers are not permitted to attack a system. To better understand the metaphor from the physical world, we need to talk a bit more about the tactics.
Defence in Depth (DiD) Tactics
To implement defence in depth, especially if facing off against cavalry units, the command unit must set up multiple levels of redundant defences. As one line of defence is breached, it falls to allow a second line to advance. When the second line falls, a 3rd advances, and so on. If the command unit relies on a single line of defence, it becomes vulnerable to exploitation (another military term used in the cyber realm). When exploited, fast moving units breach the line of defence and attack from behind or cut the supply lines. The unit must rely on redundant defences to avoid catastrophic failure. It is this concept that inspired what cybersecurity calls “defence in depth”.
Unfortunately, the term defence in depth may mean something different depending on the vendor you are talking to.
A network segregation equipment (firewall) vendor will talk about defence in depth in terms of setting up multiple perimeters. If one perimeter is breached, it will not compromise the entire network.
To another vendor, defence in depth will mean setting up multiple countermeasures to address the same risk, like having an AV solution and an EDR tool on the same machine.
Cybersecurity and Diminishing Returns
In the previous post in this risk management series, we looked at how risk is reduced by applying countermeasures. Investment in countermeasures includes a tipping point, where protection against residual risk generates diminishing returns.
Investing in a defence in depth cybersecurity solution certainly invokes the law of diminishing returns; so much so, in fact, that companies prefer to risk a breach. I like to call it the “belt and suspender” approach to cybersecurity. If you choose either a belt or suspenders, your pants will surely not fall down. When it comes to cybersecurity, belt or suspenders won’t suffice. You need both.
That’s where the cheese comes in.
Industrial risk management explains a series of aligned failures using the Swiss cheese model of accident causation.
Swiss cheese is full of holes; however, with a thick enough block, you will not look through a hole and see daylight out the other side.
How is it possible that cheese full of holes blocks the view? When sufficiently dense, it is unlikely that all the holes in the cheese will align.
By stacking layers of protection, even if the layers are “full of holes”, an incident is unlikely to occur. In fact, it will only occur if all the holes in the Swiss cheese are lined up.
This is exactly what we try to achieve by using defence in depth.
Defence in depth is especially important in cybersecurity where all countermeasures have known bypasses (there is a lot of holes in that cheese). Layering different types of defences is important to achieve levels of risk reductions we can live with.
Layered Risk Management: Preventing the Holes from Aligning
Does that mean your business should run multiple AV tools?
Unfortunately, that won’t do much. In order for multiple defences to be effective, they need to have different types of failure modes. In other words, the holes in the cheese must not align.
There are classes of attacks that are failure modes for a majority (or the entirety) of AV brands. For example, many AV tools cannot detect living –off–the–land (LoL) malware because it is based on malicious binary detection. LoL attacks use known, good binaries that are part of the operating system. Three different brands of AV might all miss an LoL attack.
A preventative approach requires tools with different failure modes.
That is why using two passwords does not count as two-factor authentication or mounting two switches in the same rack does not provide redundancy against fire.
Rate of Countermeasure Failure
Based on the theory of risk, this makes a lot of sense.
If we consider that countermeasure 1 has a chance to fail of f1 and countermeasure 2 has a chance to fail of f2, the chance that both of them will fail (F) is the conjunction of these risks:
(1) F = f1 x f2
If we say that f1 is 1 in 100 and that f2 is 3 in 100, the chances that both on them will fail at the same time would be 3 in 10 000 (0.03%).
The combination of both countermeasures is a massive upgrade in probability reduction from the 1% with countermeasure 1 alone or 3% from countermeasure 2 alone. That means layered countermeasures also contributed to risk reduction since risk = probability x impact.
However, this only holds true if the two probabilities are statistically independent.
If the risks are correlated, the combination of the multiple countermeasures provides absolutely no gain. Since the calculus becomes much more complicated, people usually assume risks are statistically independent.
The bottom line: choose cybersecurity solutions that address existing failure modes. Don’t assume a different vendor will address a new issue.
How Bad Can Risk Correlation Be?
Assuming risks are independent, they can be very damaging.
Take, for example, a bank lending money for mortgages. The bank loans Alan $500,000. The bank anticipates a 10% gain in earnings over the course of the loan. However, there is also a 3% risk that Alan will default on the loan.
With this in mind, the expected value of that loan is defined by the following risk equation:
(2) EV = (100%-3%) x (10% x $500,000) + 3% x –$500,000 = $33,500
$33,500 is a pretty good return. However, there is still a big risk that Alan defaults on the loan, leaving the bank out $500,000. So, let’s say the bank bundles one hundred borrowers (like Alan) in some form of financial instrument (let’s call them CDOs for the fun of it).
If, and that’s a big if, the risk of default between the various borrowers is due to random chance (they get sick, their money is eaten by a badger, etc.), their chance of default is statistically independent.
The probability of all the borrowers defaulting at the same time is very small. The bank is extremely unlikely to lose the value of all its loans (3%^100, which is 0.[151 zeros]5%).
The probability that the bank will lose money on the bundle is very small. The sequence of different borrowers can be modelled as a binomial distribution, where we do 100 draws with a 3% chance of “success”. Since each non–default nets 50,000$, but each default costs 500,000$, at least ten borrowers must default on their loans for the bank to lose money (90 x $50,000 – 10 x $500,000 is – $500,000).
Plugging the number in a binomial distribution calculator shows a 0.0874% chance of losing any money. This is a solid investment for sure.
When Default Rates are Correlated
When default rates are correlated, catastrophic risk is possible.
When loans depend on the interest rate, or when they can be affected by a global economic downturn or a downward turn in housing valuation, the chances of catastrophic failure are much higher. If loan defaults are perfectly correlated, the bank would have a 97% chance of making $5,000,000. However, the bank would also have a 3% chance of losing $50,000,000.
My expected return is the same in both scenarios. However when risk is unrelated, the investment can be incredibly safe. When risks are correlated, a healthy dose of catastrophic risk is likely.