Composing Defences: The Case for Building Defence in Height

Often, in the information security community, we bandy about terms like “defence in depth” or “layered defences.”  Most of the time, it’s just a platitude for “buy more stuff.” It’s worth exploring the way these terms evolved, and how we should think about defensive architectures in the world defined not by physical space, but by network connectivity.

“Our goal should be to create defence in height, where we know how our defences work together towards defeating adversaries.”

In the flat space of military defences in the pre-WWII area, defence in depth would refer to one of two concepts.  In the first mode, it was a set of defences which interlocked in some form — consider a castle wall, a moat, and a set of guards atop the wall.  Each of these defenses, individually, was trivially defeatable, but together, they multiplied. While an adversary was busy crossing the moat, they were easy to shoot at.  The moat made it hard to scale the wall. The wall gave defensive cover to the guards. In the second mode, it was about depth in distance – consider the depth of the Soviet terrain as they fell back in World War II, and the lengthening of the attacker’s supply lines as weather set in.  “Never get involved in a land war in Asia” is good advice for a reason.

Integrating defences relies on some basic features of the physical world.  Adversaries occupy space across a period of time. Defenders can trivially observe (Read more...)