Let's say I had a hypothetical large scale environment to secure with an unlimited budget. I could choose any form of countermeasures I wanted, provided that nothing I purchased remained unused. How would I choose to apply defense in depth?
When defining the required compensating controls for threat management, context is important. URL filtering isn't very exciting for a server that no one logs on to. Neither is database activity monitoring for the PCs in my call center, or a WAF for a salesperson's laptop.
In addition to ensuring that the technology fits the role, it also has to provide a complementary 'threat funnel' with little overlap. Each piece of the puzzle would have to provide some form of value against external or internal threats.
Here are the technologies I would deploy and where:
| | Perimeter | Desktops | Laptops | Servers |
|---|---|---|---|---|
| Firewall | | | | |
| Network Anti-Malware (HTTP, SMTP, etc.) | | | | |
| File-Based Anti-Malware | | | | |
| Network IDS/IPS | | | | |
| System IDS/IPS | | | | |
| Anti-Spam | | | | |
| Anti-Phishing | | | | |
| URL Filtering & Web Threat Protection | | | | |
| Hard Drive Encryption | | | | |
| VPN | | | | |
| WAF | or | | | |
| DLP | | | | |
| System/Application Log Forwarding (to SIEM) | | | | |
| File Integrity Monitoring | | | | |
| DAM and Database Security | | | | |
| Directory Integrity Monitoring | | | | |
You'll likely see a few things missing (most notably NAC). Working within my no-shelfware condition, I would likely have to pass on several technologies that are too hard to deploy or manage, or that provide only niche protection.
I would want to manage carefully the balance between best-in-breed and vendor sprawl. Ideally all of these functions could be accomplished by 2-3 vendors, and in all cases reporting back to my SIEM. I would complement these point products with vulnerability scanning, risk management, patch management, event correlation and change control.
The problem is, no one has a fantasy budget of unlimited money and more importantly, time to assess, configure and monitor all of the controls they really need. Defense in depth is complicated, expensive and does require a very diverse feature mix. We are constrained, unable to create our dream suite of protection.
When it comes to enterprise threat management, I can't help but feel we are in over our heads.
