Saturday 11 May 2013
One more lesson from History: the Limes and Hadrian's Wall.
Like the Maginot Line or the Great Wall of China, the fortified frontier built by the Romans never prevented barbarian intrusions.
But it had another, more important mission: preventing, or at least hindering, their return home with their spoils.
For several centuries before the Germanic tribes invaded and toppled the Roman Empire, small bands of them attacked the Roman fortified frontier.
It was rather easy for them to penetrate the Empire: they chose the exact place of their attack after long observation of the weaknesses of the defense, and they always attacked by surprise.
Once in Roman territory, they wandered at will, as there were few if any defenses in depth.
But they were followed and tracked by their victims or by Roman scouts. So their way back to the frontier and to their own territory could be guessed, reinforcements were brought to the place, and it was far more difficult for the Germanic warriors to cross the Limes on the way back.
The legend of the Rhine Gold comes from this, they say: so much of this stolen gold and so many goods were drowned in the frontier river that it seemed the gods had cast a curse on it.
Nowadays, in information security, it is well known that a perimeter defense like the Roman (fire)wall is not sufficient.
Most defense-in-depth techniques are also in dire straits.
Recent Advanced Persistent Threat campaigns have shown that Data Loss Prevention is either ineffective or not implemented at all.
Maybe we should reverse our priorities, just as the Romans did (and it worked well for three or four centuries):
- Monitor and log what happens INSIDE our infrastructure, and focus our SIEMs on it.
- Focus on what tries to GET OUT instead of on what tries to GET IN.
- Implement this monitoring and alerting everywhere in the infrastructure: servers, network devices, desktops/laptops and mobile devices.
- Surely there is much more to do, not least educating users...
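To make the "focus on what gets out" point concrete, here is an added example (not from the original post) of egress-focused detection logic in Python, run over a few constructed outbound-session log lines. The log format, the internal address plan (10.0.0.0/8, with a server segment 10.0.2.0/24 whose hosts should never initiate outbound sessions) and the thresholds are all assumptions made for this example. It flags three things the inside-out view above cares about: a server initiating outbound sessions, exfiltration-sized volume to a single destination, and regular beaconing to one external host.

```python
"""Egress-focused detection over constructed firewall log lines.

Added example, not code from the original post. Assumptions (labelled):
- constructed log format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
- assumed address plan: 10.0.0.0/8 is inside, 10.0.2.0/24 is a server segment
- thresholds are illustrative, not tuned for any real network
"""
import ipaddress
import statistics
from collections import defaultdict, namedtuple
from datetime import datetime

Session = namedtuple("Session", "ts src dst dport bytes_out")

# Assumed address plan: everything not listed here is "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed server segment whose hosts should never initiate outbound sessions.
SERVER_NET = ipaddress.ip_network("10.0.2.0/24")

# Illustrative thresholds; tune against your own baseline.
BEACON_MIN_SESSIONS = 5          # sessions to the same destination
BEACON_MAX_JITTER = 0.10         # stdev / mean of inter-arrival times
VOLUME_THRESHOLD = 50_000_000    # bytes sent to one destination in the window

# Constructed sample log, one outbound session per line.
SAMPLE_LOG = """\
2013-05-11T09:00:00 10.0.1.23 192.0.2.10 443 1200
2013-05-11T09:01:13 10.0.1.40 198.51.100.10 443 45000
2013-05-11T09:03:50 10.0.1.40 198.51.100.22 80 12000
2013-05-11T09:05:00 10.0.1.23 192.0.2.10 443 1180
2013-05-11T09:10:00 10.0.1.23 192.0.2.10 443 1210
2013-05-11T09:12:00 10.0.2.5 203.0.113.7 22 83000000
2013-05-11T09:15:00 10.0.1.23 192.0.2.10 443 1190
2013-05-11T09:17:02 10.0.1.40 198.51.100.10 443 80000
2013-05-11T09:20:00 10.0.1.23 192.0.2.10 443 1205
2013-05-11T09:25:00 10.0.1.23 192.0.2.10 443 1195
2013-05-11T09:30:45 10.0.1.40 10.0.2.5 5432 3000
"""


def parse_log(text):
    """Parse the constructed format above into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        sessions.append(Session(datetime.fromisoformat(ts), src, dst,
                                int(dport), int(nbytes)))
    return sessions


def is_internal(ip):
    # Explicit list rather than ip_address(ip).is_private: that property also
    # matches the RFC 5737 documentation ranges used as "external" hosts here.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(sessions):
    """Return alerts for outbound traffic only; inbound and east-west are ignored."""
    by_pair = defaultdict(list)
    for s in sessions:
        if is_internal(s.src) and not is_internal(s.dst):
            by_pair[(s.src, s.dst)].append(s)

    alerts = []
    for (src, dst), group in sorted(by_pair.items()):
        group.sort(key=lambda s: s.ts)

        # Rule 1: a host in the server segment is talking outbound at all.
        if ipaddress.ip_address(src) in SERVER_NET:
            alerts.append({"rule": "server_egress", "src": src, "dst": dst,
                           "detail": f"{len(group)} session(s) to port {group[0].dport}"})

        # Rule 2: exfiltration-sized volume to a single destination.
        total = sum(s.bytes_out for s in group)
        if total > VOLUME_THRESHOLD:
            alerts.append({"rule": "volume", "src": src, "dst": dst,
                           "detail": f"{total} bytes out"})

        # Rule 3: near-constant inter-arrival times suggest beaconing to a C2.
        if len(group) >= BEACON_MIN_SESSIONS:
            gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(group, group[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean < BEACON_MAX_JITTER:
                alerts.append({"rule": "beacon", "src": src, "dst": dst,
                               "detail": f"{len(group)} sessions every ~{mean:.0f}s"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a['rule']}] {a['src']} -> {a['dst']}: {a['detail']}")
```

Inbound and east-west sessions are deliberately dropped before any rule runs; the watch is on the way back out. On the sample, the workstation browsing irregularly to two sites raises nothing, the five-minute callbacks from 10.0.1.23 raise a beacon alert, and the 83 MB pushed over SSH from the database server raises both the volume and the server-egress alerts. Real logs need a baseline before these thresholds mean anything, and the beacon rule as written is defeated by jittered callbacks, so treat it as a starting point rather than a finished detection.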
Let's face it: I was probably an insider threat, as most of us have been, even if we never noticed it. It's so easy to introduce malware inside our perimeter simply by browsing a compromised web site or app store.
Comments and criticism welcome! :)