Defense in Depth for the Imperfect Startup
Let's be honest, you're going to mess up. That's okay.
This week, GoDaddy revealed that they were the subject of a three-year-long intrusion into their network. Over the last three years, possibly longer, one specific (supposedly “advanced”) threat actor stole… just about all of the worst possible things a hacker can steal from GoDaddy. Passwords, email addresses, encryption keys, certificates, source code, you name it.
These hackers just… pilfered GoDaddy. For 3 years.
This isn’t another post beating up on GoDaddy, though from the sound of it they probably deserve it. I also don’t have any particular insight into who the attackers were, how they did what they did, etc.
This is however a great opportunity to talk about defense in depth and how it can be applied to startup ecosystems.
Defense in depth is an approach to cyber security that, for lack of a better phrasing, assumes you are going to screw up somewhere. It’s an approach that eschews the silver-bullet mythologies that snake oil (read: EDR) salesmen will sell you about a one-box, one-agent approach solving all of your cyber security needs. It’s an approach that nicely complements an “assume breach” mentality to cyber security, where your cyber security organization and technology leadership assume that an attacker has already breached your network and expend their efforts hunting out the attackers and rooting them out.
Essentially, defense in depth states that security is not a one-wall solution, it is a series of layered security technologies, policies and strategies that complement each other. It might best be explained by example.
If you install a web application firewall (WAF) in front of your SaaS web app, do you decide not to encrypt your customers’ passwords, since you’ve already “done” security? If you have a WAF and encrypted passwords already, do you instruct your leadership to not worry about phishy emails from unknown senders? Okay, you do your email security training, you have a WAF and your passwords are encrypted… do you decide against a software update policy that keeps the libraries and servers your app runs on up to date?
Defense in depth is an approach of layering several, complementary security solutions (WAF, firewalls, EDR, etc.) and strategies (encryption, phishing training, software update policies, etc.) on top of each other to ensure if (read: when) one solution or approach fails to stop an attacker, you have several other layers of defense underneath it.
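To make the “one layer fails, the next one holds” idea concrete, here is an added example (not code from the original post) for the password layer in the scenario above: the WAF or the app has failed and an attacker has a copy of the user table. It compares a weak storage scheme (a plain, unsalted SHA-256 of the password) with a hardened one (a per-user random salt, PBKDF2-HMAC-SHA256 as a deliberately slow key derivation, and a constant-time comparison), then estimates how much work a dictionary check costs an attacker against each table. The iteration count, the salt length and the short list of common passwords are assumptions constructed for the demo.

```python
"""Password-storage layer as one layer of defense in depth (added example)."""
import hashlib
import hmac
import secrets

# Assumed cost parameters (not from the original post): tune ITERATIONS so
# one verification takes a noticeable fraction of a second on your hardware.
ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed sample data: a tiny "common passwords" list used to estimate
# attacker effort against a leaked table. Real lists are far larger.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]


# --- Weak layer: unsalted, fast hash. Looks "hashed" but offers little. -----
def weak_record(password: str) -> dict:
    return {"alg": "sha256", "hash": hashlib.sha256(password.encode()).hexdigest()}


# --- Hardened layer: random salt + slow KDF + constant-time compare. --------
def make_record(password: str) -> dict:
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {
        "alg": "pbkdf2-sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# --- Risk estimate: the outer layer failed, the attacker holds the table. ----
def dictionary_exposure_weak(table: dict) -> tuple[dict, int]:
    """Unsalted fast hashes: one precomputed lookup covers every user at once.

    Returns (users whose password is in the list, number of hash computations).
    """
    lookup = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}
    exposed = {u: lookup[r["hash"]] for u, r in table.items() if r["hash"] in lookup}
    return exposed, len(COMMON_PASSWORDS)  # computed once, reused for all users


def dictionary_exposure_strong(table: dict) -> tuple[dict, int]:
    """Salted slow KDF: every user costs a separate pass, every guess a full KDF.

    Returns (users whose password is in the list, number of KDF computations).
    """
    exposed, kdf_calls = {}, 0
    for user, record in table.items():
        for guess in COMMON_PASSWORDS:
            kdf_calls += 1
            if verify(record, guess):
                exposed[user] = guess
                break
    return exposed, kdf_calls


if __name__ == "__main__":
    users = {"alice": "qwerty", "bob": "S3cure!Long-passphrase"}
    weak_table = {u: weak_record(p) for u, p in users.items()}
    strong_table = {u: make_record(p) for u, p in users.items()}
    print("weak:  ", dictionary_exposure_weak(weak_table))
    print("strong:", dictionary_exposure_strong(strong_table))
```

Both tables expose the user with a common password, which is why phishing training and password policy are separate layers again. The difference is the cost of everything else: the weak table is checked with a handful of hash computations shared across all users, while the hardened table forces one slow KDF per user per guess and gives the attacker nothing reusable from one user to the next, which is exactly the time a breached organization needs to notice and respond.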
Defense in depth is a realistic, logical approach to cyber security
I’ve worked for and with many cyber security solution vendors over the years, some with less than wholesome marketing tactics and slogans. Not a single one of them offered a real, “silver-bullet” solution for their customers. Most of them were good, but all of them were flawed. That said, most of them were great complementary layers to other solutions and strategies as part of a more holistic cyber security program. There is one simple, logical reason they never held up to the silver-bullet hype.
They are all flawed, and they will all eventually fail.
If you spent a batrillion dollars on your one, silver-bullet approach hoping that you’d never have to worry about security again, I’ve got some bad news and an oceanfront property in Kansas to sell you. However, if you want to avoid being the next GoDaddy, I’d make sure that a couple of mistakes don’t lead an attacker to pilfer all of your Crown Jewels over a three-year period.