The Myth of Security is Layers

scottalanmiller

Do you hear people say that you need "security in layers?" I bet you do, often in reference to trying to sell you something like a UTM. Yet, the term means nothing. All security is in layers, always has been. Your OS, password, filesystem, system firewall, main firewall, antivirus, antimalware, user awareness, company policies... all things that have always existed, are on every network everywhere... are the layers. Layered security, is nothing but a meaningless reference to all of these things.

So beware of people using this term and try to determine what they mean by it. Active Directory, LAN based security, UTMs... none of these are implied by the term layered security. It's important to understand that security, all security by concept, comes in layers, but it's a silly thing to discuss and means literally nothing in the context of someone telling you that they have or that you need "layered security". It's just empty words.

Mike Davis

When talking with a customer you bring up this term when they say something like "Do I need a firewall or antivirus?"

scottalanmiller

@mike-davis said in The Myth of Security is Layers:

When talking with a customer you bring up this term when they say something like "Do I need a firewall or antivirus?"

I wouldn't because it means nothing. It's a FUD term. If they knew what it meant, they'd point out that they already have layered protection. Since they already have the thing that you are saying that AV or firewall's provide, it would have the reverse effect.

Dashrender

@scottalanmiller said in The Myth of Security is Layers:

@mike-davis said in The Myth of Security is Layers:

When talking with a customer you bring up this term when they say something like "Do I need a firewall or antivirus?"

I wouldn't because it means nothing. It's a FUD term. If they knew what it meant, they'd point out that they already have layered protection. Since they already have the thing that you are saying that AV or firewall's provide, it would have the reverse effect.

eh - hold on... Just because you have layered security, doesn't mean you have the additional layers that AV and a firewall add. In that case, they'd simply be additional layers on the layers that you already layered together.

Dashrender

How many times can I say layers.

scottalanmiller

@dashrender said in The Myth of Security is Layers:

How many times can I say layers.

Layered discussions come in layers.

PenguinWrangler

Shrek: For your information, there's a lot more to ogres than people think.
Donkey: Oh, you leave 'em out in the sun, they get all brown, start sproutin' little white hairs...
Shrek: [peels an onion] NO! Layers.

Mike Davis

@scottalanmiller said in The Myth of Security is Layers:

@mike-davis said in The Myth of Security is Layers:

When talking with a customer you bring up this term when they say something like "Do I need a firewall or antivirus?"

I wouldn't because it means nothing. It's a FUD term. If they knew what it meant, they'd point out that they already have layered protection. Since they already have the thing that you are saying that AV or firewall's provide, it would have the reverse effect.

Your client and mine are probably very different. I have to take the time to explain that just because they have a firewall doesn't mean they don't need antivirus.

Dashrender

@mike-davis said in The Myth of Security is Layers:

@scottalanmiller said in The Myth of Security is Layers:

@mike-davis said in The Myth of Security is Layers:

When talking with a customer you bring up this term when they say something like "Do I need a firewall or antivirus?"

I wouldn't because it means nothing. It's a FUD term. If they knew what it meant, they'd point out that they already have layered protection. Since they already have the thing that you are saying that AV or firewall's provide, it would have the reverse effect.

Your client and mine are probably very different. I have to take the time to explain that just because they have a firewall doesn't mean they don't need antivirus.

Sure, I totally get needing to explain that they serve different purposes, but saying they are layers doesn't really help them understand things. If anything, it might make them think they can/should do without one or the other because, meh, I only need one layer of protection, not two or more.

scottalanmiller

@dashrender said in The Myth of Security is Layers:

@mike-davis said in The Myth of Security is Layers:

@scottalanmiller said in The Myth of Security is Layers:

@mike-davis said in The Myth of Security is Layers:

When talking with a customer you bring up this term when they say something like "Do I need a firewall or antivirus?"

I wouldn't because it means nothing. It's a FUD term. If they knew what it meant, they'd point out that they already have layered protection. Since they already have the thing that you are saying that AV or firewall's provide, it would have the reverse effect.

Your client and mine are probably very different. I have to take the time to explain that just because they have a firewall doesn't mean they don't need antivirus.

Sure, I totally get needing to explain that they serve different purposes, but saying they are layers doesn't really help them understand things. If anything, it might make them think they can/should do without one or the other because, meh, I only need one layer of protection, not two or more.

Right, that was my point, you risk anyone saying "oh good, so I already have layers".

Obsolesce

Just because they are things you should already have in place doesn't mean it can't be referred to as a layer.

You certainly don't need a firewall or antivirus to function.

Dashrender

@tim_g said in The Myth of Security is Layers:

Just because they are things you should already have in place doesn't mean it can't be referred to as a layer.

You certainly don't need a firewall or antivirus to function.

OK fine, but really, what benefit do you gain by calling it a layer? I've given you one of the detriments.

Obsolesce

@dashrender said in The Myth of Security is Layers:

@tim_g said in The Myth of Security is Layers:

Just because they are things you should already have in place doesn't mean it can't be referred to as a layer.

You certainly don't need a firewall or antivirus to function.

OK fine, but really, what benefit do you gain by calling it a layer? I've given you one of the detriments.

None. Just sayin.

Mike Davis

I see what you're saying. What's the alternative then? How do you explain to a non technical client you need a firewall at the gateway and a firewall on the computer?

Obsolesce

@mike-davis said in The Myth of Security is Layers:

I see what you're saying. What's the alternative then? How do you explain to a non technical client you need a firewall at the gateway and a firewall on the computer?

Has nothing to do with layers. They serve completely different functions.

Mike Davis

@tim_g said in The Myth of Security is Layers:

Has nothing to do with layers. They serve completely different functions.

Correct. What analogy would you use to talk to a non technical person about all the things we do in the name of security?

scottalanmiller

@mike-davis said in The Myth of Security is Layers:

I see what you're saying. What's the alternative then? How do you explain to a non technical client you need a firewall at the gateway and a firewall on the computer?

Well ideally you don't explain technical things to non-technical people, that's why you are there, to do the tech pieces. Any need to explain tech to people who don't know tech means the business has failed.

Once in that failed position, the only real option is "because they aren't teh same thing and you need both, do you want to be secured or not"?

scottalanmiller

@mike-davis said in The Myth of Security is Layers:

@tim_g said in The Myth of Security is Layers:

Has nothing to do with layers. They serve completely different functions.

Correct. What analogy would you use to talk to a non technical person about all the things we do in the name of security?

Mention examples from non-tech perhaps.

Like a store. Do you lock the door? Yes. Do you still hire a guard? Yes. Do you still have an alarm? Yes. Do you still call the cops if those things fail? Yes.

If AV means you don't need a firewall, then doesn't a door lock mean you don't need a guard or cops or alarms? Same thing here... each does a different function. Just because you locked the front door doesn't mean that you can not also lock the safe or employ a guard or have an alarm.

bigbear

IDK, Has anyone here ever watched Mad Men?

Its not a "wheel"... its a "time machine".

bigbear

Also @scottalanmiller I am not so sure you are right. The government has at least layers of firewall you have to hack down before you gain access...

Youtube Video