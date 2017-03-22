Boston -- Complete with swords and golden goblets and suited knights, this year's Secure World conference in Boston decided to turn back time -- to fortified castles in medieval times -- in order to highlight the strategies of defense in depth that have transcended time and generation.

In his presentation, "Surviving the Siege: Medieval Lessons in Modern Security", John O'Leary, president of O'Leary Management Education, talked about protecting castles then and now.

Asking participants to adopt a medieval mindset, O'Leary had the audience place themselves in the position of a defender sitting high above the hilltop entrenched in the defensive fortifications of their castles.

The vantage point allowed them to see what the peasants were up to and afforded them the chance to, "Crush dissent before it was problematic."

As it does now, security of old demanded agility. O'Leary said we saw the evolution of materials go from building with wood to constructing with stone, a reassurance of safety because it couldn't be burned to the ground. Stone, said O'Leary, allowed them to withstand long sieges, dissuaded potential invaders, augmented the natural terrain defenses.

Key to defending the castle were the, "High thick walls with multiple defense positions that minimized the chance of breaches and allowed defensive fire from all positions," O'Leary said.

The concentric ring architecture was used to keep the most valuable things and people protected, to delay besiegers, to recover from the shock and strength of the initial assaults, and to trap invaders in those circles, said O'Leary.

All of these structures from the moat to the drawbridge and the portcullis and the gatehouse were what is now known as defense in depth. Given that the most vulnerable point was someone getting in the door, the passageways were filled with traps, and the ceilings filled with murder holes through which the defenders would pour boiling oil down on attackers.

"Can you do that with hackers today?" O'Leary asked, to which many in the audience offered a unanimous, "We wish."

So what was the point of this journey through time?

Enterprise security today is remarkably similar to surviving a siege in Medieval times.

The needs of the knights were little different from the needs of today's security practitioners. The digital gatehouse still demands winding passageways and gates and doors and traps that are designed to be impassible.

The success of defense in depth, though, relies on the availability of materials, proper construction of technology, willing and able workers, and advances in weaponry as O'Leary said.

"But there are fallbacks," O'Leary said. "You have to have concealed valuables and escape routes, which are all good, but are also exploitable weaknesses. If you can go out that way, you can come in that way too," said O'Leary.

The demands of today's information security practitioners, though, are far more complex when it comes to the challenges of protecting against intrusions, compromise, data destruction or manipulation, human mistakes--intentional or unintentional, and targeted or random attacks.

Unlike those who were trying to survive a castle siege, today's defenders are challenged by the fact that the attack surface is not confined to perimeter. Security practitioners now have to worry about the number of entry points, the number of open ports, third-party connections, and trusted access privileges, all without ever pulling up the drawbridge.

Today's security must support agility and allow for quick changes without allowing the knights to go out and plunder other castles, said O'Leary.

For those who are new to security, the best advice to come from O'Leary's presentation is to understand that the old philosophy of "defend to the death is not realistic for most 2017 businesses."

Understanding that no one product or service will protect the whole castle is critical to knowing how to stack your defenses. O'Leary said, "Look in all directions, including internally. Assume the bad guys are in the castle, so there will be no loud noises and no signs of forced entry."

Then he encouraged all to go out and slay some dragons.

