Are you defending the Maginot Line?

February 13, 2019

The Maginot Line in World War II was the French defense against invading German forces. It covered almost the entire perimeter of the country, was impervious to attacks from the air or ground, and had backup supply lines on the inside of the perimeter. It was well staffed with trained and experienced soldiers. It was hugely expensive, state-of-the-art, and considered impenetrable. It had been built by the world's most powerful military at the time, and they spared no expense.

Sound familiar? I'll bet it sounds like your own corporate network, as seen by management.

Now the French did leave one tiny gap... but it was only exposed to a trusted third party and not directly to the enemy. The French expected that if that ally got breached, there would be enough notice to secure that part after the third party ~~vendor~~ nation went down.

Sound familiar yet?

Now the Germans knew this defensive line was up. They also knew there was a way around if they only could breach the perimeter of Belgium and the Netherlands. Of course that would set off alarms, but they were prepared for that too. A section of the German army stood as a decoy along the Maginot Line so when the tanks rolled through Belgium and into France, the French were too busy defending against a decoy attack on the already impenetrable part of their defenses and spent no time at all watching the weakest link. The Germans strolled right past. And after the German tanks were in and the French forces moved to fight them, no one was defending the Maginot Line. One month from the time the Germans reached the Belgian border, Paris was captured and all was lost.

One of the most successful denial of service attacks of all time.

We can learn a lot from history, even in information security. Is your company's perimeter a Maginot Line? Well defended (except in the parts it's not) yet easily distracted? Every firewall deny alert you respond to from your SIEM could be the enemy forces distracting you. That's exactly how DoS breaches happen. Your SIEM becomes useless, your firewall overwhelmed, your analysts distracted... and then they turn your vendor-facing firewall into Belgium circa 1940.

How much money did you spend on your Maginot Line? How much time do you spend watching attacks that are already being blocked? And how many actual attacks do you miss because of it?