Measuring and Improving the Effectiveness of Defense-in-Depth Postures

Published: January 26, 2017


Peter M. Mell, James Shook, Richard Harang


Defense-in-depth is an important security architecture principle that has significant application to industrial control systems (ICS), cloud services, storehouses of sensitive data, and many other areas. We claim that an ideal defense-in-depth posture is 'deep', containing many layers of security, and 'narrow', i.e., the number of node-independent attack paths is minimized. Unfortunately, accurately calculating both depth and width is difficult using standard graph algorithms because of a lack of independence between multiple vulnerability instances (i.e., if an attacker can penetrate a particular vulnerability on one host, then they can likely penetrate the same vulnerability on another host). To address this, we represent known weaknesses and vulnerabilities as a type of colored attack graph. We measure depth and width by solving the shortest color path and minimum color cut problems. We prove both of these problems to be NP-Hard and thus, for our solution, provide a suite of greedy heuristics. We then empirically apply our approach to large randomly generated networks as well as to ICS networks generated from a published ICS attack template. Lastly, we discuss how to use these results to help guide improvements to defense-in-depth postures.
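As an added illustration (not code from the paper or its authors), the following Python models a small colored attack graph: each edge is labelled with the vulnerability exploited to traverse it, and the same vulnerability on different hosts shares a color. It computes the shortest color path (depth) and the minimum color cut (width) by exact subset enumeration, which stands in for the paper's greedy heuristics and only scales to toy graphs, and contrasts the color cut with a classic node cut; the network, host names and vulnerability labels A to C are constructed.

```python
from collections import deque
from itertools import combinations

# Constructed example: a directed attack graph of an ICS-style network. Each edge carries
# the vulnerability ("color") exploited to traverse it; one vulnerability on several hosts
# shares a color, so those instances are not independent.
EDGES = [
    ("attacker", "web1", "A"), ("attacker", "web2", "A"),  # same web vuln on two hosts
    ("web1", "app1", "B"), ("web2", "app2", "B"),          # same app vuln on two hosts
    ("app1", "plc", "C"), ("app2", "plc", "C"),            # same PLC vuln, two routes
    ("app1", "hist", "B"), ("hist", "plc", "B"),           # vuln B reused deeper in
]

def reachable(edges, allowed_colors, removed_nodes, src, dst):
    """BFS from src to dst using only edges of allowed colors and avoiding removed nodes."""
    adj = {}
    for u, v, c in edges:
        if c in allowed_colors and u not in removed_nodes and v not in removed_nodes:
            adj.setdefault(u, []).append(v)
    seen, queue = {src}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            return True
        for v in adj.get(u, []):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return False

def smallest_subset(items, holds):
    """Smallest subset of items (as a set) for which holds() is true; exact, exponential search."""
    for k in range(len(items) + 1):
        for subset in combinations(items, k):
            if holds(set(subset)):
                return set(subset)

def shortest_color_path(edges, src, dst):
    """Depth: fewest distinct colors an attacker must exploit to get from src to dst."""
    cols = sorted({c for _, _, c in edges})
    return smallest_subset(cols, lambda s: reachable(edges, s, set(), src, dst))

def min_color_cut(edges, src, dst):
    """Width: fewest colors to patch (each everywhere it occurs) so src cannot reach dst."""
    cols = sorted({c for _, _, c in edges})
    return smallest_subset(cols, lambda s: not reachable(edges, set(cols) - s, set(), src, dst))

def min_node_cut(edges, src, dst):
    """Classic width for comparison: fewest intermediate hosts to remove so src cannot reach dst."""
    nodes = sorted({n for u, v, _ in edges for n in (u, v)} - {src, dst})
    cols = {c for _, _, c in edges}
    return smallest_subset(nodes, lambda s: not reachable(edges, cols, s, src, dst))
```

On this graph the hop-shortest path needs three vulnerabilities, but reusing B lowers the depth to two colors, and while two node-independent paths exist, patching a single vulnerability (color) everywhere already disconnects the attacker from the PLC.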
Proceedings Title: ICSS '16: Proceedings of the 2nd Annual Industrial Control System Security Workshop
Conference Dates: December 6, 2016
Conference Location: Los Angeles, CA
Conference Title: 2nd Annual Industrial Control System Security Workshop (part of the 2016 Annual Computer Security Applications Conference)
Pub Type: Conferences


Keywords: attack graph, defense in depth, measurement, security
Created January 26, 2017, Updated November 10, 2018