How to design security controls
You, a security consultant, wake up in medieval Europe.
You’ve been hired by a feudal lord, who has inherited a castle, some land, and a couple serfs, and is looking to secure his property. Luckily, right now, you just need to come up with a list of defensive security controls for him to put in place.
Here’s how I’d approach the problem.
Identify the threats
Regardless of whether you work in information security, national security, physical security, or another branch of security, you’re dealing with at least one active adversary.
Security is the only field — by definition — where this is true.
You need to identify your threats so you know what you need to protect against — but also so you know what you don’t need to protect against. After all, there’s no such thing as being “secure”— there’s only being secure against a particular threat.
Here are the threats we identify:
- Casual thieves that occasionally swipe our serfs’ crops
- Criminal gangs that attack our castle and steal our gold
- Rival lords who send their armies over in hopes of conquering our lands
Here are some threats that could occur, but we’ve decided, for whatever reason, that they’re rare and don’t warrant protecting against:
- Our king invading our territory to dethrone us
- Our knights staging a coup
Understand each threat
Of course, listing each threat is not enough. For each threat, I’d also ask:
- What motivates this actor?
- How capable is this actor?
- What are some attacks this actor has carried out?
- What are some tools this actor uses? Techniques?
Example: rival lords
Let’s go these questions for rival lords.
- Rival lords are motivated by a desire to increase their power and tax base through conquest.
- Rival lords have small armies of 20–30 knights and 200–300 foot soldiers.
- We’d detail attacks, tools, and techniques used by this adversary as well.
Think of measures that help prevent/detect/respond each threat
Now that we understand our threats, we can start thinking of defenses against them.
If you think about it, almost all defensive measures fall into three categories: prevention, detection, and response.
Think about a security tool. Chances are, its purpose is to either prevent, detect, or respond.
You can further break down “respond” into “contain”, “investigate”, and “remediate”, in my view.
Let’s go through some modern day examples:
- Prevent: BeyondCorp, firewalls, antivirus, email scanning
- Detect: EDR, threat hunting, SIEM, UEBA
- Respond: EDR, cyber risk insurance, SIEM
Example: Rival lords
Now, let’s apply this framework to help us brainstorm defenses against rival lords.
Prevent
- Establish alliances with rival lords so they (1) don’t attack us and (2) as deterrence against other lords
- Build up our military, also as deterrence
- Bribery
Detect
- Position guards around our borders
- Hire spies
- Develop an intelligence sharing program with other governments
- Install an alarm system throughout your lands
Respond
- Attack the invaders with your military
- Send a diplomat to try to end the battle without violence
You get the point…we can put in place a solid set of controls for defense in depth using this approach.
One thing I like to do is to break down prevent/detect/respond further, this way:
- Prevent: deter, stop attacks
- Detect
- Respond: delay, contain, investigate, remediate
Kill chains
Let’s go a step further.
We can draw out the kill chain for each of our adversaries, along with controls for preventing/detecting/responding to each phase in each adversary’s kill chain.
Example: rival lords
Say the rival lords’ kill chain looks like this:
- Hire spies to figure out the best time to attack you
- Recruit an army
- Take over and pillage the city
- Assassinate the king
Now, let’s think of some ways to defend against the first phase in this kill chain.
Defending against spying
- Deter: Punish the first few spies you catch harshly
- Stop: Place strict limits on who can access sensitive information
- Detect: Set up a counterintelligence program
- Delay: Ban suspected spies from leaving the kingdom for few months
- Contain: Not sure!
- Investigate: Log who viewed what information, and when
- Remediate: Not sure!
Before long, you’ll have a long list of controls you can start implementing!
Thanks for reading! If you like this, check out my GitHub repo on security engineering. It lists some other things I’d do if the goal was to secure the property, period, like minimizing attack surface and drawing an attack tree.
