Saturday, January 27, 2007

Defense in Depth

My wife and I got married at the Plaza Hotel in New York on Saturday February 2nd, 2002.

It almost didn’t happen. Three hours before the wedding was supposed to start, I found myself on the wrong side of a police line, trapped in a dinner suit and bow tie among three hundred anti-globalists demonstrating against the World Economic Forum meetings taking place in the hotel.

As the demonstrators chanted, I pushed my way through to the front and positioned myself in front of one of the NYPD riot police. “Look,” I said, pointing to my Brioni dinner suit. “I’m not a demonstrator. I’m here to get married. I just went out to get some cuff-links.”

“You have ID? A room key?” the NYPD cop said. “No,” I said. “I left them upstairs because I’ve put on ten pounds since I bought this suit and I can’t fit a playing card in any of the pockets, let alone my wallet. All I have is twenty dollars and change.”

The cop looked me up and down. I certainly didn’t look like any of the protesters. He sighed and lifted the rope.

I thanked him and ran around through the snow to the main entrance as the demonstrators kept up their chanting. A Plaza doorman in a red coat and gloves stopped me and asked me for my room key. I told him the same story, adding that we had booked the White and Gold room for our wedding. He looked me up and down and waved me up the stairs.

I dashed to the elevator, keen to ensure that the room was ready, and pressed the button for the second floor. The door opened and I stepped out and walked ten feet to the White and Gold room and opened the door - and suddenly found myself face to face with the Russian President, Vladimir Putin.

He was seated at a long table with many other men and women in suits. He looked up at me like he expected me to be delivering some form of urgent news. The bodyguards looked at me wide-eyed like I was a terrorist (this was NYC, barely four months after 9/11, after all, and I was wearing a dinner suit from 007’s tailor). The nearest Russian grabbed me by the elbow and hustled me out of the room.

“I am supposed to be getting married in this room in less than two hours,” I told him in a forced whisper, as he closed the door. He stopped and scrutinized my face. Then he smiled. His shoulders dropped. The bodyguard in him relaxed.

“We will be finished soon,” he said.

“You promise?” I said.

“I promise,” he said.

I nodded and turned back to the lift, tailed by two more Russians. I got in, went and had a coffee, and came back forty minutes later to find the room full of flowers. One hour and fifteen minutes later, we were married.

Which brings me to the point of this story: none of this should have been possible. This conference should have been impregnable. The fact that it did happen is not the fault of any one individual - it just shows that the security architects of the conference did not use a coordinated Defense in Depth strategy.

Let’s examine. In an environment known to have hazards (post 9/11 New York City), two forms of perimeter security protecting some extremely important assets (world leaders) were compromised in a matter of minutes by a guy without any authorized right to access the perimeter, using a relatively easy-to-rent form of dress (a tuxedo), a well-engineered story (the wedding), and some relevant knowledge (the White and Gold room). The final form of security (let’s call Putin’s security detail the “end point security” to complete the analogy) was caught by surprise - I suspect because of the proximity of the elevator, and the fact that I looked like a waiter.

Defense in Depth is not difficult to conceive in theory, but it’s a hard thing to implement in practice. It requires layering of integrated “best of breed” technologies, and effective communication between the detection mechanisms and the reporting framework. There are very few companies that enable this, and no other companies that I know of that can do this “out of the box”.

Peter Laakkonen, one of the founders of F-Secure and now Kaspersky Labs’ main executive in the US, dropped by our offices to say “hi” last week. We like Kaspersky’s antivirus technology - so much so, that we just became licensees. One of the reasons we did was so we can extend the Authentium ESP platform to include multiple “best of breed” antivirus approaches. Doing this enables “Defense in Depth” - the ability to stop viruses using multiple methods and multiple databases, at different places on the network.

I’ve been in this business a long time now. So has Peter. Our firms have two of the largest malware databases in the world, and our engines are both super-efficient, professional-grade solutions. Before Peter left, we agreed that combining Authentium and Kaspersky antivirus technologies at different points on the network is a great way of enabling Defense in Depth.
