Justin Jackson - Director, Revenue Operations
The Bottom-Line Up Front: Don't assume your defenses are effective; instead, continuously test and probe them for weaknesses, because that is what your adversary is doing. These are lessons that have been painfully learned, both in the annals of military history and corporate conference calls following a major data breach.
It's hard to imagine today, but on the eve of World War II, French confidence in their ability to defend against a German attack was at an all-time high. Even after the Germans smashed through Poland, the commander of the French Armed Forces, General Maurice Gustave Gamelin, quipped that he would "be happy to make the Germans a gift of one billion francs if they would do him the favor of taking the initiative in an attack."
Of course, the Germans obliged, and within weeks the French ceded their independence – an event virtually unprecedented in modern French history.
With the benefit of hindsight, it is easy for us to look back and criticize French overconfidence. But the truth is, French leadership suffered the same misjudgment that befalls many companies today: The Fallacy of Impenetrable Walls.
The Fallacy of Impenetrable Walls:
A static, single-layer defense can and will be exploited by a determined enemy
LESSONS FROM "THE GREAT WAR"
The French learned a lot from World War I. Aside from growing mistrust of their neighbors to the East, they concluded that a strong defense was the key to deterring future invasions. The French military leadership, in turn, ditched the idea of offensive warfare, opting for a defensive strategy dubbed bataille conduite. This concept of "methodical battle" placed a premium on centralized command and control with heavy investment in defensive capabilities.
This strategy's manifestation was the seemingly impenetrable Maginot Line, an ambitious endeavor that enabled the French to allocate resources where they thought the Germans were most likely to attack.
But the enemy got a vote. So when German Panzers smashed through the Ardennes Forest – the one place the French thought impossible to traverse undetected – the French command was paralyzed with complete shock.
The impressive Maginot Line was defeated – not by brute force – but by a cunning adversary who also learned a valuable lesson from World War I. The French had no idea their gap was the Ardennes. The Germans did.
So, as history would have it, the French had fallen victim to the Fallacy of Impenetrable Walls.
STATIC, SINGLE-LAYER MINDSETS IN CYBERSECURITY TODAY
The mistake the French made wasn't investing in defensive capabilities. In fact, the Maginot Line did precisely what it was intended to do by forcing the Germans through limited avenues of approach. In that sense, it was a brilliant defensive strategy and one well worth its effort.
Where the French leadership erred was in relying on the outdated assumption that the Ardennes was impenetrable and that the Germans would attack as they had in a long-ago war. The ensuing false sense of security resulted in a fatal exposure. In this way, the French violated the critical concept of defense-in-depth – an oversight from which the French would never recover.
Many companies make the same mistake today. They pour hundreds of thousands of dollars into cybersecurity solutions and think they can "set it and forget it." This is unfortunate because cyber adversaries have access to the same solutions and never stop maneuvering to defeat them. And as they slip quietly past modern-day digital versions of the Ardennes, all of the investment made into those security programs is effectively nullified. For the cyber adversary, the fast road to Paris is paved by overlooked vulnerabilities.
WHAT CAN BE DONE?
So much of cybersecurity strategy today borrows from proven military defensive concepts, including the foundational idea of defense-in-depth. Defense-in-depth is fundamental to the design of a secure network. It stems from the certainty that software has flaws, people make configuration mistakes, and hardware/software devices fail.
Therefore, it is vital to deploy multiple layers of protection to account for the eventuality that one or several layers will fail.
Penetration testing is a popular way to validate the quality of cyber defenses, but it is only one aspect of fully understanding defense-in-depth readiness. To get a complete picture of potential and actual breaches, companies must consider external cyber risk assessments and threat hunts.
Effective external risk assessments take a threat-based view of a company's defensive posture enriched with an industry-specific analysis to gain insights into actual and potential exposures based on threat activity. Companies can leverage this intelligence to validate current defenses against likely threats and close the gaps they have.
Cyber threat hunting is a proactive security measure that takes information from a variety of sources, including penetration tests and external risk assessments, to conduct evidence-based investigations that aggressively uncover and contain damage related to a breach. Threat hunts get inside a company's defense and validate that a breach has not occurred. This is particularly important since the average breach remains undetected for over nine months, resulting in millions in preventable financial damage.
WHERE IS YOUR COMPANY'S ARDENNES?
Guarding against the Fallacy of Impenetrable Walls requires a minor mindset shift. Don't assume your defenses are effective; instead, continuously test and probe them for weaknesses, because that is what your adversary is doing.
Better that you uncover your vulnerabilities first, an investment that is a mere fraction of the breach cost. It is also a more efficient use of funds when compared to the cost of the "next-generation" enterprise security solutions, and, when done well, can be instrumental in illuminating unseen gaps in a company's digital defense.
Yet the reality remains. Every network has its attack vectors. And so every company has its own Ardennes. As much as things have changed, so much still remains the same.
There is nothing wrong with investing in your company's Maginot Line. But you can't get complacent – cover your gaps, probe for weaknesses, and test defenses regularly. And never, under ANY circumstance, bet your enemies a "billion francs" to take the initiative to attack.
They just might try (and probably already are).
Pathfynder is a service-disabled veteran-owned small business with offices in Washington, D.C. and Bozeman, Montana. Shaped by decades of US military and intelligence community experience, we provide cybersecurity expertise and solutions trusted by small and medium-sized businesses as well as Fortune 50 companies.