Jiu Jitsu vs InfoSec: Defense in Depth

Tim MalcomVetter
3 min readJul 29, 2020

This is part of a series comparing Jiu Jitsu with InfoSec.

Castles: Layered Defense in Depth

I already discussed this a little bit here, but I wanted to tease out a little more nuance.

In InfoSec, we don’t just rely on a single defensive control. We all know that. A modern email borne phish probably goes through something like this: SMTP sender validation, DNS domain categorization, message velocity throttling, previously unseen sender quarantines, content inspection (signatures, heuristics, and machine learning), attachment checking, link checking, document “detonation” (opening the document in a sandbox), behavioral analysis in that sandbox … then eventually landing on the endpoint, Anti-Virus, Endpoint Detection Response monitoring tools, metadata analysis of any executables or created processes, etc., etc. (and probably more secret sauce controls) all before the malware gets to execute, then it may also have outgoing/egress controls, more domain categorization checks, DNS/firewall blocks, etc.. This is DEFENSE IN DEPTH and pretty much required table stakes for any decent security program these days.

In Jiu Jitsu, it’s very similar, starting at the farthest distance you can keep your opponent to the point when your opponent is right on top of you. First it’s posture and grips as your opponent approaches. Then Open guard. Then framing up with feet on hips/shoulders before switching to a stronger frame like leg lasso, De La Riva, or X-guard, etc. As your opponent passes those, maybe it’s knee shield, and hopefully closed guard or at least half guard, but if not, at least you can still put in frames so that you can eventually make space, shrimp out, and escape. As each layered defense is broken and passed, you can fail downward to the next defensive guard strategy.

As a white belt, you may not have as many layers (maybe just one!), so when your opponent passes open guard, maybe they can prevent you from putting in a new frame and it’s just time for you to enjoy side control bottom for the next 6 minutes!

The same is true for “white belt” level security programs. Maybe all you have is really simple Anti-Virus, and you wonder why your adversary took control of your environment — not that you noticed until they deployed ransomware everywhere. That would be equivalent to not realizing your jiu jitsu guard was passed until the submission was fully in place. Yet, we read news articles about this happening to organizations every single week.

Layers give you more time

When your leg lasso guard gets passed, maybe you can fall back to knee shield quick enough to buy time and come up with a new strategy to submit, or maybe at least to wait until your opponent plays into a sweep you know so you can gain a dominant position.

When your email ingress stack catches some attempted phishes and throws them in the trash, but you take time to peruse what is discarded to collect some intelligence, maybe you can see your opponent telegraphing to you what they plan on doing next — maybe the only reason the phish failed is the send velocity was too high. Scary! If they had sent fewer emails, maybe the entire attack chain would have worked. Appreciate the opportunity to find these holes in your “guard,” tighten up, and layer up some more.

No security control is perfect. No BJJ guard is perfect (probably — I’m still learning). Do yourself a favor and add more layers.

Continue this series: Jiu Jitsu vs InfoSec — Mean Time to Detect.