Jiu Jitsu vs InfoSec: Layers of Defense

Dover Castle

This is part of a series comparing Jiu Jitsu with InfoSec.

In BJJ, there are layers upon layers of defense (see Jiu Jitsu vs InfoSec: Chess). Moves and counter-moves, many of which have been developed in the last few years — it’s still an evolving sport. Some movements are even more beneficial for certain body types. For example, tall and lanky BJJ players may excel at spider guard while heavy players may excel at more of a grind game.

Your BJJ game styles may also be dependent upon your opponent. Maybe you are good at De La Riva Guard, but your opponent has seen it before and knows escapes. Maybe you like to pull guard, but your opponent immediately goes for heel or leg locks. It’s good to be fluent in several different styles of game play so that when you discover one defense is ineffective, you have another as a backup ready to go. Don’t be a one-trick pony.

InfoSec is no different.

It’s 2017. If you still think that “next gen firewall” is keeping all the hackers out … well, stop reading this article and correct that falsehood. That’s not to say you should throw that product out. Instead, if you’ve been around the InfoSec game a while, you’ll know just how important layers are. We deploy firewalls, segment networks, inspect ingress and egress traffic, yet we still deploy endpoint security controls, log as much as we can, and test for gaps in our security stacks. The fact that we often call them “stacks” is a direct indication of the layered approach. We liken this to how modern ocean vessels can have a compartment of their hull breached and sealed off, keeping the entirety of the ship afloat and limiting the damage.

When we read about breaches, we tend to notice that either no defensive layers were in place for the given exploit chain, or several layers failed to contain the attack. InfoSec pros who Monday Morning Quarterback the breach will wax about how the affected org should have introduced X security control — another layer in the approach.

It’s no different than watching a BJJ match and “in the know” spectators commenting how the winning player performed an offensive move for which the losing player had no additional defensive layer ready to go. Get your layers in place.

Read more: Jiu Jitsu vs InfoSec: Competition vs Self-Defense

Red Team Leader at Fortune 1. I left my clever profile in my other social network: https://www.linkedin.com/in/malcomvetter
