What is Defense in Depth? Strengthen your Security

What is Defense in Depth?

The cybersecurity profession borrowed the concept of DiD from the military, which has historically created multiple physical perimeters around a target. A medieval castle, for example, had a moat, high stone walls, special windows designed for shooting arrows, and walkways atop the walls where defenders could pour boiling water on anyone climbing up the walls. The moat, the walls, the arrows—each was part of a defense-in-depth strategy. On their own, they might not work well, but collectively, they created a strong defensive barrier.

So it is in cybersecurity, give or take. An attack target, like a database, has a depth of defenses that include physical barriers against manipulation of hardware, network access controls, passwords, and threat detection systems. These are the equivalent of a military’s concentric perimeters. As a whole, these countermeasures create better security than they would on a standalone basis. That’s DiD.

How does Defense in Depth work?

There is no single, standardized way to implement DiD. It’s dynamic, changing as newer methods arise and workload requirements change. Different workloads and organizational security priorities will dictate how a security team will set up its DiD architecture. In general, though, DiD usually works through a combination of the following types of controls:

Physical — In this era of cloud computing, it’s easy to forget that hardware, including servers, storage arrays, network switches and the like, is vulnerable to physical interference. With physical access to a server, for example, an attacker could install a root kit on the spot and hijack the machine. To prevent this from occurring, data centers employ physical controls like biometric scanners, alarms, video surveillance, and so forth.

Technical — These include software- and hardware-based controls that mitigate network-borne threats like distributed denial of service (DDoS) attacks, malware, phishing, and ransomware. Technologies like firewalls, secure web gateways (SWGs), and extended detection and response (XDR) solutions help realize the technical controls that migrate threats coming over the network.

Administrative — This is the arena of security policy. Administrative controls include identity and access management (IAM) and password rules. If you’re managing an AWS environment for example, this would be your responsibility according to the Shared Responsibility Model. This model ironically is a great example of a DiD strategy.

What are the elements of Defense in Depth?

DiD takes shape as security managers apply the controls outlined above according to the dominant principles of cybersecurity. These are the core elements of DiD:

Least-privilege access — Setting a policy that a user should only have the fewest possible privileges is a way to execute a defense-in-depth strategy. This way, if a malicious actor gains access to the network, his ability to breach sensitive data or disrupt operations will be limited.

Secure development and supply chain — Software must be subject to security controls as it makes its way from development through testing and into production. This practice ensures that new software will not introduce vulnerabilities. The software supply chain must also be similarly secured. Blocking an attacker’s path through software adds a tier of defense in a DiD architecture.

Network segmentation — Separating sensitive applications and data onto different network segments is an effective way to bar malicious actors from “lateral movement” across a network. This practice acts like the castle walls. If an attacker crosses the moat, he still has to scale the wall.

Behavioral monitoring and analysis — Even with multiple tiers of countermeasures, attackers can still get through. Insiders also pose a threat. To mitigate this risk, it is necessary to engage in constant monitoring and analysis of user and system behavior. This process can identify anomalous events that could suggest an attack is underway.

Zero trust — With its foundational rule of “never trust, always verify,” Zero Trust prevents much unauthorized access. It adds to the effectiveness of a DiD architecture.

Resiliency — The ability to restore IT operations is another tier of DiD. With strong backup and restore functions in place, an organization can recover from even a serious cyber incident, such as a ransomware attack.

What is layered security?

Some people describe DiD as “layered security,” but while each area of DiD protection might be referred to as a layer, the term ‘layered security’ means something different in cybersecurity circles. Layered security refers to deploying multiple security tools to address a single area of security. For example, a firewall and an intrusion prevention system (IPS) both block unwanted access, but they achieve this goal in different ways. Each is a layer of security that works against network penetration.

How does layered security differ from integrated security?

Integrated security is an approach to cybersecurity that relies on connecting multiple security tools to achieve more effective overall threat detection and response. An integrated security model could complement a layered security architecture, connecting different layers into a coherent stack.

For example, firewalls and antivirus software can be integrated with a security incident and event management (SIEM) solution. The SIEM ingests and analyzes data from the firewall and antivirus software to detect threats that neither tool saw on its own. The SIEM may also be integrated with incident response platforms, such as security automation, orchestration, and response (SOAR)—enabling better responses to attacks than are not possible with piecemeal or overly manual processes.