Written by Nick Defoe, OSCP, Director of Information Security, US Signal
Updated: June 2024
When it comes to securing modern technology environments, it’s common for practitioners to seek a magical silver bullet that will remedy all their security problems. This might take the form of a new “blinky box” such as a firewall, a security information and event management (SIEM) solution, or a cloud-hosted extended detection and response (XDR) solution. Unfortunately, these kinds of services and technologies never quite live up to their promises. Security holes remain to be exploited, or attack patterns evolve past the current state of protection.
A more effective approach is to look at security from a holistic perspective and build a system that minimizes the impact of any one protection being bypassed. Defense in Depth (DiD) is a mindset along those lines. It builds multiple layers of controls that complement each other in protecting critical data.
What Is Defense-in-Depth?
The main idea behind DiD is that if any one security control protecting critical systems or information is compromised, another control is in place to stop or limit the impact of the attack. This is also referred to as “layered security.” Still, the DiD model is generally more thorough because it requires looking at how systems work together to offer protection, rather than simply putting one control behind another.
In terms of a basic network, this could mean having the following controls in place, each of which must be bypassed to compromise critical data:
An EDR solution that uses continuous monitoring, real-time visibility, behavioral analysis and threat intelligence applied to endpoints to prevent an incident from turning into a breach.
A firewall on the network edge that restricts access to certain ports or limits what data can leave the network.
An intrusion prevention system (IPS) that detects potential attacks and blocks attackers.
Network traffic analysis on the internal network to detect and alert on threats moving inside the network.
Multifactor authentication on any systems that are internet-facing or have administrator privileges.
A segmented internal network that limits access to internal systems.
Authentication on internal systems using strong passwords.
Logging and alerting on systems near the ‘crown jewels’ to flag unusual or unexpected activity.
With this many security controls, adversaries face a complex obstacle course to navigate from the network edge into the inner sanctum. These are different types of controls (preventive, detective and responsive), providing multiple choke points to contain the threat or, at a minimum, alerting that malicious activity is occurring.
This highlights the main advantage that defenders have when it comes to the security posture of their organizations: the network (or systems) can be built to be hostile toward attackers. These additional defenses, each with a different strength or perspective, increase the amount of work it takes attackers to get to what they want, resulting in a security win for the organization.
How Does Defense-In-Depth Work?
A defense-in-depth strategy is a layered approach to cybersecurity you can apply to all levels of your IT systems. The premise of a DiD strategy is that no single layer of security can fully protect an entire organization. As there are multiple cyber threats, there must be numerous solutions.
Hackers are adept at finding vulnerabilities in any system, so the DiD model uses a series of defenses to close the gaps created by a single solution. By building layers of security, you can reduce the chance of a single breach occurring within your systems. If malicious actors get through your defenses, the damage is minimized by preventing further access.
The Layered Defense-in-Depth Model
The defense-in-depth model consists of a multifaceted cybersecurity approach, providing additional defenses for your critical data. The layers you see in our defense-in-depth diagram include:
1. Perimeter Security
As the name suggests, this layer of security is similar to the perimeter of a house. Many cyber attacks are internal — intentional or unintentional — and come from within the organization's internal network. Perimeter defense network security systems include routers, proxy servers and firewalls.
2. Network Security
This layer of protection focuses on mitigating the potential threats found in workstations connected to your business network. Host protection helps prevent anyone from attacking from within the network and protects the data at the workstation from anyone who manages to break through the firewall.
3. Endpoint Security
Endpoint security protects the entry points represented by end-user devices: the laptops, mobile phones and desktops your team uses daily. Because these devices are connected to your network, a cyber attack on one of them could cause massive damage to your entire system. Protecting these commonly used endpoints includes malware, ransomware and zero-day threat mitigation.
4. Application and OS Security
Access to operating systems can result in compromised network security. Depending on your organizational needs, traffic is regulated at the perimeter, but the applications that use the traffic run on different web servers. The applications and web servers run on operating systems.
Users with access to the OS can put the integrity and availability of the firewall at risk, exposing critical network resources to internal and external security threats. Weak points in the operating systems and servers need patching. Applying all appropriate and available security features to this integral layer is critical to overall network security.
5. Data and Information Protection
On-premises security is paramount, but your valuable data also needs to be protected when your team takes their computers off the premises. Data protection is broken down into the following categories:
Operating system security: This branch of data protection covers standard operating systems and service best practices.
Sensitive data storage: Sensitive data storage covers server-based data and any data on a laptop or desktop.
Data encryption: Encrypting data ensures if hackers access it, they still can’t decode and use it.
The Benefits of a Defense-In-Depth Cybersecurity Strategy
Implementing a defense-in-depth security strategy has many benefits for businesses handling sensitive data, like:
Eliminating redundancy: As your system comprises multiple layers, a well-executed defense-in-depth method will remove redundancies in your system. Each layer of the system has a role, preventing systems from competing for resources in the event of an attack.
Promoting efficiency: Defense-in-depth is an efficient method of countering threats. The layers in place will prevent or slow cyber attacks, so IT teams have plenty of time to devise countermeasures and protect sensitive data.
Managing diversity: With multiple layers of security targeting different threats, your business can handle various threats at any system element.
Minimizing human error: Human error is a significant concern for any business, whether unintentional or not. If there is an error in one section of your system, your defense-in-depth security will prevent it from spreading to other systems.
Taking a preventive approach: The best defense-in-depth systems can do more than prevent an ongoing attack — they can recognize behaviors that might result in a breach and stop them early. Proactive approaches like intrusion detection can save your business time and money in the event of an attack.
Email Security Gateway – Preventive Control
An email gateway filters out phishing emails based on various sets of rules, heuristics and more advanced means such as machine learning or artificial intelligence. While these systems are good at eliminating commodity-grade spam from inboxes, they can still be bypassed by spear phishing attacks or other social engineering campaigns.
Link Tracking for Email – Detective Control
Link tracking technology is a newer control that helps defenders by allowing for visibility into the links that are clicked within email messages. For example, an email with a malicious link makes it past the email gateway and a user clicks that link. The purpose of link tracking is to be able to determine retroactively who within the organization may have visited that site.
User Awareness Training – Preventive Control
Since email gateways aren’t perfect, educating end users on identifying malicious emails is necessary. Especially where social engineering is involved, it can be challenging for automated systems to verify threats. Ideally, users also need a mechanism for reporting malicious messages that make it into their inboxes.
Automated Email Pullback – Responsive Control
Let’s say another email gets through the email gateway, but a user identifies it as malicious. It’s flagged as a potential phish. Usually, the act of flagging removes the email from the inbox to prevent further interaction with the message. Taking this a step further, some email systems will then look for the same message in other users’ inboxes and pull it back to protect those other users from clicking.
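As an added illustration of the pullback logic (example code, not part of the original article or any US Signal product), the following Python matches a reported message against constructed inboxes by a content fingerprint rather than by its Message-ID header, so copies that were given different IDs or stray whitespace are still removed. The mailbox data, addresses and hostnames are all constructed placeholders.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass
class Message:
    message_id: str
    sender: str
    subject: str
    body: str


def message_fingerprint(msg: Message) -> str:
    """Hash sender, subject and whitespace-normalised body so copies of the same
    phish match even when each copy carries a different Message-ID header."""
    normalised = "\n".join([msg.sender.strip().lower(),
                            msg.subject.strip().lower(),
                            " ".join(msg.body.split())])
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def pull_back(reported: Message, mailboxes: dict[str, list[Message]]) -> dict[str, int]:
    """Remove every copy of the reported message from every mailbox (in place) and
    return how many copies were pulled from each affected user."""
    target = message_fingerprint(reported)
    pulled: dict[str, int] = {}
    for user, inbox in mailboxes.items():
        kept = [m for m in inbox if message_fingerprint(m) != target]
        if len(kept) != len(inbox):
            pulled[user] = len(inbox) - len(kept)
            inbox[:] = kept
    return pulled


def sample_mailboxes() -> dict[str, list[Message]]:
    """Constructed inboxes: one lure landed with alice, bob and carol (carol's copy
    has a different Message-ID and stray whitespace); bob also has a genuine mail."""
    lure = ("it-helpdesk@example.invalid", "Password expires today",
            "Your password expires today. Sign in at https://portal.example.invalid/reset now.")
    return {
        "alice": [Message("<a1@example.invalid>", *lure)],
        "bob": [Message("<a1@example.invalid>", *lure),
                Message("<b2@example.invalid>", "hr@example.invalid",
                        "Holiday schedule", "The office is closed on Monday.")],
        "carol": [Message("<c3@example.invalid>", lure[0], lure[1] + " ",
                          lure[2].replace(". ", ".  "))],
    }
```

Calling pull_back(boxes["alice"][0], boxes) on sample_mailboxes() pulls one copy from each of the three users and leaves bob's holiday notice untouched; a production version would also normalise per-recipient tracking links in the body before hashing.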
Two-Factor Authentication – Preventive Control
Even the best security mechanisms sometimes fail. Let’s say a social engineering email made it past all of the protections in place, and a user entered his or her credentials into an Office 365 credential phishing website. That could be disastrous. If that user’s inbox requires two-factor authentication (2FA), the attacker couldn’t access the email box. Microsoft has advised that 99.9% of Office 365 account compromise attempts are stopped when multifactor authentication is used.
Browser Isolation – Preventive Control
Browser isolation is a newer type of protective control that’s been gaining traction. In a scenario where a malicious email gets delivered to a user who clicks the link, browser isolation can protect the system. It will open the link in a remote web browser rather than on the actual user’s own system. This moves the risk of compromise away from the more sensitive information on the user’s PC.
Endpoint Detection and Response – Preventive Control
Let’s say that an attacker sends a phishing email prompting the end user to visit a website, designed to look legitimate, and input his or her credentials. If the attacker successfully obtains the user’s credentials and then tries to use them to log in, the EDR monitors the activity, identifies it as suspicious based on AI and machine learning, sends an alert, and prevents any malicious activity before it occurs — even when it is under the guise of a legitimate login.
SSL Decrypting Firewall and Network Traffic Analysis – Detective Control
Consider this scenario: a malicious payload made it past the email gateway and the user’s suspicions. It evaded the endpoint protection when run on the user’s PC. There are still opportunities to halt this malicious activity. Suppose the network has SSL decryption and network traffic analysis in place. In that case, the defenders should be able to identify the Command and Control (C2) traffic on the network and remediate the problem swiftly.
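To show what identifying C2 traffic on the network can mean in practice, here is an added Python example (not from the article or any US Signal product) that runs a beaconing check over a constructed connection log: it groups flows by source and destination and flags pairs whose connection intervals are too regular to be human browsing. The addresses and hostnames are constructed placeholders, and because the check relies only on timing it applies to encrypted and decrypted sessions alike.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log, one flow per line: "epoch_seconds src_ip dst_host bytes_out".
# 10.0.0.12 contacts updates.example.invalid about every 60 s (timer-driven) and
# intranet.example.invalid at irregular, human-driven intervals.
SAMPLE_LOG = """\
1717400000 10.0.0.12 updates.example.invalid 512
1717400000 10.0.0.12 intranet.example.invalid 2048
1717400007 10.0.0.12 intranet.example.invalid 4096
1717400061 10.0.0.12 updates.example.invalid 510
1717400119 10.0.0.12 updates.example.invalid 514
1717400150 10.0.0.12 intranet.example.invalid 300
1717400155 10.0.0.12 intranet.example.invalid 9000
1717400181 10.0.0.12 updates.example.invalid 511
1717400240 10.0.0.12 updates.example.invalid 509
1717400302 10.0.0.12 updates.example.invalid 513
1717400359 10.0.0.12 updates.example.invalid 512
1717400400 10.0.0.12 intranet.example.invalid 1200
1717400402 10.0.0.12 intranet.example.invalid 700
"""


def parse_flows(text):
    """Parse the log into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        flows.append((int(ts), src, dst, int(size)))
    return flows


def find_beacons(flows, min_connections=6, max_cv=0.2):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.
    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    successive connections: human browsing scores high, a timer-driven implant low."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        stamps_by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            flagged[pair] = {"connections": len(stamps), "mean_interval": avg, "cv": cv}
    return flagged
```

Only the updates.example.invalid pair is flagged (seven connections, mean interval just under 60 s, CV around 0.03); real implants add jitter, so the thresholds are tuning knobs to set against your own baseline rather than fixed values.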
You can see how different mechanisms layer together to form a much stronger overall security posture than when any one technology sits in one point in the mail flow, looking at things from a single perspective. That’s the essence of DiD.
How Do Businesses Implement and Execute a DiD Strategy?
The countless benefits of DiD security may require considerable changes to your existing systems. DiD strategies need a layered security architecture that covers all control measures, from physical controls to substantial network security. Working with a data center service provider could be the most effective method of implementing such a complex and comprehensive strategy.
Together with your IT service provider, your DiD strategy will take the following into account:
Physical controls: These security measures are designed to prevent access to physical infrastructure, such as alarm systems and security guards.
Technical controls: Specialized hardware or software, including firewalls and anti-virus programs, help protect assets within your network systems and resources.
Administrative controls: These are the policies and procedures of an organization, such as rules and regulations for employees to abide by when handling data.
Access measures: These systems prevent unauthorized parties from accessing your network using authentication controls, timed access, biometrics and VPNs.
Workstation controls: Each workstation represents a potential threat to your entire network, so workstations have defense measures to prevent phishing and malware, such as anti-spam and anti-virus software.
Perimeter defenses: These include intrusion detection and prevention systems and firewalls.
Monitoring and prevention: Identifying patterns in network activity helps you recognize suspicious behavior; measures include logging and auditing network activity, scanning for vulnerabilities and sandboxing.
Steps to Implement Defense-In-Depth Strategies
Once you have designed your DiD strategy, you must implement it throughout every level of your business. Consider the following steps to get started:
Provide training: Your employees need to know how to access your network safely and prevent unintentional security breaches.
Add physical security: If you host your server or people can access sensitive data on-site, consider what physical security measures you can take to protect it. You could include video surveillance, security guards and firewalls, depending on your needs.
Provide technical controls: Implement data encryption and an intrusion detection system to protect your internal network, antivirus software on your endpoints, and security certification for your client-facing website.
Create a security policy: Develop and refine your security policies and procedures to meet your business objectives and align with your needs. Communicate these well-defined procedures to every member of staff.
Audit your system: Alongside your IT provider, audit your system carefully to measure its performance. Identify opportunities for improvement and remember, your system is a work in progress.
US Signal Is Here to Help
The solutions that US Signal offers can be a part of a comprehensive DiD strategy and contribute to a more resilient architecture. Services to consider include Vulnerability Management as a Service, Endpoint Detection and Response, and Managed Firewall.
Assessing your organization's current security posture is a good place to start in determining what is needed to fortify your overall defenses. US Signal’s advisory and assessment services are available on a one-time basis or can be set up as an ongoing engagement. They include:
NIST Cyber Security Framework ("CSF") Assessment
Cyber Security Program Maturity Assessment
Security Framework Gap Analysis
Phishing-Social Engineering Assessments
Risk Assessments
Ransomware Assessments
Plan and Execute Your Defense-In-Depth Security Strategy With US Signal
Founded in 2001, we at US Signal have consistently expanded our solutions portfolio to align with the ever-changing technological business space. Our services are powered by our robust, secure fiber network. Partnering with US Signal grants you access to expert support 24/7, all year round.
US Signal can help you architect a security solution to maintain your competitive edge. Call us at (866) 274-4625 or contact us online today, and someone from our sales team will reach out with all the information you need to get started.