Moving Beyond “Blinky Box” Security to Defense-in-Depth Security

March 13, 2020
IT Security

Written by Nick Defoe, OSCP, Director of Information Security, US Signal

When it comes to securing modern technology environments, it is common for practitioners to seek a magical “silver bullet” that will remedy all their security problems. This might take the form of a new “blinky box” such as a firewall, SIEM, or cloud-hosted EDR. Unfortunately, these solutions never quite live up to their promises: security holes remain to be exploited, or attack patterns evolve past what the current protection was built to catch.

A more effective approach is to look at security from a holistic perspective and build a system that minimizes the impact of any one protection being bypassed. Defense in Depth (DiD) is a mindset along those lines. It builds multiple layers of controls that complement each other in protecting critical data.

What is Defense in Depth?

The main idea behind DiD is that if any one security control protecting critical systems or information is compromised, another control is in place to stop or limit the impact of the attack. This is also referred to as “layered security,” but the DiD model is generally more thorough in that it requires looking at how systems work together to offer protection, rather than simply putting one control behind another.

Thinking of this in terms of a basic network, this could mean having the following controls in place that must be bypassed to compromise critical data:

  1. A firewall on the network edge that restricts traffic to specific ports and protocols
  2. An IPS that detects potential attacks and blocks the attackers behind them
  3. Network traffic analysis on the internal network to detect and alert on threats
  4. A segmented internal network that limits which systems can reach one another
  5. Authentication on internal systems using strong, unique passwords (and a second factor wherever it is supported)
  6. Logging and alerting on systems near the ‘crown jewels’ that flag unusual or unexpected activity

Having this many security controls presents an adversary with a complex obstacle course to navigate from the network edge into the inner sanctum. The list mixes preventive, detective, and responsive controls, providing multiple choke points at which to contain the threat. This highlights the main advantage defenders have when it comes to the security posture of their organizations: the network (or the systems on it) can be built to be hostile toward attackers. Each additional defense, with its own strength or perspective, increases the work an attacker must do to reach what they want, and that added cost is a security win for the organization.

US Signal Defense in Depth Graph

Phishing Through the Lens of Defense in Depth

In an email phishing attack, a single click can lead to disaster. So how can controls be architected so that if any one is circumvented, the system remains safe? Let’s look at different security controls that can be in place in a modern email environment to see how they work together.

  • Email Security Gateway – Preventive Control

An email gateway filters out phishing emails based on rule sets, heuristics, and more advanced means such as machine learning. While these systems are good at eliminating commodity-grade spam from inboxes, they can still be bypassed by spear phishing and other targeted social engineering campaigns, where the message is crafted for one organization and carries no prior reputation for the gateway to match on.

  • Link Tracking for Email – Detective Control

Link tracking is a newer control that gives defenders visibility into which links are clicked within email messages. Suppose an email with a malicious link makes it past the email gateway and a user clicks it. Link tracking makes it possible to determine, after the fact, who within the organization may have visited that site, so the response can focus on those users rather than on the whole company.
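
One common way to get that visibility is to rewrite each link at delivery time so that a click passes through a redirector the organization controls, which logs the recipient and the destination before forwarding. The following is an added example of that pattern in Python; it is not the page's or any vendor's code, and the tracking host, the HMAC key, the log format and the click log itself are constructed stand-ins. The signature matters: without it, the redirector is an open redirect that attackers could use in their own phishing.

```python
"""Email link tracking: rewrite links to a signed redirector at delivery
time, then answer "who clicked this URL?" from the redirector's log.
Added example; the tracking host, key and click log are constructed."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

TRACK_HOST = "https://track.example.com/click"  # assumed redirector endpoint
SECRET = b"rotate-me-and-keep-out-of-source"    # assumed per-tenant HMAC key


def _sign(target: str, recipient: str) -> str:
    """HMAC over recipient|target so neither can be altered after delivery."""
    return hmac.new(SECRET, f"{recipient}|{target}".encode(), hashlib.sha256).hexdigest()


def rewrite_links(html: str, recipient: str) -> str:
    """Replace every http(s) href in a message body with a tracking URL that
    is bound to this recipient. Called by the gateway before delivery."""
    def repl(match):
        target = match.group(1)
        params = {
            "u": base64.urlsafe_b64encode(target.encode()).decode(),
            "r": recipient,
            "sig": _sign(target, recipient),
        }
        return f'href="{TRACK_HOST}?{urlencode(params)}"'
    return re.sub(r'href="(https?://[^"]+)"', repl, html)


def resolve_click(tracking_url: str):
    """Redirector side: verify the signature and return (recipient, target).
    Returns None for a forged or tampered link, so the redirector never
    forwards to a destination it did not sign itself (no open redirect)."""
    query = parse_qs(urlparse(tracking_url).query)
    try:
        target = base64.urlsafe_b64decode(query["u"][0]).decode()
        recipient, sig = query["r"][0], query["sig"][0]
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(sig, _sign(target, recipient)):
        return None
    return recipient, target


# Constructed redirector log, one line per verified click:
# "<timestamp> <recipient> <destination>".
CLICK_LOG = [
    "2020-03-11T09:14:02Z alice@corp.example https://invoice-portal.example.net/login?id=7",
    "2020-03-11T09:20:45Z bob@corp.example https://intranet.corp.example/timesheet",
    "2020-03-11T10:02:13Z carol@corp.example https://invoice-portal.example.net/login?id=9",
]


def who_clicked(log, malicious_url):
    """The retroactive question in the text: which users visited this site?
    Matches on host rather than the full URL, because phishing kits often
    vary the path or query string per recipient."""
    host = urlparse(malicious_url).netloc.lower()
    hits = []
    for line in log:
        ts, user, url = line.split(" ", 2)
        if urlparse(url).netloc.lower() == host:
            hits.append((ts, user))
    return hits


if __name__ == "__main__":
    body = '<a href="https://invoice-portal.example.net/login?id=7">Pay now</a>'
    print(rewrite_links(body, "alice@corp.example"))
    print(who_clicked(CLICK_LOG, "https://invoice-portal.example.net/login?id=42"))
```

Two practical points: the redirector should log the click before it forwards, so the record exists even if the destination later goes offline, and the lookup should match on host (or on a threat-intel indicator) rather than the exact URL, since the attacker usually knows which link each recipient received.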

  • User Awareness Training – Preventive Control

Since email gateways aren’t perfect, it’s necessary to educate end users on how to identify malicious emails. Especially where social engineering is involved, it can be challenging for automated systems to verify threats. Users also need a simple mechanism for reporting suspicious messages that make it into their inboxes, so that a trained eye turns into a signal the security team can act on.

  • Automated Email Pullback – Responsive Control

Let’s say another email gets through the email gateway, but a user identifies it as malicious and flags it as a potential phish. Usually the act of flagging removes the email from that inbox to prevent further interaction with the message. Taking this a step further, some email systems then search for the same message in other users’ inboxes and pull it back, protecting those users before they have a chance to click.

  • Two-Factor Authentication – Preventive Control

Even the best security mechanisms sometimes fail. Let’s say a social engineering email made it past all of the protections in place, and a user entered his or her credentials into an Office 365 credential phishing website. That could be disastrous. But if that user’s inbox requires two-factor authentication (2FA), the stolen password alone will not get the attacker into the email. The caveat is that a phishing site that proxies the real login page and relays the one-time code in real time can still succeed, so 2FA raises the attacker’s cost rather than removing the risk entirely; phishing-resistant methods such as FIDO2 security keys, which bind the login to the genuine site, are preferable where they are available.
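
What the second factor does mechanically, as an added example that is not the page's code: a server-side login that checks the password and a time-based one-time code of the kind an authenticator app produces (RFC 4226 HOTP under RFC 6238 TOTP). The user store, the user and the password are constructed; the TOTP secret is the RFC 6238 SHA-1 test key, so the codes the block produces can be checked against the RFC's own test vectors.

```python
"""Two-factor login check: password AND a time-based one-time code
(RFC 4226 HOTP / RFC 6238 TOTP). Added example; the user store is a
constructed stand-in and the TOTP key is the RFC 6238 test key."""
import base64
import hashlib
import hmac
import os
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code, at: int, window: int = 1) -> bool:
    """Accept the current 30 s step plus `window` steps either side for
    clock skew. Compare in constant time; reject anything but digits."""
    if not isinstance(code, str) or not code.isdigit():
        return False
    current = at // 30
    return any(
        hmac.compare_digest(hotp(key, current + d), code)
        for d in range(-window, window + 1)
    )


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {}  # constructed in-memory user store


def enroll(user: str, password: str, totp_secret_b32: str) -> None:
    salt = os.urandom(16)
    USERS[user] = {
        "salt": salt,
        "pw": _pw_hash(password, salt),
        "totp_key": base64.b32decode(totp_secret_b32),
    }


def login(user: str, password: str, code, at: int) -> str:
    """Returns "ok" only when both factors check out. The same "denied" is
    returned for every failure so the response does not reveal which
    factor was wrong."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"]):
        return "denied"
    if not verify_totp(rec["totp_key"], code, at):
        return "denied"  # a phished password alone stops here
    return "ok"


# Constructed enrollment; the secret is the RFC 6238 SHA-1 test key
# "12345678901234567890" in the base32 form authenticator apps use.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
enroll("alice@corp.example", "Winter2020!", RFC_SECRET_B32)

if __name__ == "__main__":
    # Password only (what a credential-phishing page captures) is refused;
    # password plus the code valid at that moment is accepted.
    print(login("alice@corp.example", "Winter2020!", None, 59))
    print(login("alice@corp.example", "Winter2020!", totp(base64.b32decode(RFC_SECRET_B32), 59), 59))
```

Note what this does and does not stop. An attacker holding only the captured password is denied. An attacker whose phishing page proxies the real login and forwards the code inside the 30 s window (plus the skew window) is not, because nothing in a TOTP code ties it to the site the user thought they were on. That is the gap origin-bound authenticators (FIDO2/WebAuthn) close.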

  • Browser Isolation – Preventive Control

A newer type of preventive control that has been gaining traction is browser isolation. If a malicious email is delivered and the user clicks the link, browser isolation opens the link in a remote web browser rather than on the user’s own system, so whatever the page does to that browser happens away from the more sensitive information on the user’s PC.

  • Endpoint Protection Software – Preventive Control

Let’s say a user downloaded a malicious attachment from an email that got past the email gateway and tries to run it on his or her PC. This is where endpoint protection software can step in and block execution of the malicious code.

  • SSL Decrypting Firewall and Network Traffic Analysis – Detective Control

Consider this scenario: a malicious payload made it past the email gateway and the user’s suspicions, and it evaded endpoint protection when run on the user’s PC. There are still opportunities to halt this malicious activity. Most modern Command and Control (C2) traffic is wrapped in TLS, so if the network has SSL/TLS decryption and network traffic analysis in place, defenders can see the destinations, request sizes and timing of outbound connections, identify the C2 channel, and remediate the problem swiftly.
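
What that analysis looks like in practice, as an added example rather than anything from the page or the vendor: most implants call home on a timer with small, similar-sized requests, so a flow whose inter-request gaps are nearly constant stands out against human browsing, which is bursty. The block below runs that check over a constructed decrypted-proxy log (the field layout, hosts and addresses are assumptions; TLS is assumed to be decrypted at the proxy so hostnames and sizes are visible).

```python
"""Beacon detection over decrypted web-proxy logs. C2 implants typically
call home on a fixed timer with small, similar-sized requests, often to a
bare IP or a freshly registered host. Added example; the log lines are
constructed and the field layout is an assumption."""
import csv
import io
import ipaddress
import statistics
from datetime import datetime, timezone

# Constructed proxy log: one beaconing host (10.1.4.22 -> 203.0.113.45) mixed
# with the same user's ordinary intranet browsing and one other client.
LOG = """\
ts,src,host,method,path,req_bytes,resp_bytes
2020-03-11T09:00:00Z,10.1.4.22,203.0.113.45,POST,/api/v1/sync,312,88
2020-03-11T09:00:05Z,10.1.4.22,intranet.corp.example,GET,/,640,18200
2020-03-11T09:01:00Z,10.1.4.22,203.0.113.45,POST,/api/v1/sync,312,88
2020-03-11T09:01:58Z,10.1.4.22,203.0.113.45,POST,/api/v1/sync,312,90
2020-03-11T09:02:25Z,10.1.4.22,intranet.corp.example,GET,/timesheet,710,41000
2020-03-11T09:02:34Z,10.1.4.22,intranet.corp.example,POST,/timesheet/save,2300,950
2020-03-11T09:02:59Z,10.1.4.22,203.0.113.45,POST,/api/v1/sync,312,88
2020-03-11T09:03:59Z,10.1.4.22,203.0.113.45,POST,/api/v1/sync,314,88
2020-03-11T09:05:01Z,10.1.4.22,203.0.113.45,POST,/api/v1/sync,312,88
2020-03-11T09:06:00Z,10.1.4.22,203.0.113.45,POST,/api/v1/sync,312,1460
2020-03-11T09:07:00Z,10.1.4.22,203.0.113.45,POST,/api/v1/sync,312,88
2020-03-11T09:08:10Z,10.1.7.9,cdn.example.com,GET,/lib/app.js,520,88000
2020-03-11T09:08:11Z,10.1.7.9,cdn.example.com,GET,/lib/app.css,510,12000
2020-03-11T09:12:34Z,10.1.4.22,intranet.corp.example,GET,/news,640,22000
2020-03-11T09:12:37Z,10.1.4.22,intranet.corp.example,GET,/news/42,650,15000
2020-03-11T09:13:24Z,10.1.4.22,intranet.corp.example,GET,/logout,600,500
"""


def parse_log(text: str):
    """Parse the CSV into dicts with a real timestamp and integer sizes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["req_bytes"] = int(row["req_bytes"])
        row["resp_bytes"] = int(row["resp_bytes"])
        rows.append(row)
    return rows


def _is_bare_ip(host: str) -> bool:
    """Connecting to a literal IP instead of a name is a weak but useful signal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_beacons(rows, min_hits: int = 6, max_cv: float = 0.15):
    """Group requests by (client, host). A flow with at least `min_hits`
    requests whose inter-request gaps have a coefficient of variation
    (stdev / mean) at or below `max_cv` is a beacon candidate: timers pass
    this test, human browsing does not."""
    flows = {}
    for r in rows:
        flows.setdefault((r["src"], r["host"]), []).append(r)
    alerts = []
    for (src, host), hits in flows.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            alerts.append({
                "src": src,
                "host": host,
                "hits": len(hits),
                "period_s": round(mean),
                "cv": round(cv, 3),
                "bare_ip_host": _is_bare_ip(host),
                "median_req_bytes": statistics.median(r["req_bytes"] for r in hits),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(parse_log(LOG)):
        print(alert)
```

On the constructed log this flags only the 10.1.4.22 to 203.0.113.45 flow (eight POSTs, roughly 60 s apart, tiny and uniform request bodies, destination is a bare IP); the same workstation's intranet browsing has the same number of requests but its gaps vary by more than a factor of a hundred. Real implants add jitter, so in production the threshold is tuned per environment and combined with other signals (new or unclassified destination, odd User-Agent, consistent response sizes) rather than used alone.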

You can see how different mechanisms layer together to form a much stronger overall security posture than when any one technology sits in one point in the mail flow, looking at things from a single perspective. That’s the essence of DiD.

US Signal is Here to Help

The solutions that US Signal offers can be a part of your DiD strategy and contribute to a more resilient architecture. Our newly upgraded Cloud-Based Advanced Security platform offers some of the next generation technologies mentioned in this post, including SSL decryption, traffic monitoring, and malicious file examination. For more information, call us at (866) 274-4625 or email [email protected].