Products + Services Data Centers Industries Learn About
Updated: April 20, 2023
When it comes to securing modern technology environments, it’s common for practitioners to seek a magical silver bullet that will remedy all their security problems. This might take the form of a new “blinky box” such as a firewall, a security information and event management (SEIM) solution, or a cloud-hosted endpoint defense and response (EDR) solution. Unfortunately, these kinds of services and technologies never quite live up to their promises. Security holes remain to be exploited, or attack patterns evolve past the current state of protection.
A more effective approach is to look at security from a holistic perspective and build a system that minimizes the impact of any one protection being bypassed. Defense in Depth (DiD) is a mindset along those lines. It builds multiple layers of controls that complement each other in protecting critical data.
The main idea behind DiD is that if any one security control protecting critical systems or information is compromised, another control is in place to stop or limit the impact of the attack. This is also referred to as “layered security.” Still, the DiD model is generally more thorough because it requires looking at how systems work together to offer protection, rather than simply putting one control behind another.
Thinking of this in terms of a basic network, this could mean having the following controls in place that must be bypassed to compromise critical data:
With this many security controls, adversaries face a complex obstacle course to navigate from the network edge into the inner sanctum. Included are different types of controls — preventive, detection and responsive, providing multiple choke points to contain the threat, or at a minimum, providing alerts that malicious activity is occurring.
This highlights the main advantage that defenders have when it comes to the security posture of their organizations: the network (or systems) can be built to be hostile toward attackers. These additional defenses, each with a different strength or perspective, increase the amount of work it takes attackers to get to what they want, resulting in a security win for the organization.
A defense-in-depth strategy is a layered approach to cybersecurity you can apply to all levels of your IT systems. The premise of a DiD strategy is that no single layer of security can fully protect an entire organization. As there are multiple cyber threats, there must be numerous solutions.
Hackers are adept at finding vulnerabilities in any system, so the DiD model uses a series of defenses to close the gaps created by a single solution. By building layers of security, you can reduce the chance of a single breach occurring within your systems. If malicious actors get through your defenses, the damage is minimized by preventing further access.
The defense-in-depth model consists of a multifaceted cybersecurity approach, providing additional defenses for your critical data. The layers you see in our defense-in-depth diagram include:
As the name suggests, this layer of security is similar to the perimeter of a house. Many cyber attacks are internal — intentional or unintentional — and come from within the organization's internal network. Perimeter defense network security systems include routers, proxy servers and firewalls.
This layer of protection focuses on mitigating the potential threats found in workstations connected to your business network. Host protection helps prevent anyone from attacking from within the network and protects the data at the workstation from anyone who manages to break through the firewall.
Endpoint security protects end user devices' endpoints — or entry points. The devices your team uses daily, such as laptops, mobile phones and desktops. As these devices are connected to your network, cyber attacks could cause massive damage to your entire system. Protecting these commonly used endpoints includes malware, ransomware and zero-day threat mitigation.
Access to operating systems can result in compromised network security. Depending on your organizational needs, traffic is regulated at the perimeter, but the applications that use the traffic run on different web servers. The applications and web servers run on operating systems.
Users with access to the OS can put the integrity and availability of the firewall at risk, exposing critical network resources to internal and external security threats. Weak points in the operating systems and servers need patching. Applying all appropriate and available security features to this integral layer is critical to overall network security.
On-premise security is paramount, but your valuable data needs to be protected when your team takes their personal computers off the premises. Data protection is broken down into the following categories:
Implementing a defense-in-depth security strategy has many benefits for businesses handling sensitive data, like:
An email gateway filters out phishing emails based on various sets of rules, heuristics and other more advanced means such as Machine Learning or artificial intelligence. While these systems are good at eliminating commodity-grade SPAM from inboxes, they can still be bypassed by spear phishing attacks or other social engineering campaigns.
Link tracking technology is a newer control that helps defenders by allowing for visibility into the links that are clicked within email messages. For example, an email with a malicious link makes it past the email gateway and a user clicks that link. The purpose of link tracking is to be able to determine retroactively who within the organization may have visited that site.
Since email gateways aren’t perfect, educating end users on identifying malicious emails is necessary. Especially where social engineering is involved, it can be challenging for automated systems to verify threats. Ideally, users also need a mechanism for reporting malicious messages that make it into their inboxes.
Let’s say another email gets through the email gateway, but a user identifies it as malicious. It’s flagged as a potential phish. Usually, the act of flagging removes the email from the inbox to prevent further interaction with the message. Taking this a step further, some email systems will then look for the same message in other user’s inboxes and pull it back to protect those other users from clicking.
Even the best security mechanisms sometimes fail. Let’s say a social engineering email made it past all of the protections in place, and a user-entered his or her credentials into an Office 365 credential phishing website. That could be disastrous. If that user’s inbox requires two-factor authentication (2FA), the attacker couldn’t access the email box. Microsoft has advised that 99.9% of O-365 account compromise attempts are stopped when multifactor authentication is used.
Browser isolation is a newer type of protective control that’s been gaining traction. In a scenario where a malicious email gets delivered to a user who clicks the link, browser isolation can protect the system. It will open the link in a remote web browser rather than on the actual user’s own system. This moves the risk of compromise away from the more sensitive information on the user’s PC.
Let’s say that an attacker sends a phishing email prompting the end user to visit a website, designed to look legitimate, and input his or her credentials. If the attacker successfully gains the user’s credentials and then tries to use it to log in, the EDR monitors the activity, identifies it as suspicious based on AI and machine learning, sends an alert, and prevents any malicious activity before it occurs — even when it is under the guise of a legitimate login.
Consider this scenario: a malicious payload made it past the email gateway and the user’s suspicions. It evaded the endpoint protection when run on the user’s PC. There are still opportunities to halt this malicious activity. Suppose the network has SSL decryption and network traffic analysis in place. In that case, the defenders should be able to identify the Command and Control (C2) traffic on the network and remediate the problem swiftly.
You can see how different mechanisms layer together to form a much stronger overall security posture than when any one technology sits in one point in the mail flow, looking at things from a single perspective. That’s the essence of DiD.
The countless benefits of DiD security may require considerable changes to your existing systems. DiD strategies need a layered security architecture that focuses on all control measures, from physical controls to significant network security. Working with a data center service provider could be the most effective method of implementing such a complex and comprehensive strategy.
Together with your IT service provider, your DiD strategy will take the following into account:
Once you have designed your DiD strategy, you must implement it throughout every level of your business. Consider the following steps to get started:
The solutions that US Signal offers can be a part of a comprehensive DiD strategy and contribute to a more resilient architecture. Among the services to consider — Vulnerability Management as a Service, Endpoint Detection and Response, and Managed Firewall.
Assessing your organization's current security posture is a good place to determine what is needed to fortify your overall defenses. US Signal’s advisory and assessment services are available on a one-time basis or can be set up as an ongoing engagement. They include:
Founded in 2001, we at US Signal have consistently expanded our solutions portfolio to align with the ever-changing technological business space. Our services are powered by our robust, secure fiber network. Partnering with US Signal grants you access to expert support 24/7, all year round.
US Signal can help you architect a security solution to maintain your competitive edge. Call us at (866) 274-4625 or contact us online today, and someone from our sales team will reach out with all the information you need to get started.
It used to be that an organization’s IT disaster recovery (DR) plan entailed simple data backup (on disk or tape) or, budget-allowing, a secondary data center that it could failover to if a disaster occurred. The introduction of cloud DR has expanded the options. Choosing what’s best for your company requires [...]
Expect to see the cybersecurity landscape continue to change throughout 2024. There will likely be increased regulatory scrutiny at the federal and state levels over the coming year as government authorities seek to encourage prompt, accurate, and complete disclosure of security threats and management-level preparedness. [...]
A majority of our daily lives involve interacting with various technologies. And in the course of those interactions, most of us seldom think about the actual technologies involved — unless they aren’t working or need to work better or faster. In those instances, we expect some form of “tech support” to help. [...]