Defense In Depth is a common terminology in modern-day cybersecurity practices. It is a strategy that employs a series of mechanisms, also known as controls, to stop an attack on your organization.
Each layer offers additional protection so that if one layer is breached, the next layer of protection will be in place to prevent further exposure of data to unauthorized parties.
The defense-in-depth approach to cybersecurity can be visualized as a collection of concentric circles with the data to be secured being the most inner circle. Each one of these provides a layer of security and provides multiple resistance levels to an attack and also provides useful information on how the attack was performed in order to improve the relevant security layers in the future.
As a security professional you will need to implement one or more of the CIA (confidentiality, Integrity, Availability) principles on each layer for optimum security.
Let’s have a deeper view of each of the layers.
Data sit at the inner part of the “Defense in Depth” structure. Most of the time during an attack the attackers are after data. There are many types of storage and those need to be mapped along with their location, for a cybersecurity strategy to work efficiently. Common storage types are:
- Disks on physical machines
- Disks on virtual machines
- On SaaS Applications (i.e. O365)
- Cloud storage (i.e. Amazon S3)
Security controls applied in the data layer include:
- backup and restoration strategies
- two-factor authentication
- enterprise rights management
- policies that ensure data is wiped from devices that are no longer being used or are being repurposed.
Proper storage considerations in the design phase of the application, or the acquisition phase if the app is not built within the organization, should be made. Sensitive information should be stored in safe locations which have the additional security controls of the data layer applied.
Application development is a crucial part of security integration. Developers must embrace a secure development life cycle and embed security controls in the application throughout it.
Additional teams should provide assurance that the applications are secure by conducting manual and automatic tests to check for possible vulnerabilities in the application.
Logging is essential both for the developers but also for the security teams. The amount and detail of the logging information should be sufficient to provide insights for both teams for further investigation and analysis of bugs, issues, activities, and communications.
Security controls applied in the application layer include:
- adopt a secure SDLC management process
- apply the principle of least privilege
- perform regular penetration testing and security audits
- patch management
- AAA controls and MFA
- encryption at rest and in transit
- input validation
- key management
- log management capabilities and monitoring
Access to the physical or virtual hosts should be secured, endpoint protection should be in place and systems should be patched and up to date in order to minimize exposure to security issues.
Security controls applied in the compute layer include:
- an accurate inventory of all devices their location, and their owners
- apply secure configuration for servers and endpoints (e.g. CIS benchmarks)
- restrict and monitor administrator accounts
- enable MFA where possible
- restrict server-to-server and server-to-client communication to the bare minimum, as needed for their business purpose
- apply encryption at rest and in transit
- perform regular backup and restoration tests
- perform penetration tests and vulnerability assessments
- activate audit log monitoring and log analysis
- employ endpoint protection
Communication between all types of resources (networks, systems, applications, databases) should be limited to the bare minimum. Only the absolutely required communication should be allowed and properly documented depicting the reasons for this permitted traffic.
All traffic from and to each node/application/network segment should be denied by default and internet access should also be denied or limited only inbound where there is absolutely a need for it. Traffic should explicitly be allowed whenever there is a business need, technically justified.
DDoS protection, IDS/IPS, and proper perimeter firewalls should be installed to alert and protect from attacks.
Physical Security Layer
A layer often neglected by the information security teams is the physical security layer. Physical control implementations should be deterrent, meaning they should prevent breaches but also detective, because through security cameras we can help the investigation of an incident after its occurrence.
Layers of Security and Threat Vectors
Sharing the Responsibilities
Securing the organization is a team effort and many parties should be involved in this common cause. There are many resources in numbers and types, to be created, administered, and protected. No successful information security program can succeed by involving the Infosec team alone.
- Developers should follow secure coding practices
- IT Architects should design IT environments and IT systems while coordinating with the Infosec team for proper control selection and placement.
- Network teams should install devices with the highest traffic restrictions and enforce the “deny-all” by default to all traffic.
- IT Teams should monitor their systems closely for errors that attackers can exploit (i.e. AV is disabled, Host IDS/IPS is not running)
Defense in depth ensures that even if one of your security controls, like firewall, WAF, or IDS, fails, other controls can still protect your information assets.
The principle of least privilege
Segregation of duties
Strong passwords and MFA
Privileged access management (PAM)
Patch and vulnerability management
Logging and monitoring
Secure coding principles and codebase security analysis
Defense-in-depth is a more holistic approach to cybersecurity. Layered security is only one aspect of defense-in-depth involving multiple defensive tools to detect and stop an immediate attack. Defense-in-depth assumes a broader scope of defense from incident to response through resolution.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.