No, really ... Is Defense in Depth still a thing?
In one of our recent CINS Army Briefs, we asked this same question: Is Defense in Depth still a thing?
You know, it’s the old castle analogy. You have a wall, you have a moat, you have towers and archers on the towers, you have boiling oil if anyone makes it past all that, and you have knights with swords inside. You’re not taking any chances. Well, not much has changed in the way humans secure what’s valuable to them over the years, at least not in principle. Yes, Defense in Depth is still very much “a thing” in security and will be so long as there’s a need to protect the things we prize.
It’s just that the definition has changed over the years, incorporating concepts like visibility and goals like Zero Trust.
Old vs. New Defense in Depth
If we’re not careful, “Defense in Depth” can be dismissed as an outmoded term. Not so, although the particulars have changed. In the old approach, your strategy may have consisted of a firewall, a SIEM, and endpoint protection.
Our proverbial castle has since evolved, and the new security landscape is much more nuanced, layered, and wide-ranging in scope. We now include:
- Soft skills like employee security awareness training and a culture of cybersecurity
- Visibility into all areas of a network (on-premises, cloud, and hybrid)
- Disaster recovery plans and threat mitigation techniques
- Threat intelligence integration into edge tools for proactive control
- Identity and Access Management that functions in all environments
- Cyber hygiene practices like those outlined in the CIS Controls (notably Controls 1 & 2, inventory of enterprise and software assets)
In essence, the “new” Defense in Depth approach is a layered security solution that supports and verifies the new-ish idea of Zero Trust. The fun part now is how we get there. To do that, it helps to review basic principles.
Layers of Security
So, what are some of the new “layers” that combine to create a modern Defense in Depth approach? Let’s look at a few in a little more detail … Some of these sound like the layers of old, and some don’t sound like “layers” at all; more like areas on which to focus.
The Perimeter
Also known as the “edge.” And there’s plenty of evidence out there that the “edge” is disappearing. Well, sort of. It’s moving, in some cases, closer to or into the Cloud, of course. But there are plenty of organizations that are unable or unwilling to move their perimeter from their traditional network edge at the datacenter or ISP handoff. In any case, the tools of the trade remain the same: traditional or virtual firewalls, inline IPS, threat intelligence gateways, and the like.
The Network
While everyone focuses on protecting endpoints and capturing logs from devices across the network, is anyone watching the actual traffic passing between the devices? That’s where Network Detection and Response (NDR) tools come into play. They give you an independent view of the network traffic, because packets don’t lie. This can supplement or make up for gaps in endpoint solutions (IoT, we’re looking at you!) and can even act as a substitute for complicated SIEMs.
Behavioral analytics
No one is throwing out their traditional signature-based security approaches, but there’s an obvious need for more sophisticated tools that rely on heuristics, and yes, the over-hyped but very real evolution of AI/ML. These new tools can not only spot anomalous behavior from a security perspective, but can also let you know when the network is having trouble.
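As an added illustration of the baseline-and-deviation idea behind behavioral analytics (this is example code written for this page, not a tool from Nomic or CINS), the block below keeps a per-host history of outbound byte volume from NDR-style flow summaries and flags hosts whose current hour deviates by more than three standard deviations, in either direction, so a chatty IoT device and a server that has gone quiet both surface. The hosts, byte counts and destination sets are constructed sample data, and the z-score threshold is an assumed tuning value.

```python
"""Behavioral baseline check over constructed per-host flow summaries.

Two signals are demonstrated: a volume anomaly (outbound bytes far from the
host's own history) and a first-seen external destination. All data below is
constructed for the example; nothing here comes from real traffic.
"""
from statistics import mean, pstdev

# Constructed history: outbound bytes per hour for the previous seven hours.
BASELINE_BYTES = {
    "10.0.0.5":  [2_100_000, 1_950_000, 2_300_000, 2_050_000, 1_900_000, 2_200_000, 2_000_000],
    "10.0.0.9":  [400_000, 380_000, 420_000, 410_000, 390_000, 405_000, 395_000],
    "10.0.0.23": [50_000, 48_000, 52_000, 49_000, 51_000, 50_500, 49_500],
}

# Constructed history of external destinations each host has talked to before.
KNOWN_DESTINATIONS = {
    "10.0.0.5":  {"203.0.113.10", "203.0.113.11"},
    "10.0.0.9":  {"198.51.100.7"},
    "10.0.0.23": {"192.0.2.40"},
}

# Constructed current-hour observation: the IoT-class host 10.0.0.23 suddenly
# pushes ~18x its usual volume to a destination it has never contacted.
CURRENT_HOUR = {
    "10.0.0.5":  {"bytes_out": 2_150_000, "destinations": {"203.0.113.10"}},
    "10.0.0.9":  {"bytes_out": 399_000,   "destinations": {"198.51.100.7"}},
    "10.0.0.23": {"bytes_out": 900_000,   "destinations": {"192.0.2.40", "203.0.113.99"}},
}


def zscore(history, observed):
    """Standard score of `observed` against the host's own history."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        # A perfectly flat history: any change at all is notable.
        return 0.0 if observed == mu else float("inf")
    return (observed - mu) / sigma


def flag_anomalies(baseline_bytes, known_destinations, current, threshold=3.0):
    """Return a list of (host, reason) findings for the current hour.

    A host with no baseline is reported rather than silently skipped, since an
    unknown talker is itself worth a look.
    """
    findings = []
    for host, obs in current.items():
        history = baseline_bytes.get(host)
        if not history:
            findings.append((host, "no baseline"))
            continue
        z = zscore(history, obs["bytes_out"])
        if abs(z) >= threshold:
            direction = "volume spike" if z > 0 else "volume drop"
            findings.append((host, f"{direction} (z={z:.1f})"))
        new_dsts = obs["destinations"] - known_destinations.get(host, set())
        for dst in sorted(new_dsts):
            findings.append((host, f"first-seen destination {dst}"))
    return findings


def anomalous_hosts(findings):
    """Distinct hosts named in the findings, in first-seen order."""
    seen = []
    for host, _ in findings:
        if host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    for host, reason in flag_anomalies(BASELINE_BYTES, KNOWN_DESTINATIONS, CURRENT_HOUR):
        print(f"{host}: {reason}")
```

In practice the baseline would be rebuilt continuously from the NDR sensor's flow records and the threshold tuned per network segment; the point the example makes is that the judgement is relative to each host's own history, not to a fixed signature.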
Integrity of data
Confidentiality, integrity, and availability. The above methods cover the bookends, but without ensuring your data is what it should be, it’s not worth protecting in the first place. This step is essential, and it is the reason all the other layers exist. This is where code signing, reliable backups (the 3-2-1 Backup Rule – yes, it still works), secure file transfer methods, and digital rights management come in.
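To show what “ensuring your data is what it should be” looks like for a backup set, here is an added example (written for this page, not code from Nomic or CINS) that builds a SHA-256 manifest of a backup directory, signs the manifest, and later verifies both the signature and every file against it, reporting modified, missing and unexpected files. Real code signing uses an asymmetric signature so that the verifier holds no secret; this example substitutes an HMAC with a constructed key to stay standard-library only, and the backup files it writes into a temporary directory are constructed sample data.

```python
"""Signed-manifest integrity check for a backup directory.

Assumptions: HMAC-SHA256 stands in for an asymmetric code-signing signature,
and the key and sample files below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under `root` (relative path) to its SHA-256 hex digest."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = sha256_file(full)
    return entries


def canonical(manifest):
    """Deterministic encoding: the same manifest always signs to the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_backup(root, manifest, signature, key):
    """Return (ok, problems).

    The manifest's signature is checked first: an unsigned or re-signed manifest
    could otherwise vouch for tampered files. Only then are the files compared.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature mismatch"]
    current = build_manifest(root)
    problems = []
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            problems.append(f"missing: {rel}")
        elif actual != expected:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Run the clean, tampered-file and forged-manifest cases; return all three results."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "db.sql"), "w") as handle:
            handle.write("CREATE TABLE t (id INT);\n")
        with open(os.path.join(root, "config.yml"), "w") as handle:
            handle.write("retention_days: 30\n")
        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)
        clean = verify_backup(root, manifest, signature, key)

        # A file changes after the manifest was signed.
        with open(os.path.join(root, "db.sql"), "a") as handle:
            handle.write("DROP TABLE t;\n")
        tampered = verify_backup(root, manifest, signature, key)

        # The manifest is edited to match the changed file, but the signature no longer fits.
        forged = dict(manifest)
        forged["db.sql"] = sha256_file(os.path.join(root, "db.sql"))
        forged_manifest = verify_backup(root, forged, signature, key)
    return clean, tampered, forged_manifest


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

The manifest and its signature belong with each of the three copies in a 3-2-1 scheme, and the verification should run on restore drills, not only when a restore is needed in anger.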
Anti-malware and Anti-ransomware
Ultimately, all these layers are there to combat what everyone fears the most: ransomware and malware. This is a focus of every layer: from the endpoints with EDR and Next Generation Antivirus (NGAV) tools, to the network with NDR, to the edge with secure SD-WAN, firewalls, and inline IPS. And if those don’t work – which sometimes they won’t – it’s all about data integrity in the form of solid backups and dependable disaster recovery.
Implementing Defense in Depth
A Defense in Depth approach ultimately comes down to organizing your controls. You have administrative controls, which include policies and the “big picture” for your security environment. Then there are physical controls, which range from locking your PCs up at night to requiring employees to badge in. It seems too simple, but the obvious answers are the ones we overlook (and hackers know that). Lastly, we take all of the security layers outlined above and implement them as part of our technical controls – where the rubber hits the road.
One thing that’s good to keep in mind as you build out your network security architecture is to diversify your security stack. Don’t put all your eggs in one basket. While some security conglomerates can provide a tool for every trouble, it’s good to go with specialists. See who’s best at what. It’s hard to be best in class at everything, and you also want a fallback should that company, or anything related to it, experience any trouble in the space.
Reach out to different providers, and draw on their different perspectives and expertise. When it comes to Defense in Depth, the real foundational principles are diversification and fallbacks. A “zero trust” approach to your Zero Trust, if you will.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.