What is Defense in Depth?
Defense in depth is a strategy that uses multiple security measures to protect the integrity of information. This way of thinking is used to cover all angles of business security, being intentionally redundant when necessary. If one line of defense is compromised, additional layers of defense are in place to ensure that threats don’t slip through the cracks. This method addresses the security vulnerabilities that inevitably exist in the technology, personnel, and operations within a network.
Today’s cyberthreats are evolving and growing rapidly. Defense in depth is a solid, comprehensive approach that combines advanced security tools to protect critical data and block threats before they reach endpoints. Endpoint protection, including antivirus and firewalls, is still an instrumental element of complete security; however, a defense in depth strategy is seeing significant adoption because these methods of network security alone are no longer enough.
The concept of defense in depth takes cybersecurity a step further by acknowledging the macro controls needed for complete protection, including the physical, technical, and administrative aspects of the network.
These three controls build the architecture of a defense in depth strategy:
Physical Controls are the security measures that protect IT systems from physical harm. Examples of physical controls include security guards and locked doors.
Technical Controls are the protection methods that secure network systems. Hardware, software, and network-level protection all fall within a company’s specific technical controls. Cybersecurity efforts, including layered security, live in this category.
Administrative Controls are the policies and procedures put in place by an organization and directed at its employees. Training employees to label sensitive information as “confidential” and to keep private files in the proper folders is an example of an administrative control.
History and Origin
Defense in Depth, as a concept and phrase, originated as a military strategy that referred to barriers that were put in place to slow the progress of intruders while giving troops time to monitor their movement and develop a response. The goal of this method was to slow or delay the advance of the attacker, instead of attempting to retaliate immediately with one strong line of defense.
Before the internet became the central point of everything, when businesses relied only on physical data centers, they were protected by many tangible layers. The building was unlocked only for employees with a badge, and you probably needed an Active Directory account and a corporate laptop with the right permissions to access files. The worst-case scenario was typically someone from the marketing department accidentally gaining permissions to an engineering folder.
Today, our livelihoods and business processes live online and in the cloud, and defense in depth requires far more advanced technical controls to keep companies safe online.
Large cloud service providers have top-notch security and standardized processes in place, but they are only as secure as your employees and users. Users often fall victim to phishing scams and malicious links online, which expose the network to criminals who are scouring the internet in search of private data to exploit. In the cloud, users don’t need an employee badge or a specific corporate device to access files; it can take as little as a few clicks to open your network up to threats lingering on the web.
Common holes in cybersecurity strategies
- Viruses or malware take too long to discover
- Employees are falling victim to phishing tactics that open up the network to threats
- Known flaws are not being patched and updates are ignored
- Security policies are not enforced or well-known by employees and users
- Missing or poorly implemented encryption
- Lack of malware protection
- Remote employees are connecting to unsecured networks and exposing data
- Physical security flaws
- Business partners or supply chains are not always fully secure
How does defense in depth help?
This strategy builds a more secure network by layering and even duplicating certain protection methods to minimize the probability of a breach. A single layer of security won’t be effective with today’s rapidly changing and intelligent cybercrime landscape.
By layering a series of different defenses, such as firewalls, antivirus, intrusion detection, port scanning, secure gateways, and more, businesses are able to fill gaps and close loopholes that would exist if the network relied on only one layer of security. As an example, if the network protection layer is compromised by a hacker, defense in depth gives administrators and engineers additional time to deploy updates and countermeasures while the antivirus and firewall layers are in place to block further entry.
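To make this argument concrete, here is an added Python model (not code from the original article) of how layering changes the odds: each layer has an assumed chance of being bypassed and an assumed delay it imposes on an attacker. The per-layer figures are constructed for illustration, not measurements, and the `common_mode` term represents a weakness shared by every layer, which is why the text stresses a series of *different* defenses rather than copies of one product.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Layer:
    """One defensive layer: the chance an attack gets past it, and the delay it imposes."""
    name: str
    bypass_probability: float  # P(attack passes this layer) when the layer is tried alone
    delay_hours: float         # time an attacker typically needs to defeat this layer


def independent_bypass_probability(layers):
    """P(attack passes every layer) when the layers fail independently of one another."""
    return prod(layer.bypass_probability for layer in layers)


def bypass_probability_with_common_mode(layers, common_mode):
    """As above, but with probability `common_mode` a single shared weakness (for example
    one stolen admin credential that every layer trusts) defeats all layers at once.

    Duplicated layers that share a weakness add little; distinct layers keep the
    independent product small.
    """
    return common_mode + (1.0 - common_mode) * independent_bypass_probability(layers)


def responders_have_time(layers, detection_hours, response_hours):
    """True if the combined delay the layers impose exceeds the time the team needs to
    notice the intrusion and deploy updates or countermeasures (the page's core claim)."""
    total_delay = sum(layer.delay_hours for layer in layers)
    return total_delay > detection_hours + response_hours


# Constructed, illustrative figures only; they are assumptions, not data from the article.
SMB_LAYERS = (
    Layer("firewall", bypass_probability=0.20, delay_hours=4.0),
    Layer("antivirus", bypass_probability=0.30, delay_hours=8.0),
    Layer("intrusion detection", bypass_probability=0.25, delay_hours=12.0),
)

if __name__ == "__main__":
    print("one layer only:     ", independent_bypass_probability(SMB_LAYERS[:1]))
    print("three independent:  ", independent_bypass_probability(SMB_LAYERS))
    print("with 5% common mode:", bypass_probability_with_common_mode(SMB_LAYERS, 0.05))
    print("responders in time? ", responders_have_time(SMB_LAYERS, 8.0, 12.0))
```

Try raising `common_mode` to see how quickly a shared weakness erases the benefit of stacking layers; that is the quantitative case for choosing different defenses rather than duplicating one.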
How does it relate to layered security?
Layered security, for small and medium businesses (SMBs), means using a combination of several cybersecurity solutions designed to reduce a network’s attack surface and protect it from all angles.
This approach has emerged with the rise of mobile working, IoT devices, and the increased reliance of businesses on the internet in general. Endpoint devices, cloud services, and web applications now hold the key to data that cybercriminals see as dollar signs. Back when data was protected in a locked building, one or possibly two layers would have sufficed.
Today, SMBs’ attack surfaces are growing rapidly as new devices are introduced and added to make operations more efficient. Data is then collected and stored in third-party applications or the cloud. Avenues for attack are now basically endless. One firewall is no longer enough.
Layered security is an essential piece of the technical controls aspect of defense in depth. Layered security focuses on cybersecurity and on fully protecting endpoints and networks. Defense in depth, by contrast, accepts that total security isn’t realistic and holds that slowing a threat until it is no longer a danger is the most effective way to secure a business. Defense in depth is also higher-level: in addition to cybersecurity, it covers the administrative and physical controls a business should regulate to stay secure.
What layers does an SMB need?
To determine what layers are needed, it’s best to lay out what sensitive data you have, where it is located, and who has access to it. Devices, data, and people are often the keys to assessing your security risk. Once you’ve identified your at-risk data or devices, it is easier to decide which layers you need and how they fit into your overall security approach.
Some of the security services and products listed below may seem repetitive, or may appear as features of another security layer. They are listed separately because they either perform an important function on their own or because repetition is needed for increased protection.
Recommended Cybersecurity Layers for SMBs:
Core Layers:
These cybersecurity products and services are considered “core” for an SMB because they protect against major threats that could quickly cause unnecessary downtime, costs, and reputational damage to a business.
- Antivirus
- Secure Web Gateway
- Secure Internet Gateway
- Firewall
- Patch Management
- Backup & Recovery
As your SMB grows, adopts additional cloud services, and expands its offerings, these security layers become more important:
- Two-Factor Authentication
- Intrusion Detection and Prevention Systems
- Encryption*
- Data Loss Prevention*
- Virtual Private Network (VPN)
*Depending on your vertical and your compliance requirements.