Article's content
106.5k views
App SecurityEssentials
What is Defense-in-depth
Defense-in-depth is an information assurance strategy that provides multiple, redundant defensive measures in case a security control fails or a vulnerability is exploited. It originates from a military strategy by the same name, which seeks to delay the advance of an attack, rather than defeating it with one strong line of defense.
Defense-in-depth cybersecurity use cases include end-user security, product design and network security.
An opposing principle to defense in depth is known as simplicity-in-security, which operates under the assumption that too many security measures might introduce problems or gaps that attackers can leverage.
Defense-in-depth architecture: Layered security
Defense-in-depth security architecture is based on controls that are designed to protect the physical, technical and administrative aspects of your network.
Defense in depth, layered security architecture
- Physical controls– These controls include security measures that prevent physical access to IT systems, such as security guards or locked doors.
- Technical controls– Technical controls include security measures that protect network systems or resources using specialized hardware or software, such as a firewall appliance or antivirus program.
- Administrative controls– Administrative controls are security measures consisting of policies or procedures directed at an organization’s employees, e.g., instructing users to label sensitive information as “confidential”.
Additionally, the following security layers help protect individual facets of your network:
- Access measures– Access measures include authentication controls, biometrics, timed access and VPN.
- Workstation defenses– Workstation defense measures include antivirus and anti-spam software.
- Data protection–Data protection methodsinclude data at rest encryption, hashing, secure data transmission and encrypted backups.
- Perimeter defenses– Network perimeter defenses include firewalls,intrusion detection systems and intrusion prevention systems.
- Monitoring and prevention– The monitoring and prevention of network attacks involves logging and auditing network activity,vulnerability scanners, sandboxing and security awareness training.
Upcoming Webinar
Register Now
Defense-in-depth information assurance: Use cases
Broadly speaking, defense-in-depth use cases can be broken down into user protection scenarios and network security scenarios.
Website protection
Defense-in-depth user protection involves a combination of security offerings (e.g.,WAF, antivirus, antispam software, etc.) and training to block threats and protect critical data.
A vendor providing software to protect end-users from cyberattacks can bundle multiple security offerings in the same product. For example, packaging together antivirus, firewall, anti-spam and privacy controls.
As a result, the user’s network is secured againstmalware, web application attacks (e.g.,XSS,CSRF).
Network security
- An organization sets up a firewall, and in addition, encrypts data flowing through the network, and encrypts data at rest. Even if attackers get past the firewall and steal data, the data is encrypted.
- An organization sets up a firewall, runs an Intrusion Protection System with trained security operators, and deploys an antivirus program. This provides three layers of security – even if attackers get past the firewall, they can be detected and stopped by the IPS. And if they reach an end-user computer and try to install malware, it can be detected and removed by the antivirus.
See how Imperva Web Application Firewall can help you with Defense-in-Depth.
Request demo Learn more
Imperva defense-in-depth solutions
Imperva offers a complete suite of defense in depth security solutions, providing multiple lines of defense to secure your data and network.
Our data security solutions includedatabase monitoring,data maskingand vulnerability detection. Meanwhile, our web facing solutions, i.e.,WAFandDDoS protection, ensure that your network is protected against all application layer attacks as well as smoke-screen DDoS assaults.
Certainly! The article covers various aspects of defense-in-depth, an information assurance strategy leveraging multiple layers of defense to safeguard systems against cyber threats. Here's an in-depth breakdown of the concepts used:
Defense-in-Depth Strategy
Origin and Philosophy:
- Definition: It's a strategy employing redundant defensive measures to counteract potential security control failures or exploits.
- Origin: Derived from a military strategy aiming to delay an attack's advance instead of relying on a single line of defense.
Use Cases in Cybersecurity:
- End-User Security: Protecting individual users through security measures like antivirus, firewalls, and user training.
- Product Design: Implementing security measures within products or applications to thwart attacks.
- Network Security: Safeguarding networks via controls targeting physical, technical, and administrative aspects.
Principles and Counterpart:
- Opposing Principle: "Simplicity-in-Security," advocating against excessive security measures that might introduce vulnerabilities.
Defense-in-Depth Architecture
Layers of Security:
- Physical Controls: Measures preventing physical access, like security guards and locked doors.
- Technical Controls: Specialized hardware or software safeguarding network systems, e.g., firewalls or antivirus programs.
- Administrative Controls: Policies or procedures for employees, such as labeling sensitive information.
Additional Security Layers:
- Access Measures: Authentication controls, biometrics, timed access, VPNs.
- Workstation Defenses: Antivirus, anti-spam software.
- Data Protection Methods: Encryption (data at rest), hashing, secure data transmission, encrypted backups.
- Perimeter Defenses: Firewalls, intrusion detection, and prevention systems.
- Monitoring and Prevention: Logging, auditing, vulnerability scanners, sandboxing, security awareness training.
Defense-in-Depth Use Cases
User Protection Scenarios:
- Website Protection: Combining security offerings (WAF, antivirus, anti-spam) and training to block threats and protect data.
Network Security Scenarios:
- Firewall Deployment: Encrypting data flow and data at rest to secure against attacks.
- Multiple Layers of Security: Using a firewall, intrusion protection system (IPS), and antivirus for enhanced protection against different attack vectors.
Imperva's Defense-in-Depth Solutions
- Data Security Solutions: Database monitoring, data masking, vulnerability detection.
- Web-Facing Solutions: WAF (Web Application Firewall), DDoS protection against application layer attacks and DDoS assaults.
This comprehensive strategy aims to create a fortified defense, ensuring robust protection against diverse cyber threats across networks, systems, and individual user endpoints.