What is Defense in Depth? | UpGuard (2024)

Defense in depth is a cyber security strategy that uses a series of layered, redundant defensive measures to protect sensitive data, personally identifiable information (PII) and information technology assets.

If one security control fails, the next security layer thwarts the potential cyber attack. This multi-layered approach reduces the cyber threat of a particular vulnerability exploit being successful, improving the security of the system as a whole and greatly reducing cybersecurity risk.

Simplicity in security is the opposing principle to defense in depth. It operates under the assumption that multiple security measures increase complexity and lead to gaps attackers can leverage.

Data centers, the Internet of Things (IoT) and remote working are all great examples of things that can increase organizational productivity and employee happiness but also introduce security risks.

Organizations need to balance productivity and simple security solutions with defense in depth.

Table of Contents

  1. Where does defense in depth come from?
  2. How does defense in depth work?
  3. What are the elements of defense in depth?
  4. An overlooked part of defense in depth
  5. How UpGuard can improve your defense in depth strategy

Where Does Defense in Depth Come From?

Defense in depth comes from the National Security Agency (NSA). It was conceived as a comprehensive approach to information security and cyber security. The term was inspired by a military strategy with the same name.

In practice, the military strategy and the information assurance strategy differ.

Defense in depth as a military strategy revolves around having a weaker perimeter defense and intentionally yielding space to buy time to build a counter-attack.

As a cyber security strategy, defense in depth involves parallel systems of physical, technical and administrative countermeasures that work together but do not intentionally cede control to an attacker. A honeypot is akin to the military version of defense in depth.

Many people refer to defense in depth as the castle approach as it mimics the layering of defenses used by medieval castles. Before attackers could get to the castle, they had to beat the moat, ramparts, drawbridge, towers and battlements.

How Does Defense in Depth Work?

The most important thing to understand about defense in depth is that a potential attack should be stopped by several independent methods. This means security solutions must address security vulnerabilities over the life cycle of the system, rather than at one point in time.

The increasing sophistication of cyber attacks means organizations can no longer rely on one security product to protect them.

Security professionals need to apply defense in depth across all IT systems, from employee laptops needing protection from Wi-Fi-based man-in-the-middle attacks to domain hijacking prevention with DNSSEC.

There is no one layer of security that protects against all cyber threats. Cybercriminals are becoming increasingly sophisticated in their attacks and organizations need to respond by improving their defense in depth.

Poor access control, phishing, email spoofing, ransomware, data breaches, data leaks, typosquatting and different types of malware can all be used in combination to attack your organization. The daily growth of the CVE list highlights how vulnerable every organization is.

A great example of the need for defense in depth was the spread of WannaCry. It highlights how poor global cyber resilience is.

Organizations need multiple security layers including firewalls, antimalware and antivirus software, intrusion detection systems, data encryption, physical controls and security awareness training to reduce the range of possible attack vectors.

What are the Elements of Defense in Depth?

There are three core parts of any defense in depth strategy:

  1. Physical controls: Security measures that prevent physical access to IT systems such as security guards, keycards and locked doors.
  2. Technical controls: Security measures that protect network security and other IT resources using hardware and software, such as intrusion protection systems, web application firewalls, configuration management, web scanners, two-factor authentication, biometrics, timed access, password managers, virtual private networks, at-rest encryption, hashing and encrypted backups.
  3. Administrative controls: Security measures consisting of policies and procedures directed at an organization's employees and their vendors. Examples include information security policies, vendor risk management, third-party risk management frameworks, cyber security risk assessments and information risk management strategies.

Together, physical, technical and administrative controls make up a basic defense in depth strategy. Additionally, many security professionals use security tools that continuously monitor them and their vendors for potential holes in their security defenses.
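The requirement that an attack be stopped by several independent methods can be checked against a control inventory. The following is an added example, not part of the original article or any UpGuard tooling: it uses control and threat names from this page with an assumed, constructed mapping between them, and reports threats with no control, with fewer than two controls, or with controls that all fall in a single category (treated here, as an assumption, as weak independence).

```python
# Added example: layer-coverage check over a constructed control inventory.
# Control and threat names come from the article; the mapping between them is
# an assumption made for illustration, not an assessment of any real product.
CONTROLS = [
    # (control, category, threats it is assumed to mitigate)
    ("security awareness training", "administrative",
     {"phishing", "email spoofing", "typosquatting"}),
    ("two-factor authentication", "technical", {"phishing", "poor access control"}),
    ("web application firewall", "technical", {"vulnerability exploit"}),
    ("intrusion detection system", "technical", {"vulnerability exploit", "ransomware"}),
    ("encrypted backups", "technical", {"ransomware"}),
    ("keycards and locked doors", "physical", {"poor access control"}),
    ("vendor risk management", "administrative", {"third-party breach"}),
]
THREATS = ["phishing", "email spoofing", "typosquatting", "ransomware",
           "poor access control", "vulnerability exploit",
           "third-party breach", "data leak"]


def layer_coverage(controls, threats):
    """Map each threat to the controls and control categories that address it."""
    cover = {t: {"controls": [], "categories": set()} for t in threats}
    for name, category, mitigates in controls:
        for threat in mitigates:
            if threat in cover:
                cover[threat]["controls"].append(name)
                cover[threat]["categories"].add(category)
    return cover


def find_gaps(controls, threats, min_layers=2):
    """Classify threats that do not meet the 'several independent methods' bar."""
    gaps = {"uncovered": [], "too_few_layers": [], "single_category": []}
    for threat, info in layer_coverage(controls, threats).items():
        layers = len(info["controls"])
        if layers == 0:
            gaps["uncovered"].append(threat)
        elif layers < min_layers:
            gaps["too_few_layers"].append(threat)
        elif len(info["categories"]) == 1:
            # Enough controls, but all of one kind: flagged as weak independence.
            gaps["single_category"].append(threat)
    return gaps


if __name__ == "__main__":
    for kind, names in find_gaps(CONTROLS, THREATS).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```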

If your organization is new to cybersecurity, a great place to start is with the NIST Cybersecurity Framework and our whitepapers.

An Overlooked Part of Defense in Depth

Every organization wants to protect its own and its customers' sensitive data from data breaches and data leaks. However, many organizations fail to successfully manage third-party risk and fourth-party risk.

It's no longer enough to simply ensure your organization is secure. Many big data breaches are caused by third-party vendors. If you are outsourcing business functions or storing sensitive information on cloud providers, you need to think through how you are managing your vendors.

Your defense in depth strategy needs to look beyond the perimeter of your organization and properly vet third and even fourth-party vendors (the vendors of your vendors) to understand who has access to sensitive data and how good their cyber security is.

The 2013 Target data breach, which began at an air conditioning subcontractor, is a well-known example, but the danger of third-party vendor risk has only increased. More third-party breaches are being discovered than ever before. The discipline of third-party risk management (or TPRM) has evolved to help manage this new type of risk exposure.

How UpGuard Can Improve Your Defense in Depth Strategy

UpGuard helps companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA protect their data and prevent data breaches.

Our data breach research has been featured in the New York Times, Bloomberg, Washington Post, Forbes and Techcrunch.

UpGuard can monitor your organization's and its vendors' websites for issues relating to DNSSEC, SSL, email spoofing, typosquatting, man-in-the-middle attacks and vulnerabilities.

UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customers' trust through cyber security ratings and continuous exposure detection.

Author: Dong Thiel