
Defense-In-Depth

Businesses need to start thinking about their security architecture in the same manner we think about designing fault tolerance into our systems and networks. In cybersecurity, we call this a Defense-in-Depth security architecture.


The Five Laws of Cybersecurity:

1. If there is a vulnerability, it will be exploited.
2. Everything is vulnerable in some way.
3. Humans trust, even when they shouldn't.
4. With innovation comes an opportunity for exploitation.
5. When in doubt, see Law Number 1.

For any given security module or solution, one should adopt the (realistic) mindset that said solution falls into only one of two buckets:

Bucket #1: A technology solution that hackers have already found ways to exploit or bypass.

Bucket #2: A technology solution that hackers will eventually find ways to exploit or bypass.

All other proverbial buckets only exist in fairy tales.

DEFENSE-IN-DEPTH

The layers of the model:

- Governance, Risk & Compliance: continual assessments and improvements.
- Strategy & Planning
- Monitoring, Alerting & Reporting
- Secure Access Service Edge 2.0 Framework
- Tech Stack: Platform Security
- Tech Stack: Endpoint Security
- Tech Stack: End-user Security Awareness & Simulation Platform

Architecture & Tooling Strategies

Architect Around Threat Vectors

The simplest way to start conceptualizing defense-in-depth tooling is to start with a single threat vector and then architect your defenses against it. Malware, as a simplistic example, is a file-based attack vector. The standardized N+1 strategy for defense in depth is to deploy a firewall at the network edge that is capable of file inspection and, ideally, a sandbox mechanism that detonates each file to check whether it attempts to spawn malicious processes on execution. Realistically assuming that even top-of-the-line firewalls will eventually allow a malicious file through, we layer an Endpoint Protection Platform (EPP) or Endpoint Detection and Response (EDR) on our endpoints to catch anything that evades the firewall.

Bring Identity into the Forefront

Another example to conceptualize is securing remote access to corporate systems. We start with a tool such as a Virtual Private Network (VPN), Software Defined Perimeter (SDP), or Zero Trust Network Access (ZTNA) that allows a remote host to securely access internal resources over an encrypted tunnel. The configuration of the tool and tunnel validates that a legitimate host is connecting to the network. However, hosts get compromised, so we add further layers to that remote access tool by not only authenticating and authorizing the host but also authenticating the user to whom the host belongs, generally with Multi-Factor Authentication (MFA).

Always Confirm the Integrity of Hosts & Systems

Additional layers can be added that further improve security validation while remaining frictionless to the end user. Device posture checks are one example: making sure the host is running an adequately patched operating system and that the proper endpoint security software is running on it. At the end of the day, you want to be sure that 1.) this is indeed your host (and not a hacker's), 2.) it is being driven by your user (not a hacker), 3.) systems are secured against critical vulnerabilities, and 4.) systems are running proper protections.

Manage Access and Entitlements

By this point, most companies that allowed users to VPN or domain-join and get full network access to large amounts of system resources (whether their job required access or not) on a large, flat network have learned from their mistakes. Networks must be properly segmented, but more importantly, access must be mapped to a Principle of Least Privilege framework, only allowing access, authentication, and authorization to those that must be entitled to a given resource. An easy rule to follow: if a user doesn't need access to a given private system resource, they should never be able to ping its IP address.
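One way to encode the four host-and-user checks above together with the least-privilege rule as a single default-deny access decision, written as an added example (not Defensive Networks' code); the OS baselines, agent name and entitlement map are constructed placeholders:

```python
from dataclasses import dataclass

# Constructed sample policy: minimum OS build per platform and the endpoint
# agent that must be running (placeholder agent name, not a real product).
MIN_OS = {"windows": (10, 0, 19045), "macos": (13, 6, 0)}
REQUIRED_AGENT = "example-edr-agent"

# Constructed entitlement map: user -> private resources they may reach.
# Anyone not listed for a resource never gets a route to it.
ENTITLEMENTS = {
    "alice": {"hr-db"},
    "bob": {"build-server", "hr-db"},
}


@dataclass
class AccessRequest:
    user: str
    resource: str
    host_cert_valid: bool   # layer 1: is this our managed host?
    mfa_passed: bool        # layer 2: is it driven by our user?
    platform: str
    os_version: tuple       # layer 3: patched to at least the baseline?
    running_agents: set     # layer 4: is endpoint protection running?


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Default-deny decision: every layer must pass. All failing layers are
    reported, not just the first, so monitoring sees the full picture."""
    reasons = []
    if not req.host_cert_valid:
        reasons.append("host identity not verified")
    if not req.mfa_passed:
        reasons.append("user MFA not satisfied")
    baseline = MIN_OS.get(req.platform)
    if baseline is None or req.os_version < baseline:
        reasons.append(f"os {req.platform} {req.os_version} below patch baseline")
    if REQUIRED_AGENT not in req.running_agents:
        reasons.append(f"{REQUIRED_AGENT} not running")
    # Least privilege: no entitlement means no access, whatever else passed.
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        reasons.append(f"{req.user} not entitled to {req.resource}")
    return (len(reasons) == 0, reasons)
```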

Adapt to the Cloud-First World

Just because you don't have an infrastructure layer of control over a SaaS app that your company uses doesn't mean that the security of said service is off your plate. It is our responsibility as Security and IT professionals to bring the principles of least privilege and Zero Trust frameworks into our cloud security practices. At a minimum, authentication and authorization to cloud-based applications must be solved with a cohesive strategy. As a rule: if a user doesn't require access to a given cloud resource or SaaS tool, they should not be given a login, and further, they should never be able to successfully log in to said system with another employee's valid credentials.

Set Appropriate Guard Rails

While many businesses are diligent about phishing simulation training, we still leverage an email security tool in tandem. Why? It goes back to Law #3: humans trust, even when they shouldn't. Any defense-in-depth strategy must architect around both human error and insider threats. On the private access side, we may use advanced Privileged Access Management (PAM) and Data Loss Prevention (DLP) controls. Many businesses must speed up their adoption of similar controls for the cloud world with cloud-native Security Service Edge (SSE) tools such as a Cloud Access Security Broker (CASB) that prevent abuse within systems managed by third parties.

Select the Right Tools

Every business is different, and no Security and IT budget is going to be unlimited. There is a fine balance to strike between going 'best of breed' for any given security module, which often results in a proliferation of complexity from having 'too many tools with too many portals', and consolidating multiple modules into a single tool, where one must make sure the efficacy of the defenses isn't sacrificed for the sake of agent, device or vendor consolidation.

Readiness to Respond


Most are Understaffed and Underfunded

Cybercrime is one of the most significant threats to organizations in the 21st century. In 2020, 62% of security teams reported being underprepared, underfunded, and understaffed.

Recent surveys conducted by IBM found that almost 70% of Cyber Responders are seeking mental health assistance due to work stress. 40% of respondents reported their mental health challenges as high to extreme.

Talent Shortage

As of 2022, companies and government agencies are unable to fill almost 70% of needed security roles. This issue is even worse in large commercial metros, where job vacancies can be as high as 80%.


Be Realistic On What Your Team Can Handle

Cybersecurity is hard.

We must do everything right, all of the time, whereas hackers only need to be right once. Additionally, most breaches occur on nights and weekends, which are times that most companies don't staff adequately, if at all. While many tools have become more robust in their ability to autonomously block and remediate different types of attacks, we must live under the assumption that evasion of defenses is not an "if" but a "when", and when it happens, are we prepared, or have we chosen the right security partners who will be ready?

The Defensive Methodology

Our in-depth approach to cybersecurity follows a proven and effective method. We evaluate tools, people, and processes to create a tailored solution for your business needs, objectives, and budget. Our methodology uses MITRE ATT&CK coverage to classify and describe cyberattacks and to set technical, achievable goals.

Once we’ve analyzed your organization’s security setup, we’ll provide detailed feedback. Our reports will highlight areas to improve with better tool sets, training, playbooks, automation, outsourcing, or recruiting additional headcount.

Speak to the Defensive team about a Defense-in-Depth security analysis to provide your business with solutions and services tailored to its needs and budget.

Why Defensive Networks?

Defensive is a Next Generation Solution Provider for a Cloud-First World. We exist to take the guesswork out of Cybersecurity and Information Technology procurement and adoption.

Defensive of your Brand.

We are trusted by leading enterprises around the globe.

Defensive of your People.

Let's create harmony between Infosec, IT, Executives, End Users, and Finance.

Defensive of your Time.

We’re straight to the point with technologies and strategies that work.

Defensive of your Budget.

Eliminate wasted expenditure and maximize the value of every dollar.

TRUSTED BY

87 of the Fortune 1000.
Over 1,400 small, medium and large enterprises.
