Defense In Depth

Your Firewall Isn’t Enough

“We have a firewall and AV protection on every machine,” he says as he raps his fingers on the conference room table. “Knock-on-wood, but it would be virtually impossible for a bad guy to break into this environment. I’m confident in our ability to defend an attack.”

That’s a real quote from a CIO of a healthcare organization responsible for the care of a large geographic region in the United States. Of course, they hold sensitive customer data in their environment and they require 100% uptime in order to properly care for their patients. It’s truly life-or-death.

You might wonder, “Why is this guy complaining? They have a firewall and AV protection. That sounds like an impenetrable fortress!”

I would argue that a firewall and endpoint protection are table stakes. Those elements are the baseline of protection that you should include in your environment, but they are far from the pinnacle of security. These elements are akin to latching the screen door on your porch; they will block half-hearted attempts to compromise your environment. If an intruder has enough incentive and resources, they will breach your environment given enough time.

There is no silver bullet for this problem. No vendor or product can guarantee your protection. It’s crucial that you adopt a Defense in Depth methodology in approaching this difficult challenge.

Defense in Depth

Our friends at Fortinet define Defense in Depth as the following:

Defense in depth is a strategy that leverages multiple security measures to protect an organization's assets. The thinking is that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way. Defense in depth addresses the security vulnerabilities inherent not only with hardware and software but also with people, as negligence or human error are often the cause of a security breach. 1

A Defense in Depth strategy includes solutions, processes and architecture that create an extremely resilient and hardened environment. This approach makes it very difficult for attackers to gain access to your environment without alerting you to the nefarious activity, and it leaves a breadcrumb trail for you to investigate. Our goal is to prevent attacks from being successful, but it is wise to also include analytics and visibility across your whole environment.

Areas of Priority

This is not an exhaustive list, but here are a few areas of focus presented by ISACA.2

  • Malware & Ransomware Defense

  • Border Protection

  • Network Design

  • Proxy

  • 3rd-Party Networks

  • Physical Security

  • Authentication

  • User Education

  • Testing

  • And more.

Each organization is different and requires a strategic vision for security that could introduce additional elements. Please do your own due diligence with regard to the cybersecurity policies and posture of your organization.

Let’s Take This Home

Defense in Depth is a term borrowed from the military. It’s meant to convey the idea of expanding the scope of potential threats, which allows you to create a system and flexible policies. This concept was developed as a mechanism that reduced the likelihood that units were blindsided by attacks.3 

In the same manner, you should take every step to ensure that your organization is not blindsided by an attack. A Defense in Depth strategy is a great place for you to start.
