Cybersecurity Defense in Depth Strategy

A Brief History on Defense in Depth 

Cybersecurity defense in depth dates to the 1990s, however it originated with the Roman Empire beginning roughly in 200 AD. Prior to this, the Romans utilized a forward defense, whereby they pushed their military into enemy territories to stop attacks before they even reached Roman soil. Forward defense ended up becoming too expensive to continue to utilize, and so largely out of necessity to bring costs down, they employed a defense in depth strategy. Their implementation of defense in depth utilized towers and fortified villas scattered across their borders. Yes, a large attacking army could overwhelm a single defensive point, however, they utilized a sophisticated information network of signals and communication. Upon attacking one tower, soldiers from nearby towers would come to join the fight to overwhelm and push the attackers back. If the attackers decided to skirt around a defense, they would find themselves facing a sortie; a defensive point attacking them from the rear. The defensive strategy proved to be successful. It was a difficult defense to breach and their costs were significantly reduced. And it helped defend Rome successfully for many years. But, eventually Rome did fall, and to some extent it was because of an ineffective implementation of their original defense in depth strategy. 

Today, the defense in depth concept is receiving considerable attention, and for good reason. The idea that one cyber security defense is enough to thwart an attacker has consistently been proven to not be sufficient. Relying on a firewall to protect an application that is only used internally doesn’t do enough to ensure the application and its data are secured. If the exploit originates from within your internal network, it doesn’t matter how well configured your firewall may be. 

Suggested Controls to help mitigate internal cyberattacks: 

• Screen new employees using background checks and provide regular security and awareness training. Include social engineering tests into your overall security and awareness training program. 
• Utilize effective Role Based Access Controls (RBAC) that ensures separation of duties and limits their scope of access, and even consider implementing an Identity Access Management (IAM) system. 
• Enforce complex passwords and require them to be changed routinely, and even consider implementing dual factor authentication. 
• Encrypt sensitive data both in transit and at rest. 
• Implement Data Loss Prevention (DLP) tools. 
• Implement email security software that detects and filters out phishing attacks from coming in and prevents sensitive data from being sent out. 

Simply having one technology or policy isn’t enough to ensure that your critical applications and data are safe. A multi-layered approach that ideally has an overlapping and redundant design is the best method of ensuring security. That way, if an attacker breaches one layer of your defense, there are many more obstacles the attacker must also overcome to compromise your business’ critical assets. Defining the best defense mechanisms, and the overall design of your defense in depth strategy is best done through a risk management approach. This includes defining what risks your business faces, determining the likelihood and impact, and running this against your risk tolerance. Understanding where your significant risks exist will help to effectively steer the design of your defense in depth strategy. 

Ultimately, what you want to avoid is introducing a single point of failure to your critical assets. Strictly speaking, no one piece of your overall defense in depth design is more important than another. Having a properly configured firewall may help keep out external threats introduced from the Internet, but if you have employees who are easily fooled, and are all too eager to be helpful to anyone that may call or walk in off the street, it really doesn’t matter. It’s vital that your defense in depth design is robust and removes any single points of failure. 

Defense in Depth is Important but It’s Not Enough 

Defense in depth has been around for some time and is widely considered common practice. However, the reality is that it’s often not enough. It may stop the majority of external attacks but a highly sophisticated attacker who has the ability to map out your entire defense in depth design will find a way in. There are many recommendations on how to remediate the risk of your unknown gaps, specifically at the perimeter of your network. 

One such way as proposed by Frank Mong in his article Does Defense in Depth Still Work against Today’s Cyber Threats? is through adopting a zero trust security policy where access in and through a network is based on “applications, data, and user information to establish policies” rather than “port and protocol-based security”, then to couple that with an automated Advanced Threat Protection (ATP) platform that utilizes near real time threat information to adjust those policies. This defense is similar to Rome’s implementation of defense in depth, which weakened and slowed attacks. Mong goes on further to recommend using Security Information and Event Management (SIEM) tools to help if your perimeter has been breached. This is also like Rome’s implementation where they relied heavily on information to be successful. A SIEM will help identify attacks and notify your cybersecurity professionals where to target their focus. Finally, like Rome’s implementation, utilizing effective communication and defining an effective incident response plan will be vital to your overall defense in depth strategy. 

Often times, defense in depth planning only includes technical controls keeping attackers out of your network, but too often the risk of an internal attack isn’t planned for, which leaves applications and data exposed and easily exploited. In summary, it’s important to take a holistic approach to defense in depth as the approach is only as good as its widest gap. It’s important to understand where these are and work to remediate them.