Defense in Depth is a strategy that uses multiple, overlapping security measures to protect the confidentiality, integrity, and availability of information. This way of thinking is used to cover all angles of business security, being intentionally redundant where necessary. If one line of defense is compromised, additional layers of defense are in place to ensure that threats do not slip through the cracks. The method accepts that vulnerabilities will inevitably exist in the technology, personnel, and operations of any network, and plans for them rather than assuming any single control will hold.
As cyberthreats continue to evolve and tactics become more malicious and automated, Defense in Depth provides a solid, comprehensive approach to modern security for IT professionals.
This is critically important when you consider recent data from the Verizon 2020 Data Breach Investigations Report (DBIR). The 2020 report analyzed more than 32,000 security incidents and nearly 4,000 confirmed breaches worldwide. Here are just a few alarming updates:
- More data breaches: The number of confirmed breaches analyzed roughly doubled compared with the 2019 DBIR.
- Web application attacks: The share of breaches involving web application attacks rose to 43%, double the previous year.
- Financially motivated attacks: A staggering 86% of data breaches were for financial gain (up from 71% in the prior DBIR).
- Email and credentials: 67% of the attacks involved phishing, business email compromise, or credential theft.
Defense in Depth’s value lies in combining security tools so that critical data is protected and threats are blocked before they reach endpoints and networks. Endpoint protection, including antivirus and host firewalls, is still an instrumental element of complete security; however, Defense in Depth is seeing significant adoption because these methods of network security alone are no longer enough to protect the modern workforce.
The security risks are magnified further today as work-from-home mandates continue at various levels for businesses across the globe. As remote workers access and share data via cloud apps and work outside the traditional network perimeter, this not only affects the success of digital transformation initiatives but introduces new attack risks.
As IT and security professionals will agree, the Internet has become the new office perimeter and it must be defended in a new and comprehensive way. This is where the concept of Defense in Depth shines: it takes cybersecurity a step further by acknowledging that protection requires three categories of control, covering the physical, technical, and administrative aspects of the network.
These three controls build the architecture of a Defense in Depth strategy:
Physical Controls are the security measures that protect IT systems from physical harm. Examples of physical controls include security guards and locked doors.
Technical Controls are the protection methods that secure network systems. Hardware, software, and network-level protections all fall within a company’s technical controls. Cybersecurity efforts, including layered security, live in this category.
Administrative Controls are the policies and procedures put in place by an organization and directed at its employees. Training employees to label sensitive information as “confidential”, or to keep private files in the proper folders, are examples of administrative controls.
What is the history and origin of Defense in Depth?
Defense in Depth, as a concept and phrase, originated as a military strategy that referred to barriers that were put in place to slow the progress of intruders while giving troops time to monitor the intruders’ movements and develop a response. The goal of this method was to slow or delay the advance of the attacker instead of retaliating immediately.
Before the work-from-home transition and the reliance on the Internet as the central point of everything, businesses relied on physical data centers protected by many tangible layers. The office building was unlocked only for employees with a badge, and you needed an Active Directory account and a corporate laptop with the right permissions to access files. The worst-case scenario was typically someone from the marketing department accidentally gaining permissions to an engineering folder. This has quickly and dramatically changed.
What are the modern cybersecurity challenges?
As the shift towards digital transformation accelerates, our livelihoods and business processes live online and in the cloud. While the principles of a Defense in Depth strategy remain critical, applying them now requires far more advanced technical controls to keep companies and workforces safe online.
Large cloud service providers have top-notch security in place and standardized processes, but the provider secures only its own infrastructure; the customer remains responsible for its accounts, configuration, and data, so a cloud service is only as secure as its employees and users make it. Users often fall victim to phishing scams and malicious links that expose the network to criminals scouring the Internet in search of private data to exploit. In the cloud, users don’t need an employee badge or a specific corporate device to access files; it can take as little as a few clicks to expose your network to threats lingering on the World Wide Web.
Common holes in cybersecurity strategies
- Viruses or malware are discovered too late, giving an intruder a long dwell time
- Employees are falling victim to phishing tactics that open up the network to threats
- Known flaws are not being patched and updates are ignored
- Security policies are not enforced or well known by employees and users
- Missing or poorly implemented encryption
- Lack of malware protection
- Work-from-home mandates are introducing new risks as remote employees connect over unsecured networks and expose data
- Physical security flaws
- Business partners or supply chains are not always fully secure
How does defense in depth help?
A single layer of security simply won’t be effective against today’s rapidly changing and increasingly automated cybercrime landscape. The Defense in Depth strategy builds a more secure network by layering, and sometimes deliberately duplicating, protection methods to minimize the probability that a single failure leads to a breach.
By layering a series of different defenses, such as firewalls, antivirus, intrusion detection, regular port scanning of your own perimeter to find unintended exposed services, secure gateways, and more, businesses are able to fill gaps and close loopholes that would otherwise exist if the network relied on only one layer of security. As an example, if the network protection layer is bypassed by an attacker, Defense in Depth gives administrators and engineers additional time to deploy updates and countermeasures while the antivirus and firewall layers remain in place to block further entry. The caveat is that layers only add depth when their failure modes are independent: two products that rely on the same signature feed or the same credential will be defeated by the same attack.
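The reasoning above can be made concrete with a control-coverage model. The following is an added example, not code from the original article: each layer is represented by the set of attack techniques it is expected to stop, and the functions answer the questions the text raises, which techniques no layer stops (the gaps), what a proposed layer adds on top of the existing ones (whether it fills a gap or merely duplicates coverage), and what remains covered when one layer is bypassed. The technique names and the layer-to-technique mapping are constructed assumptions for illustration, not figures from the DBIR or any product.

```python
"""Control-coverage model for a layered (Defense in Depth) design.

Added example. Layers are modelled as sets of attack techniques they
stop; a technique stopped by no layer is a gap, and one stopped by only
a single layer is a single point of failure.
"""

# Constructed catalog (assumption for illustration): which layer is
# expected to stop which technique.
LAYERS = {
    "firewall": {"exposed_admin_port", "inbound_scan"},
    "secure_web_gateway": {"phishing_link", "malicious_download", "c2_callback"},
    "antivirus": {"macro_malware", "malicious_download"},
    "ids_ips": {"inbound_scan", "c2_callback", "exploit_unpatched_webapp"},
    "patch_management": {"exploit_unpatched_webapp"},
    "two_factor_auth": {"credential_stuffing", "phishing_credentials"},
}

# Constructed threat list the design is assessed against.
THREATS = {
    "exposed_admin_port", "inbound_scan", "phishing_link", "malicious_download",
    "c2_callback", "macro_malware", "exploit_unpatched_webapp",
    "credential_stuffing", "phishing_credentials", "usb_drop",
}


def covered(layers):
    """Union of everything at least one layer stops."""
    return set().union(*layers.values()) if layers else set()


def gaps(layers, threats=THREATS):
    """Techniques that no layer stops: the loopholes the text talks about."""
    return threats - covered(layers)


def coverage_depth(layers, threats=THREATS):
    """How many layers stop each technique (0 = gap, 1 = no redundancy)."""
    return {t: sum(t in stops for stops in layers.values()) for t in threats}


def single_points_of_failure(layers, threats=THREATS):
    """Techniques whose only defence is one layer: bypass it and they get through."""
    return {t for t, n in coverage_depth(layers, threats).items() if n == 1}


def marginal_gain(layers, stops):
    """Techniques a proposed layer would stop that nothing in place already does."""
    return set(stops) - covered(layers)


def add_layer(layers, name, stops):
    """Return a new design with an extra layer (the input is not modified)."""
    new = dict(layers)
    new[name] = set(stops)
    return new


def bypass(layers, name):
    """What is still covered once one layer has been defeated by an attacker."""
    remaining = {k: v for k, v in layers.items() if k != name}
    return covered(remaining)


if __name__ == "__main__":
    print("gaps:", sorted(gaps(LAYERS)))
    print("single points of failure:", sorted(single_points_of_failure(LAYERS)))
    # A second antivirus with the same coverage closes no gap but adds depth.
    dup = add_layer(LAYERS, "antivirus_2", LAYERS["antivirus"])
    print("gain from duplicate AV:", marginal_gain(LAYERS, LAYERS["antivirus"]))
    print("macro_malware depth with duplicate AV:", coverage_depth(dup)["macro_malware"])
    # Device control closes the usb_drop gap that nothing else addresses.
    print("gain from device control:", marginal_gain(LAYERS, {"usb_drop"}))
    # Losing the firewall exposes the admin port, but inbound scans are
    # still caught by the IDS/IPS layer.
    survivors = bypass(LAYERS, "firewall")
    print("after firewall bypass, inbound_scan covered:", "inbound_scan" in survivors)
    print("after firewall bypass, exposed_admin_port covered:",
          "exposed_admin_port" in survivors)
```

The model treats each layer as stopping what it lists regardless of the others, which is exactly the independence assumption the text needs; if two products share a detection source, model them as one layer, otherwise the depth figure overstates the real redundancy.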
How does Defense in Depth relate to layered security?
Layered security for small and medium businesses (SMBs) uses a combination of several cybersecurity solutions that are designed to reduce a network’s attack surface and protect it from all angles.
This approach arose with the rise of mobile working, IoT devices, and the increased reliance of businesses on the Internet in general. Endpoint devices, cloud services, and web applications now hold the keys to data that cybercriminals see as dollar signs. Back when data was protected in a locked building, one or possibly two layers would have sufficed.
Today, SMB attack surfaces are growing rapidly as new devices are introduced to make operations more efficient, and the data they collect is stored in third-party applications or the cloud. The avenues for attack are now all but endless. One firewall is no longer enough.
Layered security is an essential part of the technical-controls side of Defense in Depth. It is focused on cybersecurity and on fully protecting endpoints and networks, whereas Defense in Depth acknowledges that total security isn’t realistic and that slowing an attacker until the intrusion can be detected and contained is the most effective way to secure a business. Defense in Depth offers a higher level of protection because, in addition to cybersecurity, it also covers the administrative and physical controls that a business should regulate to stay secure.
What security layers does an SMB need?
To determine what layers are needed, it’s best to lay out what sensitive data you have, where it is located, and who has access to it. Devices, data, and people are often the keys to assessing your security risk. Once you’ve identified your at-risk data or devices, it is easier to decide which layers you need and how they fit into your entire security approach.
Some of these security services and products below may seem repetitive or are actually already included in the features of another security layer; they are listed here separately because they either perform an important function on their own or repetition is needed for increased protection.
What are the recommended cybersecurity layers for SMBs?
The cybersecurity products and services below are considered “core” for an SMB because they protect against major threats that could quickly cause unnecessary downtime, costs, and reputational damage to a business.
- Secure Web Gateway
- Secure Internet Gateway
- Patch Management
- Backup & Recovery
As workforces continue to access company networks remotely, and businesses grow and adopt additional cloud services and expand offerings, these security layers below become equally important:
- Two-Factor Authentication
- Intrusion Detection and Prevention Systems
- Data Loss Prevention*
- Virtual Private Network (VPN)
*Depending on your market sector and according to your compliance requirements