defense in depth cybersecurity

When it comes to protecting your digital castle, you can never have too many walls. The days of relying on a single control such as anti-virus alone are long gone. Attackers have become far more sophisticated, and meeting the defensive demands of protecting your organization and its information calls for a multi-layered defense in depth cybersecurity strategy: no single layer is expected to stop everything, so each one is there to catch what the layer before it missed.

Cybersecurity threats get more advanced every day. And in response you need a defense strategy that addresses these evolving concerns at every level. So let’s discuss what a proper defense in depth cybersecurity strategy is, the components of it, and how each layer provides protection against the bad actors that want your valuable information.

In this article we will go over a range of methodologies for a defense in depth cybersecurity strategy. Not all of them will be salient to every organization, but it’s important to have a well-rounded understanding of the various levels of protection that are available.

Security awareness training

“The problem is usually between the chair and the keyboard…” It’s a common saying in the cybersecurity community. But if you think about it, it’s true. Even the most sophisticated walls can be breached if there are people who unknowingly put down a ladder for the enemy to get over them.

It can’t be overstated that a large share of breaches begin with a user action: a clicked link, a reused password, an attachment opened. You can think of this as an unintentional insider threat, but a threat nonetheless. When the result is exposure of personally identifiable information (PII) or protected health information (PHI) it is a data leak; in government settings, classified information landing on a system that isn’t cleared for it is called spillage. Training works best when it is continuous and measured, for example with periodic phishing simulations, rather than a once-a-year slide deck.

Antivirus and antimalware (AV/AM)

Anti-virus/anti-malware software is probably the most familiar layer, having been around for decades. At its core it is signature-based: it recognizes malicious files by comparing them against a catalog of known-bad hashes and byte patterns.

Anti-virus/anti-malware software performs on a number of levels to provide a base layer of security. They’re designed to detect, block, and remove malicious software elements like viruses, Trojans, worms, spyware, and more. Via active monitoring, theoretically they can identify and eradicate threats on the system before any damage is done.

Because the engine works from signatures, it reliably catches only threats that have already been seen and catalogued. A brand-new or freshly modified sample (an emerging or zero-day threat) can slip past until a signature for it ships, which is why modern products add heuristics and cloud lookups on top, and why AV/AM is only one layer here. Aside from keeping data safe, it can also improve machine performance, since malware is known to hog resources and cause slowdowns and crashes.

Generally the interfaces are simple enough for even the least technology-savvy person to navigate. So whether for business or personal use, anti-virus and anti-malware programs remain a sensible first line of defense against attacks.
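As an added illustration (Python; not code from the original article), here is the signature mechanism in miniature: a hash signature, a byte-pattern signature with a one-byte wildcard, and three constructed files run through the scanner. The sample bytes, signature names and the two "variants" are invented for this example; no real malware is involved.

```python
"""Signature-based scanning, stripped to the mechanism classic AV/AM engines use.

Two signature kinds are compared: an exact file hash and a byte pattern with a
wildcard. The "malware" below is a harmless constructed byte string standing in
for a binary; the signatures are invented for this example.
"""
import hashlib
import re
from typing import List

# Constructed sample: fake PE header, padding, a marker string, and some filler.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"EVIL_PAYLOAD_V1" + b"\xcc" * 8

# Hash signature: fires only on a byte-for-byte identical file.
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Example.Trojan.A (hash)",
}

# Pattern signature in a YARA-like hex form; "??" is a one-byte wildcard.
# The bytes spell "EVIL_?AYLOAD", so the family still matches if the file around it changes.
PATTERN_SIGNATURES = {
    "Example.Trojan.A (pattern)": "45 56 49 4C 5F ?? 41 59 4C 4F 41 44",
}


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a space-separated hex pattern with ?? wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes) -> List[str]:
    """Return the name of every signature that matches the file content."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if hex_pattern_to_regex(pattern).search(data):
            hits.append(name)
    return hits


def make_variants():
    """Two constructed follow-ups to the known sample.

    repacked:   one header byte changed, payload intact (a trivial rebuild);
    new_family: the marker rewritten, i.e. code the signature author has never seen.
    """
    repacked = KNOWN_SAMPLE.replace(b"\x90", b"\x91", 1)
    new_family = KNOWN_SAMPLE.replace(b"EVIL_PAYLOAD", b"EVlL_PAYL0AD")
    return repacked, new_family


if __name__ == "__main__":
    repacked, new_family = make_variants()
    for label, blob in (("original", KNOWN_SAMPLE), ("repacked", repacked), ("new family", new_family)):
        print(f"{label:>11}: {scan(blob) or 'no signature hit'}")
```

The original sample trips both signatures; the repacked copy defeats the hash but not the pattern; the new family trips nothing, which is exactly the gap the later layers on this page exist to cover.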

Endpoint detection and response (EDR)

EDR is one of the hottest concepts in the cybersecurity world. It stands for “endpoint detection and response”. This layer operates at the endpoint level, which includes workstations, servers, and even mobile devices. Rather than matching files against signatures, it watches what processes do (what they spawn, what they write, where they connect) and flags suspicious behavior in real time, giving faster threat detection and response.

EDR solutions combine behavior analysis, anomaly detection, and machine learning to identify known, emerging, and unknown threats, which makes them one of the better defenses against zero-day attacks: an exploit nobody has a signature for still has to do something observable once it runs.

Most provide an audit trail that includes event timelines. This is very useful during incident response to establish the origin and scope of breaches which is an essential element of response, mitigation, and remediation.

They also use behavior analytics to identify activities that are suspicious or unauthorized. This helps to reduce dwell time if something malicious makes its way inside an endpoint or network.  

When it comes to threat containment different EDR solutions handle it in a variety of ways. Some use automation or offer manual ways to take action that includes device isolation from the network, killing processes, or system rollback.

EDR stacks well with other defense in depth cybersecurity elements like AV/AM, SIEM, and network security infrastructure. This type of proactive cybersecurity solution provides invaluable insight into user and system behavior for preventing threats and identifying them if and when they make their way inside.
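An added example, not part of the original article, of what “behavior-based” means in practice: a small Python engine that scores process-creation events against three behavioral rules, attaches the process ancestry as an event timeline, and makes a containment decision per host. Hostnames, paths, timestamps, rule weights and the isolation threshold are all assumed values constructed for this example; real EDR products carry far more rules and tuning.

```python
"""A miniature EDR behaviour engine.

Process-creation telemetry is scored against behavioural rules rather than
signatures, every alert carries the full process ancestry as a timeline, and a
containment decision is made per host. Hosts, paths, timestamps and the scoring
weights are all constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
ISOLATE_THRESHOLD = 60  # assumed tuning value; real products expose something similar
OFFICE_DIR = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"


@dataclass
class ProcEvent:
    ts: str        # ISO-8601 timestamp
    host: str
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str


@dataclass
class Alert:
    host: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    timeline: List[str] = field(default_factory=list)
    action: str = "none"


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: ProcEvent, index: Dict[Tuple[str, int], ProcEvent]) -> Tuple[int, List[str]]:
    """Apply the behavioural rules to one event in the context of its parent process."""
    score, reasons = 0, []
    parent = index.get((ev.host, ev.ppid))
    name = basename(ev.image)
    # Rule 1: a document-handling application spawning a shell or script host.
    if parent and basename(parent.image) in OFFICE_APPS and name in SCRIPT_HOSTS:
        score += 40
        reasons.append(f"{basename(parent.image)} spawned {name}")
    # Rule 2: PowerShell handed a base64-encoded command (hides the payload from casual review).
    low = ev.cmdline.lower()
    if name == "powershell.exe" and ("-enc " in low or "-encodedcommand" in low):
        score += 30
        reasons.append("encoded PowerShell command line")
    # Rule 3: an executable running out of a user-writable directory.
    if ev.image.lower().startswith(USER_WRITABLE) and name not in SCRIPT_HOSTS:
        score += 30
        reasons.append(f"executable launched from user-writable path: {ev.image}")
    return score, reasons


def ancestry(ev: ProcEvent, index: Dict[Tuple[str, int], ProcEvent]) -> List[ProcEvent]:
    """Walk parent links to the root so the alert shows how the chain began."""
    chain, seen = [ev], {(ev.host, ev.pid)}
    while (ev.host, ev.ppid) in index and (ev.host, ev.ppid) not in seen:
        ev = index[(ev.host, ev.ppid)]
        seen.add((ev.host, ev.pid))
        chain.append(ev)
    return list(reversed(chain))


def analyze(events: List[ProcEvent]) -> List[Alert]:
    """Score every event and emit one alert per host, with a containment decision."""
    index = {(e.host, e.pid): e for e in events}
    per_host: Dict[str, Alert] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        score, reasons = score_event(ev, index)
        if not score:
            continue
        alert = per_host.setdefault(ev.host, Alert(ev.host))
        alert.score += score
        alert.reasons.extend(reasons)
        alert.timeline = [f"{a.ts} pid={a.pid} {basename(a.image)} :: {a.cmdline}"
                          for a in ancestry(ev, index)]
    for alert in per_host.values():
        alert.action = ("isolate host, kill process chain" if alert.score >= ISOLATE_THRESHOLD
                        else "raise to analyst")
    return list(per_host.values())


# Constructed telemetry: one host with a macro-to-PowerShell chain, one doing normal work.
SAMPLE_EVENTS = [
    ProcEvent("2024-05-02T09:14:02Z", "ws-1042", 1200, 900, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent("2024-05-02T09:14:10Z", "ws-1042", 3311, 1200, OFFICE_DIR + "WINWORD.EXE", "WINWORD.EXE invoice_0423.docm"),
    ProcEvent("2024-05-02T09:14:31Z", "ws-1042", 3490, 3311,
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ProcEvent("2024-05-02T09:14:35Z", "ws-1042", 3600, 3490,
              "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "update.exe /silent"),
    ProcEvent("2024-05-02T09:15:00Z", "ws-2001", 1200, 900, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent("2024-05-02T09:15:05Z", "ws-2001", 2200, 1200, OFFICE_DIR + "OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent("2024-05-02T09:15:30Z", "ws-2001", 2300, 2200, OFFICE_DIR + "WINWORD.EXE", "WINWORD.EXE /n minutes.docx"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"{alert.host}: score={alert.score} action={alert.action}")
        for line in alert.timeline:
            print("   ", line)
```

Only ws-1042 produces an alert: Word spawning PowerShell with an encoded command, then a binary running out of the user's Temp folder, adds up past the threshold and the host is isolated. Outlook opening Word on ws-2001 is ordinary user activity and scores nothing, which is the point of scoring combinations rather than single events.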

Network security

If you look at your cybersecurity posture in terms of the castle analogy, network security would be the outer walls. A good network security posture involves multiple factors.

Firewalls

Firewalls are one of the most familiar elements of network security. At their most basic they inspect incoming and outgoing traffic and allow or block each connection based on established rules, typically source and destination address, protocol, and port.

The most important part of the firewall conversation is the rule set and the policies behind it. These define what traffic is allowed and what is blocked on the network. A sound policy denies everything by default and opens only what the business needs, and because most firewalls act on the first rule that matches, rule order matters: a broad allow placed above a specific deny quietly disables the deny.

Then there are web application firewalls (WAFs). Where a network firewall decides by address and port, a WAF sits in front of a web application and inspects the HTTP requests themselves, blocking patterns associated with cross-site scripting, SQL injection, and other web-based attacks. It is a filter, not a fix: the application behind it still has to be patched.

Email security

Going together with security awareness training, email security is a simple but highly effective element of a strong defense in depth cybersecurity strategy.

There are many approaches to email security, including encryption, content filtering, spam filtering, digital signatures, two-factor authentication on mail accounts, domain authentication (SPF, DKIM, and DMARC, which let a receiving server reject mail that claims to come from your domain but didn’t), and integrated cloud email security.

Email is also one of the first avenues bad actors try. They use phishing, spear phishing, whaling, and sender spoofing, usually wrapped in broader social engineering (and sometimes paired with vishing, the phone-call variant, when a message alone isn’t convincing).

IDS/IPS

These go by many names: intrusion detection system (IDS), intrusion prevention system (IPS), and the managed services built around them, managed threat response (MTR) and managed detection and response (MDR). They perform slightly different activities, but at their core they all watch network activity for anomalous or known-malicious patterns and alert administrators to anything suspicious or unauthorized that could indicate a breach.

Intrusion prevention systems take the concept a step further: instead of only detecting anomalous activity they sit inline and block it in real time. Like EDR, this layer is noisy, so most vendors pair it with a SOC team that analyzes and triages alerts so customers only receive actionable items. The caveat with inline blocking is that a false positive blocks legitimate traffic, so new rules are usually run in detect-only mode and tuned before they are allowed to drop packets.

Virtual private networks (VPNs)

VPNs create an encrypted tunnel between a device and a trusted network endpoint, so traffic crossing an untrusted network (a coffee-shop Wi-Fi, the internet at large) cannot be read or altered in transit. This preserves data confidentiality and integrity between the two ends of the tunnel.

The benefits include a private, authenticated path into the corporate network for remote users and hiding your real IP address from the sites you visit. Note what a VPN does not do: it protects data only while it is inside the tunnel, and it moves trust to the VPN provider rather than removing it, so “anonymity” is an overstatement.

Access control and authentication

Controlling who can access the network and how is one of the most important factors in a well-rounded defense in depth cybersecurity posture. It is a multi-faceted effort: strong, unique passwords (a password manager helps more than complexity rules), multi-factor authentication, and biometrics where they fit, followed by authorization that grants each account only the access its role needs. Together these ensure that only authorized users reach the network’s resources, and they limit what a compromised account can do.

Network segmentation

Dividing a network into smaller, isolated segments limits the damage a single breach can do. Segmentation is also a solid step against lateral (east/west) movement: an attacker who lands on a workstation in one segment cannot freely reach servers or unprotected devices in another, so an intrusion stays contained instead of spreading across the whole network.

Segmentation splits the network into smaller subnetworks, with a firewall or access control list deciding what may cross between them. That isolation shrinks the attack surface and, when something does get in, confines the damage to the segment where it started.
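The following Python is an added example, not from the original article, that ties the firewall rule discussion above together with segmentation: a first-match rule evaluator with an implicit default deny over three constructed segments (user, server and management VLANs), plus a shadowing check that catches the misordered-rule mistake. Segment ranges, rule names and probe packets are all assumptions made for this example.

```python
"""Firewall policy evaluation with first-match semantics and an implicit default
deny, applied to a segmented network.

The segments, rules and packets are constructed for this example. One evaluator
serves two checks a practitioner cares about: does the policy actually stop
east/west movement, and has a careless rule near the top silently shadowed the
rules below it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    @property
    def src_net(self):
        return ipaddress.ip_network(self.src)

    @property
    def dst_net(self):
        return ipaddress.ip_network(self.dst)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in rule.src_net
            and ipaddress.ip_address(pkt.dst) in rule.dst_net
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched falls through to the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return f"{rule.action}:{rule.name}"
    return "deny:default"


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet rule b could match is already matched by rule a."""
    return (a.src_net.supernet_of(b.src_net) and a.dst_net.supernet_of(b.dst_net)
            and a.proto in ("any", b.proto) and a.dport in (None, b.dport))


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them entirely."""
    return [b.name for i, b in enumerate(rules) if any(covers(a, b) for a in rules[:i])]


# Constructed segments: user workstations, a server VLAN, and a management VLAN.
USERS, SERVERS, MGMT = "10.10.0.0/16", "10.20.0.0/24", "10.30.0.0/24"

POLICY = [
    Rule("users-to-web", "allow", USERS, SERVERS, "tcp", 443),
    Rule("mgmt-ssh", "allow", MGMT, "10.0.0.0/8", "tcp", 22),
    Rule("block-user-east-west", "deny", USERS, USERS),   # explicit so the hit gets logged
    Rule("dns", "allow", "10.0.0.0/8", "10.20.0.53/32", "udp", 53),
]

# The same policy after someone "temporarily" opened the server VLAN at the top of the list.
BROKEN_POLICY = [Rule("temp-allow-all-to-servers", "allow", "10.0.0.0/8", SERVERS)] + POLICY

if __name__ == "__main__":
    probes = [
        Packet("10.10.4.7", "10.20.0.10", "tcp", 443),    # workstation -> web server
        Packet("10.10.4.7", "10.20.0.10", "tcp", 5432),   # workstation -> database port
        Packet("10.10.4.7", "10.10.9.2", "tcp", 445),     # workstation -> workstation (SMB)
        Packet("10.30.0.5", "10.20.0.10", "tcp", 22),     # jump host -> server
        Packet("203.0.113.9", "10.20.0.10", "tcp", 443),  # internet -> server, no rule
    ]
    for pkt in probes:
        print(f"{pkt.src:>12} -> {pkt.dst}:{pkt.dport}  {evaluate(POLICY, pkt)}")
    print("shadowed in BROKEN_POLICY:", shadowed(BROKEN_POLICY))
```

Under POLICY the workstation reaches the web port and nothing else; its attempt at the database port and at a neighbouring workstation both fail, which is the lateral-movement block in action. Under BROKEN_POLICY the same database probe is allowed, and the shadowing check reports that the specific web and DNS rules below the broad allow can no longer fire.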

Security information and event management (SIEM)

SIEM tools ingest, aggregate, and analyze log data from sources like firewalls, routers, switches, servers, and endpoints in near real time to identify and respond to security events. They normalize the different log formats into one schema, then apply predetermined rule sets and threat intelligence feeds to define threats and raise alerts.

This allows in-house and third-party security teams to correlate events and provide incident response as needed. They’re a great security layer for businesses of all sizes, from small business to large enterprise. In fact, the larger the organization the more important it is to have a SIEM system in place.

Like EDR, SIEM systems are “noisy” and produce a lot of alerts. That’s why the companies that offer them usually pair it with manual triage from their in-house security operations center (SOC).
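As an added example (Python; not from the original article), a tiny SIEM pipeline: two log sources are normalized into one schema, and two correlation rules turn thirteen raw events into two actionable alerts. The log lines, hostnames, addresses, the threat-intel indicator, the two-minute window and the five-failure threshold are all constructed or assumed for this example; the sshd lines follow the standard syslog format, the firewall lines are a simplified key=value form.

```python
"""A tiny SIEM pipeline: normalise log lines from two sources into one event
schema, then correlate across them with rules that turn a pile of raw events
into a handful of actionable alerts.

Log lines, hostnames, addresses and the threat-intel indicator are constructed
for this example.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<ip>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

THREAT_FEED = {"192.0.2.77"}      # constructed indicator from an intel feed
WINDOW = timedelta(minutes=2)     # assumed correlation window
FAIL_THRESHOLD = 5                # assumed brute-force threshold
LOG_YEAR = 2024                   # syslog lines carry no year


def normalize(line: str) -> Optional[Dict]:
    """Map one raw line onto the common schema; None for lines no parser understands."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
                "source": m["host"], "ip": m["ip"], "user": m["user"],
                "kind": "auth_ok" if m["outcome"] == "Accepted" else "auth_fail"}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "source": m["host"], "ip": m["ip"], "user": None,
                "kind": "fw_allow" if m["action"] == "allow" else "fw_block",
                "dport": int(m["dport"])}
    return None


def normalize_all(text: str) -> List[Dict]:
    return [e for e in (normalize(line) for line in text.splitlines()) if e]


def correlate(events: List[Dict]) -> List[Dict]:
    """Rule 1: FAIL_THRESHOLD or more auth failures then a success from one IP inside WINDOW.
    Rule 2: any allowed traffic or successful login from an IP on the threat feed."""
    by_ip: Dict[str, List[Dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip.setdefault(e["ip"], []).append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["kind"] == "auth_fail"]
        for ok in (e for e in evs if e["kind"] == "auth_ok"):
            recent = [f for f in fails if ok["ts"] - WINDOW <= f["ts"] <= ok["ts"]]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute-force-then-success", "severity": "high", "ip": ip,
                               "user": ok["user"], "failures": len(recent), "at": ok["ts"]})
        if ip in THREAT_FEED and any(e["kind"] in ("auth_ok", "fw_allow") for e in evs):
            alerts.append({"rule": "threat-intel-match", "severity": "high", "ip": ip,
                           "sources": sorted({e["source"] for e in evs})})
    return alerts


# Constructed log lines from a firewall (fw1) and an SSH server (srv-web).
SAMPLE_LOGS = """\
2024-05-02T09:13:40Z fw1 action=allow src=198.51.100.23 dst=10.20.0.10 dport=22 proto=tcp
May  2 09:14:02 srv-web sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 50112 ssh2
May  2 09:14:09 srv-web sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 50114 ssh2
May  2 09:14:15 srv-web sshd[2215]: Failed password for root from 198.51.100.23 port 50118 ssh2
May  2 09:14:22 srv-web sshd[2218]: Failed password for deploy from 198.51.100.23 port 50121 ssh2
May  2 09:14:31 srv-web sshd[2220]: Failed password for deploy from 198.51.100.23 port 50125 ssh2
May  2 09:14:40 srv-web sshd[2224]: Failed password for deploy from 198.51.100.23 port 50130 ssh2
May  2 09:15:01 srv-web sshd[2230]: Accepted password for deploy from 198.51.100.23 port 50140 ssh2
May  2 09:16:12 srv-web sshd[2240]: Failed password for jdoe from 203.0.113.5 port 41000 ssh2
May  2 09:16:20 srv-web sshd[2241]: Failed password for jdoe from 203.0.113.5 port 41001 ssh2
May  2 09:20:00 srv-web sshd[2260]: Accepted publickey for jdoe from 10.10.4.7 port 52000 ssh2
2024-05-02T09:21:05Z fw1 action=allow src=192.0.2.77 dst=10.20.0.10 dport=443 proto=tcp
2024-05-02T09:21:09Z fw1 action=block src=192.0.2.77 dst=10.20.0.10 dport=22 proto=tcp
"""

if __name__ == "__main__":
    events = normalize_all(SAMPLE_LOGS)
    alerts = correlate(events)
    print(f"{len(events)} raw events -> {len(alerts)} alerts")
    for a in alerts:
        print(a)
```

Two failures from 203.0.113.5 and a routine key-based login from the LAN never surface, while the six failures followed by a success from 198.51.100.23 and the allowed connection from the feed-listed address each become one alert. That reduction, and the tuning of WINDOW and FAIL_THRESHOLD behind it, is what the SOC triage mentioned above is doing at scale.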

Honeypots

These mechanisms lure attackers in so cybersecurity professionals can stay abreast of their tactics and behaviors. They are designed to detect, deflect, and in theory counteract outside attempts by adversaries to gain unauthorized network access; any contact with a honeypot is suspicious by definition, since no legitimate user has a reason to touch it.

Honeypots create a false target for attackers so cybersecurity professionals can learn information about their tactics and methodologies. They also distract bad actors from other targets. Structurally they resemble an authentic network system with data that is desirable to hackers.

Honeypots are a more sophisticated practice and not necessarily useful to every organization. They require a skilled security team to operate correctly (a poorly isolated honeypot can become a foothold rather than a decoy), and many cybersecurity firms roll them into their service offerings.

Penetration testing and vulnerability scanning

Penetration testing is a practice where a cybersecurity expert (also known as a “white hat” or “ethical hacker”) tries to gain access to a network by finding and exploiting any existing vulnerabilities. This exercise simulates an attack and identifies any weak spots in the network that bad actors could exploit.

Vulnerability scanning is performed by software, sometimes with a hardware component, designed to scan networks, endpoints, and applications for documented weaknesses. It first discovers and inventories every system within the scope of the scan.

After the inventory is built, the scanner checks each item against databases of known vulnerabilities. A report is then generated that flags assets with security flaws, out-of-date software, or known malicious software, among other findings. Authenticated scans, which log in to each host, see far more than unauthenticated ones, and findings are best prioritized by exploitability rather than worked top to bottom.

Depending on the industry, many compliance regulations mandate periodic penetration testing and vulnerability scanning.

Application whitelisting

This isn’t a new concept, but it’s still entirely valid. In simple terms, application whitelisting (also called allowlisting) is a “red light, green light” approach that blocks any application that hasn’t been explicitly approved, or “whitelisted”.

Going off of the zero-trust concept, application whitelisting operates under the principle that none of an organization’s resources can interact with its system(s) without express and explicit permission. It only allows approved software to run on a system, which reduces the viable attack surface. This makes it much harder for unauthorized and malicious software to gain access and execute on a system and compromise it.

It also helps against the dreaded zero-day threats, though for a different reason than is often assumed. Anti-virus and anti-malware work from signatures of known threats, so they must have seen a sample first. Whitelisting never needs to recognize the threat at all: it allows only binaries that have been approved (typically by file hash, publisher certificate, or path) and blocks everything else, so an unknown payload is stopped simply because nobody approved it. The caveat is that it governs what may start, not what an already-running approved program does; an exploit that executes inside an allowed process, or an allowed interpreter fed a malicious script, needs other layers.

They also help as far as insider threats are concerned. By only allowing approved applications to run on a system they aid in preventing users from accidentally or intentionally running executables that could contain malicious or unauthorized code.

Ransomware and other malware are among the most critical threats to be aware of, and they all depend on getting unauthorized code to execute. Application whitelisting provides strong protection against them by blocking that execution in the first place.

Configuring application whitelisting

Setting up application whitelisting software is a front-loaded effort. This means that most of the “heavy lifting” to get it up and running is performed initially. Once all known applications are approved, they drastically reduce the level of effort for monitoring and responding to alerts.

In terms of configuration control, whitelisting allows strict policy enforcement: only authorized software, in the versions you approved, can run in the environment. Because nothing unexpected runs, system performance and stability become more consistent, which is key to maintaining uptime and business continuity.

Application whitelisting also helps maintain compliance with regulations such as HIPAA and PCI DSS. The allowlist doubles as a software inventory, which makes audits straightforward and saves critical time during incident investigation and response.

Customization is key and most whitelisting applications allow for bespoke rules and policies that adhere to each organization’s specific needs.
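An added Python example (not the article’s own code) of the mechanism the two whitelisting sections above describe: an allowlist built by hashing a constructed “golden image”, a default-deny execution decision, an inventory view for audits, and a lint that flags the tempting shortcut of allowing a whole user-writable path. Paths, byte contents and the lint rule are assumptions made for this example; real products such as Windows AppLocker or WDAC add publisher rules and script/DLL control on top of the hash rules shown here.

```python
"""Hash-based application allowlisting, plus the policy lint a practitioner wants
before trusting a path rule.

The "binaries" are constructed byte strings and the paths are invented for this
example.
"""
import hashlib
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Tuple

USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")


@dataclass
class ExecRequest:
    path: str
    content: bytes   # file bytes as read at execution time, not at install time
    user: str


@dataclass
class Policy:
    hashes: Dict[str, str] = field(default_factory=dict)  # sha256 -> approved path
    path_globs: List[str] = field(default_factory=list)   # case-insensitive glob rules


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(golden_image: Dict[str, bytes]) -> Policy:
    """The front-loaded step: hash every approved binary from a clean reference install."""
    return Policy(hashes={sha256(content): path for path, content in golden_image.items()})


def with_path_rule(policy: Policy, glob: str) -> Policy:
    """Return a copy of the policy with an extra path rule (the tempting shortcut)."""
    return Policy(dict(policy.hashes), policy.path_globs + [glob])


def decide(policy: Policy, req: ExecRequest) -> Tuple[str, str]:
    """Default deny: unknown code is blocked whether or not anyone has a signature for it."""
    digest = sha256(req.content)
    if digest in policy.hashes:
        return "allow", f"hash matches approved binary {policy.hashes[digest]}"
    for glob in policy.path_globs:
        if fnmatch(req.path.lower(), glob.lower()):
            return "allow", f"path rule {glob}"
    return "block", f"not on allowlist (sha256 {digest[:12]}...)"


def lint(policy: Policy) -> List[str]:
    """Path rules under user-writable directories let anyone who can write there run code."""
    return [g for g in policy.path_globs
            if g.lower().startswith(USER_WRITABLE) or g.startswith("*")]


def inventory(policy: Policy) -> List[Tuple[str, str]]:
    """The audit view: every approved path with its hash, sorted so two audits can be diffed."""
    return sorted((path, digest) for digest, path in policy.hashes.items())


# Constructed golden image: the approved install set captured during rollout.
AGENT_PATH = "C:\\Program Files\\Contoso\\agent.exe"
GOLDEN_IMAGE = {
    AGENT_PATH: b"CONTOSO-AGENT build 3.2.1 " + b"\x00" * 32,
    "C:\\Windows\\System32\\notepad.exe": b"NOTEPAD reference build " + b"\x00" * 32,
}
POLICY = build_allowlist(GOLDEN_IMAGE)

# Three execution attempts: the approved agent, the same path with altered bytes,
# and a never-before-seen binary dropped into the user's Temp folder.
APPROVED = ExecRequest(AGENT_PATH, GOLDEN_IMAGE[AGENT_PATH], "svc-agent")
TROJANIZED = ExecRequest(AGENT_PATH, GOLDEN_IMAGE[AGENT_PATH] + b"\x90", "svc-agent")
UNKNOWN = ExecRequest("C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe",
                      b"never-before-seen dropper " + b"\x00" * 32, "jdoe")
TEMP_GLOB = "C:\\Users\\*\\AppData\\Local\\Temp\\*"

if __name__ == "__main__":
    for label, req in (("approved", APPROVED), ("trojanized", TROJANIZED), ("unknown", UNKNOWN)):
        print(f"{label:>10}: {decide(POLICY, req)}")
    shortcut = with_path_rule(POLICY, TEMP_GLOB)
    print("unknown under shortcut policy:", decide(shortcut, UNKNOWN))
    print("lint findings:", lint(shortcut))
    for path, digest in inventory(POLICY):
        print(f"{digest[:16]}  {path}")
```

The trojanized agent is blocked even though its path and name are the approved ones, because the decision is made on the bytes as they are at execution time; the unknown dropper is blocked with no signature involved. Adding the Temp path rule makes the dropper runnable again, and the lint flags that rule for exactly that reason.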

Mobile device management

Mobile device management is one of the newer cybersecurity layers and has become increasingly important regardless of an organization’s mobile device policies. Phones and tablets are among the easiest attack vectors to exploit: they leave the building, join untrusted networks, and get lost. MDM ensures they adhere to mandated security policies by enforcing encryption and password requirements and protecting sensitive data if a device is lost or stolen.

MDM applications provide protection in a number of ways. They promote data containerization that separates corporate and personal data and enforce multi-factor authentication (MFA) to provide an additional layer of cybersecurity beyond passwords.

MDM solutions also provide application management, controlling which apps are allowed on mobile devices. They can install or uninstall apps, lock or wipe a device remotely, and sandbox corporate apps to prevent data spillage and leakage.

Asset management is a key factor in business operations. MDM provides visibility into all mobile devices on a network that helps with tracking, inventory management, and compliance with security and licensing policies.

MDM provides multiple types of restrictions and policy enforcement related to how mobile devices are used, function, access and share data, and interact with the network. This is key when it comes to adhering to company and compliance regulations. They can push software updates that ensure up-to-date security which reduces vulnerabilities.

Personal defense in depth cybersecurity

The concept of defense in depth cybersecurity isn’t just a business and commercial concept. It extends to personal use as well. Some of the methods here don’t apply to home networking, but some are critical.

Security awareness, a properly configured firewall (the one built into the operating system and the home router is a good start), and anti-virus and anti-malware installs are some of the primary ways everyday users can protect themselves against the threats on the internet. Keeping devices updated and turning on multi-factor authentication for important accounts belong on that list too.

Conclusion

Your cybersecurity strategy should always be evolving; the threats certainly are. Defense in depth is a multi-faceted approach, with multiple layers that each provide a distinct type of protection.

From individual endpoints to the network overall, ensuring you have controls in place at every level goes a long way toward securing data and systems.