Defense-in-Depth: Applying Multiple Layers of Security for Protecting Business Assets
As a former U.S. Marine, I can remember many sleepless nights and early morning exercises practicing with our unit to establish our defense position(s), and fortify our camp-site perimeter against the enemy. While going through the exercise I can also remember knowing that the enemy we were “guarding” against was another Marine-unit just like our own, who was very prepared for what we were about to throw against them. However, no matter how well prepared they were for defenses, the more “layers” of it we established, the slower their assault became…..thus leading to us being able to apply a remarkable defense of our position.
One thing that remains a constant for security practitioners around the globe is that today’s threats are ever-evolving and persistent. In addition to this, security engineers also have to face threats originating from multiple places, in multiple forms, and with a wide variety of targets. Protecting your business assets has quickly surpassed the days of simply updating your anti-virus or installing patches. Defense-In-Depth strategy by definition is providing multiple layers of protection for multiple threats. With it, each layer of protection is designed to address a specific type of threat and if one security measure is bypassed or fails, the next layer steps in to defend the system.
Deploying multiple security measures to an existing infrastructure takes a great deal of planning, resources, and often financial commitment. However, if taken in steps any organization can layer their security and improve their overall security posture without much financial impact or the need for high-impact/ high-cost solutions.
Step One – Security Starts with Personnel
Security must start with the employees. End-users are the backbone of security to an enterprise environment and must be involved with, and informed about security practices and policies. Properly training and understanding of employees role in relation to security can be very effective. Develop Acceptable Use Policies that formally assign security responsibilities. Communicate policies for notification when a user observes improper behavior or receives suspicious emails. Awareness in your user base can improve understanding of the importance of security and be effective in early response to potential malicious activity.
Step Two – File it Away
An often overlooked aspect of security is actually built-into every operating system utilized in today’s business world. File-level protection can be managed and proven valuable (especially for smaller budgets) in protecting critical business information. Apply appropriate permissions to protect confidentiality and integrity with role-based access considerations. Log access to files and monitor users to ensure permissions are effective. Implement appropriate backup and recovery capabilities.
Step(s) Three & Four – Do We Have a Patch for that Virus?
I like to pair these two separate security measures together because in some ways they become dependent on one another. While an anti-virus solution protects against unwanted bugs from penetrating our networks, it requires periodic updates to protect against the latest threat. The same can be said about many of the applications running on our business networks. Failure to properly patch applications can lead to the same disastrous consequences as failing to update your anti-virus. The first step is developing a patch management process and metric that drives timelines for patching security risks. The process should also address patches by priority and severity. As always patches should be tested before implementation to reduce risks of impacting system availability.
Step Five – Fire on the Perimeter
Many harmful incidents can be prevented at the perimeter of our networks. I cannot tell you how many times my colleagues and I have performed an incident review or security-breach analysis only to find that the incident could have been prevented if the firewalls in place had been properly patched and/or configured. Firewall rules should deny by default and permit by exception. Performing periodic review of your network perimeter devices and rules on a yearly basis is a practice that pays dividends. Additionally, on a regular basis validate network device configurations to ensure they have not drifted from the directives specified by your configuration standards.
Step Six – What Size Monitor is that?
Our final step in implementing easy (yet successful) defense-in-depth solutions is monitoring. Almost everything that infects, corrupts or breaches our security can be detected if proper monitoring is being practiced. Whether it is a manual review of system log files or obtaining services from a low-cost Managed Security Service Provider (MSSP), such as Praetorian Secure (insert small company plug), 24/7 protection can be gained and detection of threats can be real-time.
As you can see, development of a Defense-in-Depth strategy doesn’t have to be an overwhelming task with an astronomical budget. When done carefully and correctly, many organizations can implement a layered defense quickly and affordably. Some of the best implementations of Defense-In-Depth strategy are based on routine risk evaluation and prioritizing layered defenses to impact risk reduction.
I have realized many parallels between the cybersecurity “Defense-in-Depth” approach, and that of the “layered-defenses” implemented by my military brethren. Now, as CEO of Praetorian Secure, I am faced with many sleepless nights and early morning exercises thinking of new and creative ways to protect some of our customer’s most sensitive assets. While our counterparts trying to attack from the outside are no longer “friendly”, the majority of them are highly-skilled and “very prepared for what we are about to throw against them.” Now, if we slow them down enough with multiple layers of security, what a “remarkable defense of our position” we will have.