What is Defense in Depth in Cybersecurity
Defense in Depth is a Respected Cybersecurity Strategy. Learn What It Consists of.
Defense in depth is a cybersecurity strategy that uses a variety of security measures to defend an information technology (IT) infrastructure. The purpose of a defense in depth strategy is to protect against a wide range of threats while integrating redundancy in the case of one system failing or becoming vulnerable to exploits.
The Origins of the Defense in Depth Model
The notion of defense in depth originates from the ancient military strategy of the same name, which was famously used by Carthaginian general Hannibal Barca and the Late Roman army. The main gist of this battle tactic was to slow down the advance of an attack instead of focusing all available manpower in one strong line of defense. This is more or less how the information security practice works as well.
The Two Architectural Approaches to Defense-in-Depth
In cybersecurity, defense in depth functions on a layered architecture that is divided into two main categories, namely control layers and security layers.
In terms of control layers, there are:
- physical controls,
- technical controls,
- and administrative controls.
Concerning the category of security layers, five subcategories exist:
- data protection,
- access measures,
- system monitoring,
- endpoint protection,
- and network protection.
You can read here a more in-depth article about the defense in depth layers.
The Elements of a Modern Defense-in-Depth Cybersecurity Strategy
In this section, I will go over the main elements that go into the concept of DiD. Integrating more than one of the following components into your organization’s IT environment represents an instance of defense in depth cybersecurity.
Antivirus software is the cornerstone of a holistic defense in depth cybersecurity strategy due to its ability to not only prevent but also detect and remove malware. While initially designed to combat computer viruses only (hence its name), nowadays an antivirus is a jack of all trades, defending users from Trojans, worms, spyware, adware, and other common examples of malicious code.
A firewall is another essential piece of a successful approach to defense in depth that goes hand in hand with antivirus software nowadays. A firewall monitors both incoming and outgoing network traffic, detecting malicious activity according to a predetermined set of rules.
You might by now be wondering why I chose to mention both these elements under one section. The reason for this is simple: today’s next-generation antivirus (NGAV) software, such as our Heimdal™ Next-Gen Endpoint Antivirus, usually integrates both. Using an NGAV eliminates the need for separate traditional antivirus and firewall modules, combining the benefits of the two and more under one convenient roof for better endpoint protection.
Intrusion Prevention System
An intrusion prevention system (IPS) is a security component that monitors network traffic, preventing and detecting malicious activity. It sits directly behind the firewall and creates an additional layer of security that catches any threats that the initial barrier might have missed.
As opposed to a simple intrusion detection system (IDS), the IPS does more than just set off alarms when threats are spotted. It can also block traffic from the source, reset the connection, and drop the malicious packets. For this reason, it is also known as an intrusion detection and prevention system (IDPS).
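The firewall and IPS paragraphs above describe two layers evaluated in order: header-based rules first, then payload inspection with an active response. The following is an added example written for this article, not code from Heimdal or any product it mentions; the packet records, rule set and signature patterns are constructed for illustration, and the "drop" and "reset" actions are returned as decisions rather than applied to a real socket.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet record: enough of the 5-tuple plus payload for rule matching.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""

# A firewall rule matches on header fields only; None means "any".
@dataclass(frozen=True)
class FirewallRule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_prefix: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src_prefix is not None and not pkt.src.startswith(self.src_prefix):
            return False
        return True

# Constructed rule set, evaluated first-match; anything unmatched hits the default deny.
FIREWALL_RULES = [
    FirewallRule("deny", src_prefix="203.0.113."),   # constructed blocked source range
    FirewallRule("allow", proto="tcp", dport=443),
    FirewallRule("allow", proto="tcp", dport=80),
]

def firewall_decision(pkt: Packet, rules=FIREWALL_RULES, default="deny") -> str:
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed IPS signatures: (name, byte pattern, action). An IDS would only alert;
# the action is what makes this an IPS (drop the packet or reset the connection).
IPS_SIGNATURES = [
    ("path-traversal-attempt", b"../../", "drop"),
    ("shell-metachar-in-request", b"; cat ", "reset"),
]

def ips_decision(pkt: Packet, signatures=IPS_SIGNATURES):
    for name, pattern, action in signatures:
        if pattern in pkt.payload:
            return action, name
    return "pass", None

def process(pkt: Packet) -> dict:
    """Run the two layers in order: header rules first, then payload inspection."""
    fw = firewall_decision(pkt)
    if fw == "deny":
        return {"layer": "firewall", "action": "deny", "signature": None}
    action, sig = ips_decision(pkt)
    return {"layer": "ips" if sig else "none", "action": action, "signature": sig}

if __name__ == "__main__":
    for pkt in [
        Packet("203.0.113.7", "10.0.0.5", 443, "tcp"),
        Packet("198.51.100.9", "10.0.0.5", 80, "tcp", b"GET /../../conf HTTP/1.1"),
        Packet("198.51.100.9", "10.0.0.5", 443, "tcp", b"GET /index.html HTTP/1.1"),
    ]:
        print(pkt.src, pkt.dport, process(pkt))
```

The point of the layering is visible in the third packet: it passes the firewall on port 443 and is only examined by the IPS because the first barrier let it through, which is exactly the "catches what the initial barrier missed" role the text assigns to the IPS.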
A practical example of how this works is our Heimdal Threat Prevention Network cybersecurity solution, specifically the Network module. Heimdal™ Threat Prevention filters online network perimeter traffic at the level of the DNS, preventing, detecting, and responding to incoming cyber-threats promptly.
What is more, the module tracks the history of threats that were previously unidentified but have since become identified. This is critical in detecting and preventing traffic-sniffing attacks. In addition, Heimdal Threat Prevention keeps the network perimeter safe when employees bring in their personal devices, as permitted by the office BYOD policy.
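To make the two ideas in the previous paragraphs concrete, DNS-level filtering and keeping a history so that newly identified indicators can be applied to past queries, here is an added example written for this article. It is not Heimdal code and does not describe how Threat Prevention is built; the domain names, client addresses and the `upstream` resolver stub are constructed, and a real deployment would sit in front of an actual resolver.

```python
from collections import namedtuple

# One log entry per resolved query, kept so indicators learned later can be applied to history.
Query = namedtuple("Query", "client qname answer")

def normalize(qname: str) -> str:
    return qname.rstrip(".").lower()

def suffixes(name: str):
    """'a.b.example' -> ['a.b.example', 'b.example', 'example'], so a block entry
    covers every subdomain beneath it."""
    parts = name.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]

class DnsFilter:
    def __init__(self, blocklist, allowlist=(), sinkhole="0.0.0.0"):
        self.blocklist = {normalize(d) for d in blocklist}
        self.allowlist = {normalize(d) for d in allowlist}
        self.sinkhole = sinkhole   # answer handed back instead of the real address
        self.history = []

    def _listed(self, name, listing):
        return any(s in listing for s in suffixes(name))

    def verdict(self, qname):
        name = normalize(qname)
        if self._listed(name, self.allowlist):
            return "allow"          # an explicit allow entry wins over a broader block entry
        if self._listed(name, self.blocklist):
            return "block"
        return "allow"

    def resolve(self, client, qname, upstream):
        """upstream is a callable name -> address standing in for the real resolver."""
        name = normalize(qname)
        answer = self.sinkhole if self.verdict(name) == "block" else upstream(name)
        self.history.append(Query(client, name, answer))
        return answer

    def add_indicators(self, domains):
        """Add newly identified malicious domains and return the past queries that now match,
        i.e. the clients that reached a domain before it was known to be bad."""
        new = {normalize(d) for d in domains} - self.blocklist
        self.blocklist |= new
        return [q for q in self.history
                if q.answer != self.sinkhole and self._listed(q.qname, new)]

if __name__ == "__main__":
    f = DnsFilter(["bad.example"])
    fake_upstream = lambda name: "192.0.2.10"          # constructed answer for any name
    print(f.resolve("10.0.0.9", "later-bad.example", fake_upstream))   # allowed today
    print(f.add_indicators(["later-bad.example"]))                     # who already got there
```

The retroactive check is the part worth copying: every client returned by `add_indicators` resolved a domain that is now known to be malicious, which is the starting point for an incident response ticket rather than just a future block.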
Heimdal Threat Prevention also comes in an Endpoint module, which greatly improves the capabilities of your defense with machine-learning technology. The two modules are available both separately and concurrently, depending on what your information security needs are.
While we’re on the topic of the online network perimeter, another element of defense in depth strategy to consider integrating is network segmentation. The term refers to an IT practice that involves splitting a large network into multiple subnetworks that are focused on various business needs. For example, your company can have a network for human resources, one for the finance department, one for C-level execs, and so on.
Network segmentation can be implemented through either physical or logical methods. In the case of the former, the firewall can act as the subnetwork gateway to control incoming and outgoing traffic. The latter relies on network addressing schemes or virtual local area networks (VLAN). It is more effective than its counterpart, but also requires a lot more technical resources.
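The logical segmentation just described comes down to two things: a mapping from address space to segment, and a policy that says which segment-to-segment flows are allowed, with everything else denied at the gateway. The following is an added example for this article, not Heimdal code; the subnets, segment names and allowed flows are constructed, and the ACL lines it renders use a generic permit/deny syntax rather than any particular vendor's.

```python
import ipaddress

# Constructed segments (one subnet per business unit), as the article's HR/finance/execs example.
SEGMENTS = {
    "hr": ipaddress.ip_network("10.10.0.0/24"),
    "finance": ipaddress.ip_network("10.20.0.0/24"),
    "execs": ipaddress.ip_network("10.30.0.0/24"),
    "shared-services": ipaddress.ip_network("10.100.0.0/24"),
}

# (source segment, destination segment, destination port). Anything not listed is denied,
# except traffic that stays inside a single segment.
POLICY = {
    ("hr", "shared-services", 443),
    ("finance", "shared-services", 443),
    ("execs", "finance", 443),
}

def segment_of(ip: str):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False                 # unknown address space: fail closed
    if src == dst:
        return True
    return (src, dst, dst_port) in POLICY

def gateway_rules():
    """Render POLICY as ordered ACL lines for the gateway between segments."""
    lines = [f"permit tcp {SEGMENTS[s]} {SEGMENTS[d]} eq {port}"
             for s, d, port in sorted(POLICY)]
    lines.append("deny ip any any")  # the default that makes segmentation meaningful
    return lines

if __name__ == "__main__":
    print(is_allowed("10.10.0.5", "10.100.0.20", 443))   # hr -> shared-services: True
    print(is_allowed("10.10.0.5", "10.20.0.7", 445))     # hr -> finance: False
    print("\n".join(gateway_rules()))
```

Keeping the policy as data and generating the gateway rules from it is what lets you review segmentation as a small table of allowed flows instead of reading a long ACL, and it is also why a deny-all final line must always be present.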
Patch management is a process that first involves scanning devices to identify missing software updates and vulnerabilities. Subsequently, the procedure continues by applying said updates to software, applications, or the operating system of the machine as soon as they are deployed by the manufacturer.
Outdated applications represent a huge liability for your enterprise. According to data-driven defense evangelist Roger Grimes, unpatched software was the cause behind 20 to 40 percent of breaches in 2020. In fact, Grimes declared it the second largest threat after phishing campaigns, which sometimes exploit these very system vulnerabilities anyway.
To ensure that all security gaps are closed on time, I recommend streamlining the process with an automatic software updater such as Heimdal Patch & Asset Management.
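The scanning step of patch management, identifying which installed versions lag behind what the vendor has released, is a comparison problem that is easy to get wrong with string comparison ("1.10" sorts before "1.9" as text). Here is an added example for this article, not Heimdal code; the inventory and vendor catalog are constructed, and in practice both would be collected from agents and vendor feeds.

```python
import re

def parse_version(version: str):
    """Turn '2.4.52' or '2023.001.20093' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def is_outdated(installed: str, latest: str) -> bool:
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

# Constructed inventory, as a scanner would collect it from each machine.
INVENTORY = [
    {"host": "ws-01", "package": "browser", "version": "109.0.1"},
    {"host": "ws-01", "package": "pdf-reader", "version": "2023.001.20093"},
    {"host": "srv-02", "package": "web-server", "version": "2.4.52"},
    {"host": "srv-02", "package": "in-house-tool", "version": "0.9"},
]

# Constructed vendor catalog: latest released version and how urgent the update is.
CATALOG = {
    "browser": {"latest": "110.0.2", "severity": "critical"},
    "pdf-reader": {"latest": "2023.001.20093", "severity": "high"},
    "web-server": {"latest": "2.4.57", "severity": "high"},
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def scan(inventory=INVENTORY, catalog=CATALOG):
    """Return missing updates, most urgent first, so deployment can work through them in order."""
    findings = []
    for item in inventory:
        entry = catalog.get(item["package"])
        if entry is None:
            continue  # not in the catalog: reported separately by unmanaged()
        if is_outdated(item["version"], entry["latest"]):
            findings.append({"host": item["host"], "package": item["package"],
                             "installed": item["version"], "latest": entry["latest"],
                             "severity": entry["severity"]})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["package"]))
    return findings

def unmanaged(inventory=INVENTORY, catalog=CATALOG):
    """Software nobody tracks updates for is itself a finding."""
    return sorted({i["package"] for i in inventory if i["package"] not in catalog})

if __name__ == "__main__":
    for f in scan():
        print(f"{f['severity']:>8}  {f['host']}  {f['package']}  {f['installed']} -> {f['latest']}")
    print("unmanaged:", unmanaged())
```

The `unmanaged` list is the one that often gets forgotten: a package that is in the inventory but in no catalog never shows up as "missing an update", so it needs its own report line.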
When it comes to the concept of password security, there are four main aspects that you should consider:
- password strength,
- multi-factor authentication,
- password hashing,
- and a password manager.
But let’s take them one at a time. Password strength determines how hard a password is to guess or how well it can hold its own against a brute force attack. Strong passwords generally contain both uppercase and lowercase letters, as well as numbers and symbols. They are not tied to easily identifiable information about the users, are not shared and are not subject to other common password mistakes.
Multi-factor authentication is a verification method that allows a user to log into an account only after presenting two or more pieces of evidence. Popular steps include device confirmation, PIN codes, or biometric data such as facial recognition or fingerprint scanning. As for password hashing, it is a one-way cryptographic process that turns the credential into a scrambled version of itself that is nearly impossible to read or decipher.
Finally, in terms of password managers, everyone knows LastPass is an enterprise favorite. However, there are other options available online as well, and one of them might suit your organization better. My colleague Vladimir wrote an excellent in-depth article on the four best password managers out there, so make sure to give that a read for a detailed review of each one.
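Two of the four aspects above, password strength and password hashing, are things an application enforces in code, so here is an added example for this article (not Heimdal's code and not from any of the password managers mentioned). It checks a candidate password against the strength rules the text lists and stores it as a salted, iterated one-way hash; the common-password sample is constructed and the iteration count is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os
import string

# Constructed sample of a breached-password list; a real deployment would load a large one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

def strength_problems(password: str, user_hints=()):
    """Return the reasons a candidate password is weak (an empty list means it passes)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    for hint in user_hints:                      # username, real name, employer, etc.
        if hint and hint.lower() in password.lower():
            problems.append(f"contains user information: {hint}")
    return problems

ITERATIONS = 200_000   # assumption: tune so one hash costs a noticeable fraction of a second

def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated one-way hash; the stored string carries everything needed to verify."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))   # constant-time comparison

if __name__ == "__main__":
    print(strength_problems("Jsmith-2024-secure!", user_hints=("jsmith",)))
    stored = hash_password("correct horse battery staple 7!")
    print(stored)
    print(verify_password("correct horse battery staple 7!", stored))
```

Because the salt is random, hashing the same password twice yields two different stored strings, which is what prevents an attacker who obtains the database from recognising reused passwords across accounts; the iteration count is what makes brute force expensive, and `hmac.compare_digest` avoids leaking how many leading bytes of a guess were right.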
Privileged Access Management
Let’s first consider the principle of least privilege (POLP). An essential cybersecurity concept, it entails granting a user the minimum access rights that are necessary for them to pursue their daily activities. POLP is the foundation on which privileged access management (PAM) operates.
PAM is an information security defense strategy that relies on monitoring the accounts on a network and preventing the abuse of admin rights. It can be quite a time and resource-consuming affair, which is why tools such as our Heimdal Privileged Access Management will make your network admin’s life a lot easier.
Heimdal Privileged Access Management allows network admins to easily manage user permissions, as well as approve or deny escalation requests on the go. In addition to this, our PAM solution also provides automatic de-escalation of rights if a threat is detected in the system.
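The PAM behaviour described above (baseline rights by default, approved and time-boxed escalation, automatic de-escalation when a threat is detected) can be captured in a small broker. The following is an added example for this article and is not Heimdal's implementation; the user names, permission strings and timestamps in `walkthrough` are constructed.

```python
from datetime import datetime, timedelta

class PrivilegeBroker:
    """Grants only baseline rights by default; elevation is explicit, approved, time-boxed
    and revoked automatically when a threat is flagged for that user."""

    def __init__(self, baseline):
        self.baseline = {u: set(p) for u, p in baseline.items()}   # user -> rights always held
        self.elevations = {}       # user -> (permission, expires_at)
        self.audit = []            # append-only trail: (timestamp, event, user, detail)

    def has_permission(self, user, permission, now):
        if permission in self.baseline.get(user, set()):
            return True
        elev = self.elevations.get(user)
        return bool(elev) and elev[0] == permission and now < elev[1]

    def request_elevation(self, user, permission, justification, now,
                          approver=None, ttl=timedelta(minutes=30)):
        # Least privilege: no justification, no approver, or self-approval is a denial.
        if not justification or approver is None or approver == user:
            self.audit.append((now, "elevation-denied", user, permission))
            return False
        self.elevations[user] = (permission, now + ttl)
        self.audit.append((now, "elevation-approved", user, f"{permission} by {approver}"))
        return True

    def expire(self, now):
        """Drop elevations whose window has closed; returns the users affected."""
        expired = [u for u, (_, until) in self.elevations.items() if now >= until]
        for u in expired:
            del self.elevations[u]
            self.audit.append((now, "elevation-expired", u, ""))
        return expired

    def on_threat_detected(self, user, now, detail=""):
        """Automatic de-escalation: revoke any active elevation the moment a threat is flagged."""
        removed = self.elevations.pop(user, None)
        event = "elevation-revoked" if removed else "threat-no-elevation"
        self.audit.append((now, event, user, detail))
        return removed is not None

def walkthrough():
    """Constructed scenario: an engineer needs temporary install rights, then a threat is flagged."""
    t0 = datetime(2024, 1, 15, 9, 0)
    pam = PrivilegeBroker({"alice": {"read:reports"}})
    result = {"baseline_blocks_install": not pam.has_permission("alice", "admin:install", t0)}
    result["self_approval_denied"] = not pam.request_elevation(
        "alice", "admin:install", "hotfix", t0, approver="alice")
    pam.request_elevation("alice", "admin:install", "hotfix", t0, approver="bob")
    result["elevated_now"] = pam.has_permission("alice", "admin:install", t0 + timedelta(minutes=5))
    result["expired_later"] = not pam.has_permission("alice", "admin:install", t0 + timedelta(minutes=31))
    pam.request_elevation("alice", "admin:install", "hotfix", t0 + timedelta(hours=1), approver="bob")
    result["revoked_on_threat"] = pam.on_threat_detected(
        "alice", t0 + timedelta(hours=1, minutes=2), "malware alert on workstation")
    result["blocked_after_threat"] = not pam.has_permission(
        "alice", "admin:install", t0 + timedelta(hours=1, minutes=3))
    return result

if __name__ == "__main__":
    for check, ok in walkthrough().items():
        print(f"{check:<24} {'ok' if ok else 'FAILED'}")
```

The audit trail is as important as the decisions: every approval, denial, expiry and revocation is recorded with who approved what, which is what an investigator needs when a privileged account turns up in an incident.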
The final aspect of a complete defense in depth cybersecurity strategy is cybersecurity education in the form of Internet Security Awareness Training (ISAT). This is recommended in any enterprise setting, regardless of whether the company is large, medium, or small. It should consist of three main topics:
- how to protect sensitive company data,
- how to recognize common cyber-threats,
- and what the consequences of an attack are.
By doing so, you are adding a layer of security for your company at the employee level. Human error is still very dangerous, which is why having well-informed members of staff can help you prevent critical situations.
Defense in depth cybersecurity entails multiple elements, but a minimum of two is required for the strategy to be successful. Antivirus software, firewall, intrusion prevention systems, network segmentation, patch management, password security, privileged access management, and cybersecurity education are all part of a successful approach to your corporate security.
All the Heimdal cybersecurity solutions are built on a modular and layered structure as part of a comprehensive, modern defense-in-depth strategy.
- Next-gen Antivirus & Firewall which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Privileged Access Management and Application Control, all in one unified dashboard.
Do you practice defense in depth in your company? Which elements do you implement for it? As always, I would love to read your opinions in the comments below!