What do an ancient military tactic and cybersecurity have in common? The notion of a defense in depth strategy. We’ll shed some light on the topic in this article, so continue reading to find out how you can use it to the benefit of your company.
Defense in Depth Strategy – An Overview
As my colleague Alina said in one of her articles,
Defense in depth (DiD) is a cybersecurity concept in which a series of security protocols and controls are layered throughout an IT network to preserve its integrity and privacy. The purpose of defense in depth cybersecurity is to protect against a wide variety of threats while integrating redundancy in the case of one system failing or becoming vulnerable to exploits. […] The notion of defense in depth cybersecurity originates from the ancient military strategy of the same name, which was famously used by Carthaginian general Hannibal Barca and the Late Roman army. The main gist of this battle tactic was to slow down the advance of an attack instead of focusing all available manpower in one strong line of defense.
The main layers of a defense in depth cybersecurity approach are control layers (physical, technical, administrative) and security layers (data protection, access security, system monitoring, endpoint protection, network protection).
According to Homeland Security, a good defence in depth strategy should include various elements that can benefit companies from many industries:
- Risk management is important because understanding what may happen, which threats lurk in cyberspace and how they can affect your business allows you to stay one step ahead of them.
- The cybersecurity architecture of your company should respect the basic standards, recommendations and policies and be proactive by having procedures in place in case attacks occur.
- Physical security is, of course, equally important in keeping your employees, customers and systems safe and intruders out. You should consider facility access control, multifactor authentication for physical access and visitor procedures.
- Network architecture can help create a strong layer of defense, “offering the administrators more opportunities for information and resource control, as well as introducing cascading countermeasures […]”.
- When talking about network perimeter security, we’re interested in firewall solutions, access and authentication control, and BYOD.
- A secure network also requires host security, because your employees may connect to the network from outside its trusted boundaries.
- As Homeland Security notes, “monitoring and detection capabilities are essential to the Defense-in-Depth concept of protecting critical assets. […] The concept of Defense in Depth says a system must detect and alert an organization of an intrusion early on so they can take defensive action before critical assets are breached.”
- Vendor management should be an important part of any defence in depth strategy. Pay extra attention to supply chain management, outsourcing and cloud services.
- No cybersecurity strategy should fail to consider the risks that the human element poses: “Large and complex systems are susceptible to mistakes made by inexperienced or untrained personnel, as well as the activities of malicious insider threats.” You need policies, procedures, training and awareness.
Heimdal™ Security can also help you with many aspects of the defense in depth strategy, due to the nature of our product suite, since we offer:
Email communications are the first entry point into an organization’s systems. MailSentry is the next-level mail protection system which secures all your incoming and outgoing communications.
- Deep content scanning for attachments and links;
- Phishing, spear phishing and man-in-the-email attacks;
- Advanced spam filters which protect against sophisticated attacks;
- Fraud prevention system against Business Email Compromise (BEC);
Defense in Depth Strategy – “Limitations”
For some, the defense in depth strategy has limitations or is considered inadequate for cybersecurity, since the online medium is so different from the real world for which this strategy was originally created:
Defense in Depth was developed to defend a kinetic or real-world military or strategic assets by creating layers of defense that compel the attacker to expend a large amount of resources while straining supply lines. The tactical goal is to delay and render the enemy attack unsustainable. This strategy results in leaving the attacker vulnerable to counter-attack. The defender is then able to counter-attack the enemy and eliminate the threat. […]
What is practised in the civilian sectors cannot be called Defense in Depth because the civilian sector can never fulfil the original intent of the strategy and counter attack to destroy the enemy.
For one, a Counter-attack would not be legal and secondly, the ethics of a counter-attack would be questionable at best. Thirdly, at the minimum, counter-attacking would not be cost-effective or practical for those practising Cyber-Defense with their existing challenges and strained resources. A counter-attack from the public sector would not have a return on investment, would likely result in an escalation of the attack and increase costs with little to no measurable benefit for the effort. […]
Prescott Small adds that defense in depth is appropriate for the real world because the rules of physics apply there and nobody can walk through solid barriers, unlike what happens online: “In the cyber-world nothing is real; it is all a sea of 1’s and 0’s performing tasks on real-world hardware. The Cyber-World has rules in place but those rules aren’t laws that are demonstrated in the physical world; that is what is exploited. The Cyber-World is rife with anomalies, bugs, gaps and holes that allow an attacker to disguise traffic or even make the traffic invisible; simply passing straight through People, Process and Technology. In the Cyber-World activities and actions can be taken that in the kinetic world would be physically impossible […].”
I believe that the supporters of this theory look at defence in depth cybersecurity from the wrong angle. Nobody said that the virtual and real worlds are or should be completely similar and that what works in one of them can also be applied to the other one from A to Z.
In our opinion, prevention is the only reasonable counter-attack that a possible victim of a cyber attack can have against malicious actors. The point is not to strike attackers back, but to be as protected as possible and to do everything that is up to you to make sure that you don’t become a victim in the first place.
For this reason, a good defense in depth strategy (a concept that is only borrowed from the kinetic world) and its layered security really is the key to outstanding cybersecurity.
Defense in Depth Strategy – Recommendations
How can the defense in depth strategy be improved for better cybersecurity?
- IT security professionals can share attack-related information.
- Cooperate with federal authorities, because they can only work with what they know.
- IT security professionals and their clients must “learn to live in a persistent state of Sustained Cyber-Siege and manage risks as continuous and evolving”.
- Focus on making it harder to get data out of a network than to get into it.
- Understand the cybercriminals’ mindset and increase their level of effort and costs.
Defense in Depth Strategy – Wrapping Up
Adopting a defense in depth strategy will greatly enhance the cybersecurity of any company due to its proactive nature.
Whatever you choose for protecting yours, please remember that Heimdal™ Security always has your back and also that our team is here to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.
Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!