Defense in depth is a cyber security strategy that uses a series of layered, redundant defensive measures to protect sensitive data, personally identifiable information (PII) and information technology assets.
If one security control fails, the next security layer thwarts the potential cyber attack. This multi-layered approach reduces the cyber threat of a particular vulnerability exploit being successful, improving the security of the system as a whole and greatly reducing cybersecurity risk.
Simplicity in security is the opposing principle to defense in depth. It operates under the assumption that multiple security measures increases complexity and leads to gaps attackers can leverage.
Data centers, the Internet of Things (IoT) and remote working are all great examples of things that can increase organizational productivity and employee happiness that introduce security risks.
Organizations need to balance productivity and simple security solutions with defense in depth.
Table of Contents
- Where does defense in depth come from?
- How does defense in depth work?
- What are the elements of defense in depth?
- An overlooked part of defense in depth
- How UpGuard can improve your defense in depth strategy
Where Does Defense in Depth Come From?
Defense in depth comes from the National Security Agency (NSA). It was conceived as a comprehensive approach to information security and cyber security. The term was inspired by a military strategy with the same name.
In practice, the military strategy and the information assurance strategy differ.
Defense in depth as a military strategy revolves around having a weaker perimeter defense and intentionally yielding space to buy time to build a counter-attack.
As a cyber security strategy, defense in depth involves parallel systems of physical, technical and administrative countermeasures that work together but do not intentionally cede control to an attacker. A honeypot is akin to the military version of defense in depth.
Many people refer to defense in depth as the castle approach as it mimics the layering of defenses used by medieval castles. Before attackers could get to the castle, they had to beat the moat, ramparts, drawbridge, towers and battlements.
How Does Defense in Depth Work?
The most important thing to understand about defense in depth is that a potential attack should be stopped by several independent methods. This means security solutions must address security vulnerabilities over the life cycle of the system, rather than at one point in time.
The increasing sophistication of cyber attacks means organizations can no longer rely on one security product to protect them.
Security professionals need to apply defense in depth across all IT systems. From employee laptops needing protection from Wi-Fi based man-in-the-middle attacks to domain hijacking prevention with DNSSEC.
There is no one layer of security that protects against all cyber threats. Cybercriminals are becoming increasingly sophisticated in their attacks and organizations need to respond by improving their defense in depth.
Poor access control, phishing, email spoofing, ransomware, data breaches, data leaks, typosquatting and different types of malware can all be used in combination to attack your organization. The daily growth of CVE highlights how vulnerable every organization is.
Organizations need multiple security layers including firewalls, antimalware and antivirus software, intrusion detection systems, data encryption, physical controls and security awareness training to reduce the range of possible attack vectors.
What are the Elements of Defense in Depth?
There are three core parts of any defense in depth strategy namely:
- Physical controls: Security measures that prevent physical access to IT systems such as security guards, keycards and locked doors.
- Technical controls: Security measures that protect network security and other IT resources using hardware and software, such as intrusion protection systems, web application firewalls, configuration management, web scanners, two-factor authentication, biometrics, timed access, password managers, virtual private networks, at rest encryption, hashing and encrypted backups.
- Administrative controls: Security measures consisting of policies and procedures directed at an organization's employees and their vendors. Examples include information security policies, vendor risk management, third-party risk management frameworks, cyber security risk assessments and information risk management strategies.
Together physical, technical and administrative controls make up a basic defense in depth strategy. Additionally, many security professionals use security tools that continuously monitor them and their vendors for potential holes in their security defenses.
An Overlooked Part of Defense in Depth
Every organization wants to protect theirs and their customers sensitive data from data breaches and data leaks. However, many organizations fail to successfully manage third-party risk and fourth-party risk.
It's no longer enough to simply ensure your organization is secure. Many big data breaches are caused by third-party vendors. If you are outsourcing business functions or storing sensitive information on cloud providers, you need to think through how you are managing your vendors.
Your defense in depth strategy needs to look beyond the perimeter of your organization and properly vet third and even fourth-party vendors (the vendors of your vendors) to understand who has access to sensitive data and how good their cyber security is.
The 2013 Target data breach, which began at an air conditioning subcontractor, is a well known example, but the danger of third-party vendor risk has only increased. More third party breaches are being discovered than ever before. The discipline of third-party risk management (or TPRM) has evolved to help manage this new type of risk exposure.
How UpGuard Can Improve Your Defense in Depth Strategy
UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.