Let’s for a moment rewind back in time and put ourselves in a hypothetical situation. Let’s say you’re a 15th-century king or queen looking to defend your castle from an enemy attack. What will your strategy look like? Most likely, soldiers and horses on your castle’s perimeter, followed by a hard-to-penetrate door, men with weapons on your castle’s elevated areas, some of your best men guarding the doors to push the enemies away, and a backup plan when things go awry. You will choose such a layered security approach hoping that one of these strategies would thwart or weaken the enemy onslaught. Well, the same can be extended to today’s fight against cyberattacks, where a multi-layered approach can prevent malicious codes and hackers from gaining entry into your network and resources. This strategy is called defense-in-depth or DiD.
What is a defense-in-depth (DiD) approach?
A defense-in-depth (DiD) is a cybersecurity strategy where multiple layers of defense control are implemented across the entire infrastructure to prevent hackers from gaining access to your resources.
This approach comprises multiple security layers in the hope that one of them can prevent the hacker from entering your system and provide redundancy even if one of the layers fails. This is a huge advantage, especially when you are dealing with sophisticated hacking strategies.
Further, the impact of the attack weakens with every layer, so even in a worst-case scenario where the attacker passes through every layer, the effect can be minimal.
Defense-in-depth (DiD) architecture
The architecture of DiD is broadly divided into three aspects or layers, and they are:
The physical layer includes the different physical elements kept in place to prevent intruders. These include security guards, CCTV surveillance cameras, locked doors, biometric verification systems, fences, dogs, and more.
The administrative layer includes all the policies, procedures, audits, standards, and guidance that reduce the chances of an attack. A good example is an organization’s password policy that determines the length and difficulty of the password, frequency of change, multifactor authentication, employee actions, regular training, and more.
This layer includes all the hardware and software resources used to thwart or mitigate a cyberattack.
Some examples of technical layer components are:
- Antivirus software
- Password protection tools
- Vulnerability scanners
- Monitoring tools
- Network segmentation
- Intrusion detection systems
- Auditing tools
- Deep packet inspection tools
- Endpoint detection and response software
- Anti-malware tools
- Data integrity checking tools
- Behavioral analysis tools
- Patch management tools
All these three layers are essential for DiD. In fact, hackers find it difficult to attack systems when you have more layers spanning across these three broad areas.
That said, keep in mind that more layers mean more upfront and maintenance costs. So, choose the appropriate tools and decide on the number of layers you need to balance your budget and security needs.
Are there any drawbacks to DiD?
So far, we discussed the benefits of DiD and how it’s implemented. Are there any drawbacks to it?
Unfortunately, nothing is perfect, so here are things to consider while deciding on your DiD strategy.
False sense of security
DiD’s many security layers tend to make organizations complacent by giving them a false sense of security. As a result, organizations may stop investing in new technologies, and before long, the existing DiD can become outdated and ineffective.
Since many layers are involved, identifying problems and debugging issues across these layers will be difficult.
Further, certain gaps can emanate between these layers, especially when they are not implemented well or have not been updated in a while. Hackers can leverage these gaps easily.
DiD implementations are expensive to implement and maintain, and can be out of reach for many small and medium businesses. Even for large enterprises, it can consume a significant part of IT budgets, thereby constraining other areas of operation.
Thus, these are some of the prominent drawbacks of DiD to consider before deciding on its adoption.
Should you implement DiD?
Now that you understand the pros and cons of DiD, should you implement it?
The simple answer — it depends on your organization’s needs.
Use DiD when you want to:
- Avoid denial-of-service (DoS) attacks.
- Ensure integrity for data transmitted through the network.
- Protect your computing environment.
- Have to meet mandatory compliance.
- Defend the boundaries of your network.
- Operate efficiently in sensitive industries such as the financial sector that are susceptible to attacks.
On the other hand, DiD may not be useful if you’re:
- Grappling with limited budgets.
- Deploying advanced technologies such as encryption as a part of your application stack.
- A business that doesn’t have user actions across multiple levels.
These lists are not exhaustive but just to give you an idea of how you can decide on DiD implementation for your organization.
Use cases of defense-in-depth
Let’s run through some use cases of defense-in-depth.
According to the CISSP Study Guide (Second Edition), a company employing about 12,000 people a year was getting about 250,000 emails per day. The majority of these emails were malicious and contained anything from spam to viruses and trojans. Further, the attackers were using different techniques to infiltrate the company’s network.
The organization deployed a defense-in-depth strategy to thwart these threats. It set up UNIX mail servers with auto-updating antivirus and antimalware to filter incoming emails and send the “clean” ones to an internal Microsoft Exchange mail server with advanced antivirus software. After this filtering, the mail was sent to the client desktops that had another antivirus software.
In all, every email went through four rounds of antivirus software. Still, a few emails seeped through all the four antivirus software, so the organization implemented intrusion detection systems and incident handling practices to identify and clean the infected emails.
All these measures together eliminated the malware threat.
The Center for Internet Security came up with an elaborate plan to secure election offices with DiD.
Accordingly, election offices installed security cameras and locks to protect the election equipment and other related infrastructure. The technical layer included cloud security options, cryptography, multifactor authentication, patch management, endpoint protection, antimalware software, and more.
Besides these, election offices followed an established set of practices for hiring qualified personnel and providing appropriate training as needed. Also, these offices created a disaster recovery plan along with a list of possible attacks and actions to mitigate them.
As you can see, both the above use-cases implement the different layers of DiD that are customized to meet their specific needs.
Final thoughts on DiDs
In all, DiD’s multiple layers undoubtedly protect your systems and resources from cyberattacks, but they also come with certain drawbacks such as costs and operational difficulties. Understanding the advantages and disadvantages of DiD in the context of your organization’s goals and operations is the key to a sound decision.
So, will you choose a defense-in-depth strategy for your organization? Why, and why not?
Please share your thoughts with us.
Featured image: Shutterstock