What does “Defense In Depth” mean?

The quick answer – We make layers upon layers upon layers of security around your data.  An authorized user has to pass through each layer in the correct way (protection) to access the data; or we’ll know about it (detection / monitoring) and then we’ll deny access or send an alert to an admin (respond).

————————————————————–

Defense in Depth is made up of three activities:

PROTECT         —           DETECT          —         RESPOND

Across at least three pillars:

PEOPLE           —            TECHNOLOGY        —       OPERATIONS

Defense in Depth means that we implement security like layers of a cake, or layers of an onion – You have to go through each layer of security to get to the prize.  At each layer, there are protective measures (safeguards that keep bad guys out), there are detective measures (monitoring that lets us know if things aren’t right), and there are responsive measures (like alerts that make us aware or automated actions that counteract a threat).

We practice these methodologies across the three components of an organization – People, Technology, and Operations.

  • People are our biggest challenge, because they naturally want to trust people and fix problems.  Attackers use this to their advantage with Social Engineering techniques.  Social Engineering is simply tricking people into doing something that the attacker wants them to do.
    • The BEST defense in this case is a good offense – specifically, annual user security training and regular internal social engineering exercises are a great start.
      • TRAINING:  A few hours of classroom training once a year and a ‘best practices’ cyber newsletter go a LONG way in helping people stay aware.
      • SOCIAL ENGINEERING:  Try dropping a thumb drive outside your front door before work starts and see if somebody plugs it into one of the computers on the network.   Create a fake email account and send people to a website you control… See how many people fall for it.  Social Engineering failures make GREAT teachable experiences.  Use each one to your advantage.  Don’t shame people; remind them that they just learned how to help themselves and the company in the future.  They’ll tell everyone they know and spread the word!
  • Technology –  If anyone says “install this magic box on your network and everything will be fine”, don’t believe them!  Technology is only one component of the overall strategy.  Of course there are a ton of great companies and devices out there that do amazing things (like Forthright Security!), and those are all part of a layered Defense In Depth strategy to help protect, detect, and respond to threats.   There are literally thousands of different protections that you can put into place (sometimes also referred to as ‘controls’ or ‘security controls’) and each one should contribute to ‘adequate security’.  Adequate security means that you’re not spending a dollar to protect a dime, but you’re spending no more than a dime to protect a dime.  It means not over protecting, not under protecting – Just right…. Like Goldilocks!
    • Some of the key items you really need to look at are:
      • Kill as many admin accounts as possible!  This is the #1 way an attacker walks across your network.
      • Get a good firewall (Fortinet, Cisco ASA, etc.)
      • Get a good forward and reverse web proxy (Zscaler, Bluecoat, Cisco, etc.)
      • If the proxy device doesn’t do it, get a web application firewall (Imperva, F5, Citrix, Barracuda).  70% of attacks are against a company’s outward facing web applications.  Attackers will send exploits against your application and they’ll go right through the firewall because it’s legitimate traffic.  Web application firewalls can sniff out a rat, and they block traffic that doesn’t meet approved and standardized traffic requirements.
      • Outsource your Cyber monitoring (Forthright Security MSSP service)
        • Honeypot files to spot malicious insiders and unusual behavior (like netflow &
        • Baseline normal vs. abnormal.  This is very difficult to do inside your own organization because things happen and are accepted incrementally as normal.
        • Implement Network based and Host based IDS/IPS
        • Capture logs for historical & forensics use.  Prevents attackers from erasing the evidence.
      • Patch your systems.  Unpatched systems are a HUGE open door for attackers to walk through.
      • Use reputation based outsourced email services, or get an email appliance (like Proofpoint, Cisco, Microsoft, or Symantec).  The take away here is to eliminate viruses and unsafe email that are meant to socially engineer your users into doing bad things.
      • Host Isolation – EVERYTHING should be on its own private VLAN if possible, and every host should only be allowed to talk to the services/systems it needs to do its job.  DENY BY DEFAULT instead of allow by default.  An attacker can’t walk across your network if he has to go through a hardened and monitored interface each time…  This makes attacking harder and detection easier!
      • Multi-Factor Authentication.  This means using at least two of the three ways to identify yourself – something you have (phone, USB Key, smart card, token, etc.), something you know (Username/password, pin number, code generator, etc.), or something you are (biometrics, like retina scan, fingerprint, voice, cognitive puzzle, etc.).  It’s easy to install a key logger to obtain a username/password, and no one will know the difference… But it is MUCH more difficult to obtain TWO forms of identity.  Some of the best examples of this technology are the Facebook code generator, Google’s text code after username/password login, and DoD’s PKI smart card.
      • Then Everything else – Permissions, logs, auditing, group policies, security hardening of the OS & network, enforcing logon hours, user rights assignments, password policies, antivirus, anti-malware, etc.
  • Operations – The operations element of the strategy focuses on all activities required to sustain an organization’s security posture on a day-to-day basis.  This one is really specific to the organization.  Many operational items include physical security (gates, guards, guns, etc.); however, operations security also includes Operational Security (OPSEC) programs designed to look at an organization as an adversary sees it in order to expose, identify, and fix any weaknesses discovered.
    • OPSEC programs cover security programs, social media use, telecommunications use, operational procedures, company culture, inbrief/debrief, identification and enforcement of standards, readiness reviews, compliance mandates, and many, many other facets of operational security.
    • Operational security programs are designed to keep the company viable, prevent competitors or bad actors from obtaining company secrets, keep people safe, comply with the law, and stay adaptable to address any new challenges that impede on the priorities above.
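As an added example (not code from the original post or from Forthright Security), here is a small Python check for the host isolation and monitoring points above: a constructed deny-by-default allow list for a hypothetical network, evaluated over constructed netflow-style records, which denies every flow the policy doesn’t list (protect) and flags a host that fans out to several peers it has no business reaching (detect).

```python
"""Deny-by-default host isolation check over constructed netflow-style records.

Each host may reach only the services it needs (protect); flows outside the
policy are reported and a host fanning out to several forbidden peers is flagged (detect).
"""
import ipaddress

# Constructed allow list for a hypothetical network: src host -> {(dst network, dst port)}.
# Anything not listed here is denied.
POLICY = {
    "10.0.1.10": {("10.0.2.20/32", 443), ("10.0.2.30/32", 53)},   # workstation -> proxy, DNS
    "10.0.1.11": {("10.0.2.20/32", 443), ("10.0.2.30/32", 53)},   # workstation -> proxy, DNS
    "10.0.2.20": {("0.0.0.0/0", 443), ("0.0.0.0/0", 80), ("10.0.2.30/32", 53)},  # proxy -> Internet
}

# Constructed flow records, "src,dst,dport,bytes", as a collector might export them.
FLOWS = """\
10.0.1.10,10.0.2.20,443,5120
10.0.1.10,10.0.2.30,53,96
10.0.1.11,10.0.2.20,443,2048
10.0.1.11,10.0.1.10,445,730
10.0.1.11,10.0.1.12,445,730
10.0.1.11,10.0.1.13,3389,1200
10.0.2.20,203.0.113.5,443,80000
"""

def parse_flows(text):
    """Turn the CSV export into (src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, nbytes = line.split(",")
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows

def is_allowed(src, dst, dport):
    """Deny by default: allowed only if the policy lists this destination/port for the source."""
    for net, port in POLICY.get(src, ()):
        if port == dport and ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return True
    return False

def audit(flows, fanout_threshold=3):
    """Return (denied flows, sources that reached >= fanout_threshold forbidden peers)."""
    denied = [f for f in flows if not is_allowed(f[0], f[1], f[2])]
    peers = {}
    for src, dst, _, _ in denied:
        peers.setdefault(src, set()).add(dst)
    suspects = sorted(s for s, d in peers.items() if len(d) >= fanout_threshold)
    return denied, suspects
```

Running `audit(parse_flows(FLOWS))` returns the three workstation-to-workstation flows from 10.0.1.11 as denied and lists 10.0.1.11 as the only fan-out suspect; in a real network the denied flows would never leave the VLAN and the fan-out alert is what the monitoring team would see.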


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Due Diligence is the act of investigating and understanding the risks a company faces. Due Diligence pertains to best practices that a company should follow to keep itself secure. If a company fails in implementing these measures, it might face an attack but might not be legally liable. Due Diligence basically means setting a standard and working your hardest to make sure you meet that standard. Proper Due Diligence shows Due Care.

Due Care is the development and implementation of policies and procedures to aid in protecting the company, its assets, and its people from threats. The lack of due care (knowing the risks and not doing anything about the risk) is often considered negligence, and in most countries is actionable under law.