The concept of defence in depth is quite simple: add multiple, different security controls so that a cyber-attack becomes difficult. In reality, though, in most businesses this is not something that happens at the service design stage. It is often implemented as an afterthought or as a knee-jerk reaction to a security breach. So how do you create a good defence in depth strategy? Read on, and we’ll go over the main points.
Built in Security
I’ve worked in the IT industry for over ten years, and I know how often I’ve seen a statement of work outlining a solution for a client, but seldom one with a comprehensive, thought-out security plan to go with it. That’s not to say the solution isn’t secure; it’s just not part of the broader security strategy, and security ends up being treated as a prerequisite rather than an overall goal. Mostly, this is down to the commercials, because fully considering a project’s entire security implications would often take considerable time.
Security should be ‘built in’, not just for the project you’re working on, but as part of the entire company’s security strategy. This is the foundation of defence in depth: your whole organisation needs to work toward a common goal of security.
It’s common to speak with people who think the security product they purchased is the ultimate and only protection they need. Nothing could be further from the truth. There is no point in having the most secure safe in the world if somebody finds its backdoor, and they will.
Making security everyone’s job
One solution is to make security everyone’s responsibility. This is often easier said than done, and even if you have a security-conscious team, daily time pressures can often lead to post-project tasks being abandoned to ensure the deadline is met.
What simple things can we do to mitigate this? You could make a conscious effort to hold a security review meeting at the beginning and end of every project. The first assesses what changes to the security posture the project will cause; the second assesses what changes have actually occurred and identifies any follow-up tasks that must be completed before the project is closed. This is quite effective, and it’s something you can do right away to positively impact your company’s security posture.
But what about other people? How do we make security everyone’s responsibility? The answer here, in my opinion, is ‘culture’. You need to make cyber security a part of your company culture. You have to continuously educate and encourage all of your staff to play their role in keeping security a top priority, and this challenge starts at the very top.
Getting ‘buy-in’ from upper management
Before you can educate and encourage the staff, you first must convince upper management or directors that this kind of posture is required. Unless, of course, you already have that buy-in, then you are one step ahead!
What is the most effective way to get buy-in? In my experience, there are two ways to do this: a risk analysis and a business impact analysis.
A risk analysis highlights what risks are present, how many there are and how serious they are. This information alone will persuade some directors to act; however, sometimes people need concrete examples of the impact of a risk to fully understand the consequences of not taking action.
A business impact analysis shows the consequences of not taking action on those risks. Sometimes a less likely risk has the more significant impact on the business, and it may be those risks that tip the directorship into increasing the security budget.
Multiple layers of security
At a more hands-on level, defence in depth involves multiple technical and administrative controls. We’ve already mentioned that a good strategy is a foundation for this, but the execution is also critical.
Typically, the more sensitive the system or data you want to secure, the more layers of security you would like to deploy around it. It’s best to imagine that an attacker has already compromised your network and implement a solution preventing such a breach from compromising the protected system.
Lateral Movement and How to prevent it
Preventing lateral movement is key to defence in depth. Attackers use this technique both to get deeper into your network and to hide their malicious activity among legitimate internal traffic.
The most common protection is to split your network into smaller VLAN segments. By segmenting your VLANs, you reduce your attack surface. However, VLANs on their own offer limited protection, because your servers and clients still need to communicate across them, so how do you police this traffic?
Layer 2 Firewalls
A very effective way of protecting against lateral movement is to deploy layer 2 (transparent) next-generation firewalls between segments. These firewalls inspect North-South traffic while blocking East-West traffic by default. Any East-West traffic that is required can be allowed explicitly, heavily restricted to the specific sources, destinations and ports needed, and have packet inspection enabled if the workload permits. This architecture is known as micro-segmentation.
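As an added illustration of the segmentation and micro-segmentation points above (example code written for this article, not a product or configuration from the original post), the following models a default-deny East-West policy between three constructed VLAN segments and runs it over a handful of constructed flow records to show which flows the inter-segment firewall would block; all addresses, segment names and the allowlist are assumptions:

```python
import ipaddress
# Constructed example segments (addresses are assumptions, not from the post).
SEGMENTS = {
    "clients": ipaddress.ip_network("10.10.0.0/24"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
}

# The only east-west flows the business needs; everything else between segments
# is denied, which is what stops a compromised client reaching the database.
EAST_WEST_ALLOW = {
    ("clients", "app", "tcp", 443),  # users reach the web tier
    ("app", "db", "tcp", 5432),      # web tier reaches the database
}
def segment_of(ip):
    """Return the segment name for an address, or None if it is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(src, dst, proto, dport):
    """Classify one flow and decide what the inter-segment firewall does with it."""
    s, d = segment_of(src), segment_of(dst)
    if s is None and d is None:
        return ("external", "ignore")      # neither end is inside our segments
    if s is None or d is None:
        return ("north-south", "inspect")  # perimeter path: allowed after inspection
    if s == d:
        return ("intra-segment", "allow")  # same VLAN: switched, not seen by this firewall
    verdict = "allow" if (s, d, proto, dport) in EAST_WEST_ALLOW else "deny"
    return ("east-west", verdict)

def audit(flows):
    """Return the flows a default-deny east-west policy would block."""
    return [f for f in flows if evaluate(*f)[1] == "deny"]

# Constructed flow records: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.20.0.5", "tcp", 443),   # client -> app, on the allowlist
    ("10.20.0.5", "10.30.0.7", "tcp", 5432),   # app -> db, on the allowlist
    ("10.10.0.15", "10.30.0.7", "tcp", 5432),  # client -> db, not allowed: blocked
    ("10.10.0.15", "10.10.0.20", "tcp", 445),  # client -> client, same segment
    ("203.0.113.9", "10.20.0.5", "tcp", 443),  # internet -> app, north-south
]

if __name__ == "__main__":
    print("blocked east-west flows:", audit(SAMPLE_FLOWS))
```

Note that the same-segment flow is allowed only because a VLAN switch never presents it to the firewall, which is exactly the gap the article describes; true micro-segmentation pushes the same allowlist down to each host so that flow is policed too.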
Defence in depth is a vast topic, but I hope some of the ideas above will steer you in the right direction. Getting the basics right first should be your priority: don’t chase shiny solutions. The foundation of a good strategy and culture should be your starting point.