A defense-in-depth strategy, aka a security-in-depth strategy, refers to a cybersecurity approach that uses multiple layers of security for holistic protection. A layered defense helps security organizations reduce vulnerabilities, contain threats, and mitigate risk. In simple terms, with a defense-in-depth approach, if a bad actor breaches one layer of defense, they might be contained by the next layer of defense.
The defense-in-depth concept was originally conceived by the U.S. National Security Agency [NSA] and takes its name from a common military strategy. [A defense-in-depth cybersecurity strategy is also sometimes referred to as a castle approach because it is similar to the layered defenses of a medieval castle with moats, drawbridges, towers, etc.]
The NSA defense-in-depth strategy covers people, technology, and operations. It provides guidelines and best practices for securing physical infrastructure, organizational processes, and IT systems.
The Evolution of Defense-in-Depth Strategies
Historically, most businesses developed defense-in-depth strategies around traditional perimeter-based security models designed to protect on-premises IT infrastructure. A classic defense-in-depth security implementation contains a wide range of security elements including:
- Endpoint security solutions – antivirus software and endpoint detection and response [EDR] tools to protect threats originating from PCs, Macs, servers, and mobile devices; and endpoint privilege management solutions to control access to privileged endpoint accounts.
- Patch management tools – to keep endpoint operating systems and applications up-to-date and address common vulnerabilities and exposures [CVEs].
- Network security solutions – firewalls, VPNs, VLANs, etc. to protect traditional enterprise networks and conventional on-premises IT systems.
- Intrusion detection/prevention [IDS/IPS] tools – to identify malicious activity and thwart attacks aimed at traditional on-premises IT infrastructure.
- User identity and access management solutions – single sign-on, multi-factor authentication, and lifecycle management tools to authenticate and authorize users.
Defense-in-Depth Strategies for the Digital Era
Traditional perimeter-based IT security models, conceived to control access to trusted enterprise networks, aren’t well suited for the digital world. Today, businesses develop and deploy applications in corporate data centers, private clouds, and public clouds [AWS, Azure, GCP, etc.] and they also leverage SaaS solutions [Microsoft 365, Google Workspace, Box, etc.]. Most businesses are evolving their defense-in-depth strategies to protect cloud workloads and defend against new attack vectors accompanying digital transformation.
Whether applications are hosted on-premises or in the cloud, history shows sophisticated attackers can breach networks and fly under the radar for weeks or longer. The 2020 SolarWinds supply chain attack, for example, went undetected for nine months, impacting over 18,000 organizations.
In response, many enterprises are adopting a Zero Trust “assume-breach” mindset and adapting their security strategies, using a combination of preventative controls and detection mechanisms to identify attackers and stop them from reaching their goals once they do penetrate a network. The key tenets of a modern defense-in-depth strategy include:
- Protect privileged access – use privileged access management solutions to monitor and secure access to privileged accounts [superuser accounts, local and domain administrator accounts, application administrative accounts, etc.] by both human and non-human identities [applications, scripts, bots, etc.].
- Lockdown critical endpoints – use advanced endpoint privilege management solutions to lock down privilege across all endpoints, prevent lateral movement, and defend against ransomware and other forms of malware.
- Enable adaptive multifactor authentication – use contextual information [location, time of day, IP address, device type, etc.] and business rules to determine which authentication factors to apply to a particular user in a particular situation.
- Secure developer tools – use secrets management solutions to secure, manage, rotate and monitor secrets and other credentials used by applications, automation scripts, and other non-human identities.
Enterprises typically deploy privileged access management solutions, endpoint privilege management solutions, adaptive multifactor authentication solutions, and secrets management solutions in conjunction with traditional enterprise security solutions [EDRs, firewalls, IDS/IPS, etc.] as part of a comprehensive, modern defense-in-depth strategy.
Risk Control Strategies are the defensive measures utilized by IT and InfoSec communities to limit vulnerabilities and manage risks to an acceptable level. There are a number of strategies that can be employed as one measure of defense or in a combination of multiple strategies together. A risk assessment is an important tool that should be incorporated in the process of identifying and determining the threats and vulnerabilities that could potentially impact resources and assets to help manage risk. Risk management is also a component of a risk control strategy because Nelson et al. [2015] state that "risk management involves determining how much risk is acceptable for any process or operation, such as replacing equipment".[1]
Examples of ThreatsSocial EngineeringTheftVandalismForces of natureHuman errorSoftware errorsHardware errorsStrategies[edit]
Five basic strategies to control risks that arise from vulnerabilities [2]
- Defense - Applying safeguards that eliminate or reduce the remaining uncontrolled risk
- Transferral - Shifting risks to other areas or to outside entities
- Mitigation - Reducing the impact of information assets should an attacker successfully exploit a vulnerability
- Acceptance - Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control
- Termination - Removing or discontinuing the information asset from the organization's operating environment
Defense[edit]
The defense strategy works to deter the exploitation of the vulnerability that requires protection. Defense methods can apply physical, logical, or a combination of both to provide protection as a defense strategy. The application of multiple layers of defensive measures is called defense in depth. Defense in depth applies access controls that Stewart et al. [2012] describe as "multiple layers or levels of access controls are deployed to provide layered security" [3]
Transferal[edit]
This strategy according to Stalling & Brown is the "sharing of responsible for the risk with a third party. This is typically achieved by taking out insurance against the risk occurring, by entering into a contract with another organization, or by using partnership or joint venture structures to share the risk and cost should the threat eventuate.[4] The act of purchasing insurance is an example of risk transferral.
Mitigation[edit]
The mitigation strategy attempts to reduce the damage of a vulnerability by employing measures to limit a successful attack. According to Hill [2012], "this can be done by fixing a flaw that creates an exposure to risk or by putting compensatory controls in place that either reduce the likelihood of the weakness actually causing damage or reduce the impact if the risk that is associated with the flaw actually materialized.[5]
Acceptance[edit]
This strategy accepts the identified risk and deploys no defense strategy. A reason for using an acceptance strategy is that the cost associated with deploying safeguards outweighs the damage of a successful attack or compromise.
Termination[edit]
Instead of using a safeguard to protect an asset or deploying zero safeguards and accepting the risks to an asset, this strategy removes the asset from the environment with risks. An example of this strategy would be to remove a server from a network because the company has determined that termination of the resource outweighs the benefit of leaving it on the network due to risk concerns.