Whereas cybersecurity involves securing computer systems against malicious attackers, it has adopted security practices from the military to bolster its efforts in preventing and stopping cyber attacks. One such practice borrowed from the military is Defense in Depth (DiD)
Defense in depth is a military strategy that can be traced back to medieval times when castles had multiple layers of security, such as drawbridges, ditches, moats, walls, and guard towers, providing additional layers of security to the castle.
Defense in depth was also used during the first and second world wars when militaries would dig trenches, use strategically placed machine guns, build fortifications, and use anti-tank obstacles to slow down enemies from advancing, cause casualties and buy time to retaliate.
In cybersecurity, defense in depth is a security practice where multiple security products and controls, such as firewalls, encryption, and intrusion detection systems, are layered and used together to protect networks and computer systems from attacks.
This results in enhanced security of critical assets making systems harder to penetrate as when one security measure fails, there are additional layers of security to protect a system against threats.
Defense in depth employs redundancy in cybersecurity, which makes it very effective as a single cybersecurity measure or control cannot stop all forms of cyber attacks. Defense in depth’s multi-layered approach to cybersecurity allows for protection from a wide range of cyber attacks resulting in better-secured computer systems that are very hard to compromise.
Elements of defense in depth
Defense in depth is made up of the following key elements
These are security measures put in place to secure computer systems and prevent physical access to the systems by intruders. This usually involves limiting access to computer systems by putting physical infrastructure such as security cameras, locked doors, ID card scanners, and biometric systems or even employing guards to man rooms with critical computer systems.
These are the hardware and software implemented to protect systems from malicious attackers. Examples of such security measures include firewalls, multifactor authentication, intrusion detection or prevention systems (IDS/IPS), antivirus, and configuration management, among many others.
These comprise an organization’s policies and procedures for its employees, which are meant to control access to the organization’s resources and also guide employees in proper cybersecurity practices to reduce human errors that can result in computer systems being compromised by attackers.
Why defense in depth is important
Kevin Mitnick, who at one time was regarded as the world’s most famous hacker after hacking systems of companies like Sun Microsystems, Nokia, and Motorola, is noted for saying that “Anything out there is vulnerable to attack given enough time and resources.”
This statement still holds true until this day, particularly with the sophisticated tools accessible to attackers. This, in turn, means that there is never a one-fix-all cybersecurity solution that cannot be compromised. This is why defense in depth is very important in a world with sophisticated attackers who have access to immense resources.
Defense in depth forces organizations to take a proactive approach towards their security and think of the security of their resources even when one security product fails.
This layering of different security products provides companies with robust protection for their critical resources, significantly reducing the likelihood of their systems being compromised. Defense in depth makes the process of compromising systems very difficult for attackers.
Additionally, it forces organizations to take a holistic approach toward their security and address all possible ways in which their systems can be hit. Just like in the military, where defense in depth slows down attacks and buys time for retaliation, it does the same thing in cybersecurity.
Defense in depth can slow down malicious actors before they access systems and give administrators time to identify attacks and implement countermeasures to stop the attacks before they breach their systems.
It also limits the damage done by attackers in case one security measure fails, as others security controls will limit the access and the amount of damage that attackers can inflict on a system.
How Defense in Depth Works
A key component of defense in depth is the redundancy of security measures that makes it harder for attackers to execute attacks. For instance, an attacker may consider physically coming to your premises to install an infected USB stick in your systems.
By having security guards manning the premises or using biometrics to log and control access to computers, such an attacker may be stopped.
Assuming that they are very determined in their attack and shift their focus to attack the network by sending malware to the network, such an attack can be stopped using a firewall that monitors network traffic or an antivirus installed in the network.
Or, say they try to access the network using compromised credentials, a multifactor authentication implemented in a network may be able to stop them from accessing the system.
Assuming that they still are able to get into the system, an intrusion detection system might catch and report their intrusion, which can then be addressed before further damage is done. Alternatively, an intrusion prevention system can also be used to actively stop threats.
If they are to pass through all these security measures, you can prevent attackers from exploiting sensitive information by encrypting data in transit and at rest.
As much as attackers can at times be very determined in their attacks and work around the different security measures installed to secure data, defense in depth works by making it very difficult for attackers to gain access to a system. This can discourage them in their attacks or, better still, give the organization time to respond to attacks before their systems are breached.
Use Cases of Defense in Depth
Defense in depth can be applied in a variety of scenarios. Some of these include:
#1. Network Security
A common application of defense in depth is in protecting networks from attacks. This is typically done by having firewalls to monitor network traffic based on an organization’s policy and intrusion protection systems to monitor for malicious network activity and take actions to prevent and mitigate intrusions in a network.
Additionally, antivirus software is installed in the network to prevent malware from being installed in the network or remove any that may be installed.
The final layer of security is the encryption of data at rest and data in transit in the network. This way, even if attackers bypass all the previous security measures, they are not able to use the data they access as it is encrypted.
#2. Endpoint Security
Endpoints are devices such as servers, desktop computers, virtual machines, and mobile devices which connect to an organization’s network. Endpoint security involves securing these devices from threats.
A defense-in-depth strategy in endpoint security may involve physically securing the location where the endpoints are located, using strong passwords and multifactor authentication to control access to the devices, and logging activities of the devices. Firewalls, antivirus software, and encryption of data can also be implemented to add extra layers of security.
#3. Application Security
Defense in depth is also useful in securing applications as they handle sensitive data such as users’ bank accounts, personal identification numbers, and addresses.
In such a scenario, defense in depth can be implemented by the use of good coding practices to minimize security flaws, regular testing of applications to hunt for vulnerabilities, encryption of data in transit and at rest, and implementing multifactor authentication to confirm the identity of users and also keep a log of activities done by users of the application.
Layered Security vs. Defense in Depth
Although these two security measures involve the use of multiple layers of security products to enhance the security of computer resources, they differ in implementation and focus. However, they both rely on building redundancy to enhance security.
Layered security is a security approach where multiple security products are deployed to protect the most vulnerable areas in an organization’s security.
In this approach, the multiple security approaches are deployed in the same layer or stack, such as using different antivirus software so that in case one antivirus misses a virus or has some shortcoming, the other available option may pick up the virus or overcome the shortcomings of the other antivirus.
Another example of this is using multiple firewalls or intrusion detection systems such that in case one product fails to detect or stop an intrusion, another product may pick it up.
Such an approach ensures the security of computer systems is not compromised even when one product fails. Layered security can be across different security layers to enhance the security of critical computer systems.
Unlike layered security, which builds redundancy on a single security layer, defense in depth builds redundancy across multiple layers or areas of a possible attack to protect computer systems against a wide range of attacks.
An example of defense in depth is implementing firewalls, multifactor authentication, intrusion detection systems, physically locking rooms with computers, and using antivirus software. Each security product addresses a different security concern and thus protects a system against a wide range of attacks.
Previous cyberattacks have shown that malicious actors will try out different attack vectors when looking for a vulnerability to exploit in any system. Since attackers have a wide array of attacks they can launch to compromise a system, organizations cannot rely on a single security product to guarantee the security of their computer resources against attackers.
It is, therefore, important to implement defense in depth to protect critical computer resources against a wide array of attacks. This has the benefit of ensuring that all the possible channels that malicious actors may use to exploit a system are covered.
Defense in depth also gives organizations the benefit of slowing down attacks and detecting of ongoing attacks, giving them time to counter threat actors before they can compromise their systems.
You may also explore Honeypots and Honeynets in cybersecurity.