Defense in Depth: The Basic Essentials of IT Security
You might remember a time when some folks believed that one product alone was enough to keep their business devices or networks secure.
“We have a firewall, we’re fine!”
“All of our PCs have antivirus, so we’re good!”
Today, no single, standalone security product (antivirus, firewall, etc.) is enough to protect your business, your users, and your data.
However, these things do make for effective layers when securing your business with a defense in depth security strategy.
Defense in depth is a security approach that we at Kelser subscribe to wholeheartedly for ourselves and our clients, and one that should be applied whether you’re protecting your office or your home environment when working remotely.
In this article, we’ll walk through what defense in depth is, how it can protect your business, and the most essential layers that you should consider for any environment.
A note here before we continue: if you have more stringent security requirements or compliance needs based on your industry, vendor/partner/client agreements, etc., there may be additional layers of security that apply to you beyond what we discuss here.
Check out my video here: https://share.vidyard.com/watch/ZNh6xhihLc3mZbHeDFi3mi
What is Defense in Depth and what are the primary layers?
Defense in depth is an approach by which you apply security at various points or various layers within your network.
If you were to look up defense in depth on the internet, you'd find a lot of information along with diagrams, images, documentation, best practices, and methodologies as to how to deploy this approach.
But at the core of all that information is the same base concept: applying security at a variety of layers within your environment.
If something got through one layer, or a layer failed, another layer would still be there to protect you. The goal is to keep your data as secure as possible and to build redundancy into your security infrastructure so that no single failure exposes the whole environment.
For this walkthrough, we’ll cover the minimum or basic protections you should consider having in place at the perimeter, application, endpoint, and physical security layers.
1. Perimeter Security
This layer of protection exists at the edge of your network and is what separates your home or office environment from the greater internet. It’s your first line of defense against a would-be threat and usually the layer - figuratively speaking – that’s furthest away from the data or systems you’re trying to protect.
A firewall is typically what comes to mind when talking perimeter security, and it is usually the main component separating your network and systems from the greater internet: it reviews traffic and acts as a gatekeeper, deciding what gets through and what gets denied. Overall, firewalls do a good job of keeping attackers from reaching your PCs, network devices, etc. directly. That said, we would never consider an environment safe with only a firewall to protect it (or any single layer for that matter).
For example, a firewall lets traffic through when it matches a service you’ve allowed. Email is normally allowed, since your business has to receive it. But a basic firewall makes that decision on addresses, ports, and protocols rather than on content, and most email today travels over an encrypted (TLS) connection. A firewall that cannot look inside that encrypted connection will not see a malicious link in the message, and the email passes through.
Firewalls are increasing in sophistication: next-generation firewalls can inspect application traffic and, where TLS inspection is configured, the contents of encrypted connections, which makes them more capable of thwarting malicious content that attackers try to mask. But we still want other layers of protection in place for whatever does pass through the firewall (like in the encrypted email example).
2. Application Security
Assuming a standard path through our layers of protection in this defense in depth strategy, if a threat made it past our perimeter security it would next run up against our application layer security protections.
Building off the email example above, ensuring you have a good spam filter on your email is typically the next main component that can help keep you safe.
While the firewall may see all email as legitimate traffic, the spam filter will be able to give that added check within emails themselves for malicious attachments, links, images, etc. They can also protect you against general junk mail and try to keep your mailboxes as clean as possible.
A lot of times a spam filter will come with your existing email package, such as Microsoft 365 (formerly Office 365). This gives you a base level of protection, but in a cybersecurity landscape that seems to be ever changing, it often isn’t enough. You may need a third-party spam filter that does more in-depth analysis of attachments and links than the built-in protection.
A good spam filter can even help protect you against phishing attacks. If you’re familiar with phishing (where someone tries to get information from you by deception), some spam filters recognize the patterns that mark an email as a suspected phishing attempt: a sender address that fails authentication checks, a reply address that doesn’t match the sender, or a link whose visible text doesn’t match where it actually goes.
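Here is an added example of those checks, written in Python for this article; it is not Kelser’s filter, Microsoft’s, or any vendor’s code. It parses two constructed sample messages (the addresses, domains, and authentication results are made up) and reports the three indicators just mentioned: failed SPF, DKIM or DMARC results in the Authentication-Results header that the receiving mail server adds, a Reply-To domain that differs from the From domain, and a link whose visible text names a different site than its real destination. The quarantine threshold is an assumption for the example.

```python
"""Added example (not from the original article): a simplified version of the
checks a spam/phishing filter runs on an inbound message. Sample messages,
domains, authentication results and the quarantine threshold are constructed
for the example."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)

# Constructed sample: spoofed sender, foreign Reply-To, mismatched link text.
SAMPLE_PHISH = b"""\
From: "Accounts Payable" <ap@example.com>
Reply-To: ap-invoices@example-mail.net
To: bob@example.com
Subject: Urgent: wire transfer needed today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/html; charset=utf-8

<html><body><p>Please approve the payment at
<a href="http://login.example-mail.net/portal">https://portal.example.com</a></p></body></html>
"""

# Constructed sample: authenticated sender, plain link text.
SAMPLE_CLEAN = b"""\
From: "Accounts Payable" <ap@example.com>
To: bob@example.com
Subject: March invoice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/html; charset=utf-8

<html><body><p>The March invoice is in the <a href="https://portal.example.com/invoices">billing portal</a>.</p></body></html>
"""


def registrable(host: str) -> str:
    """Crude 'organizational domain' (last two labels). A real filter uses the
    public suffix list so names like example.co.uk are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def auth_results(msg) -> dict:
    """Map spf/dkim/dmarc -> verdict from the Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RESULT.findall(header):
            results[method.lower()] = verdict.lower()
    return results


def phishing_indicators(raw: bytes) -> list:
    """Return human-readable findings for the raw message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) in ("fail", "softfail", "permerror"):
            findings.append(f"{method} {auth[method]}")
    from_dom = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    reply_dom = registrable(parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if LOOKS_LIKE_URL.match(text):  # visible text claims to be a URL
                shown_url = text if "://" in text else "http://" + text
                shown = registrable(urlsplit(shown_url).hostname or "")
                actual = registrable(urlsplit(href).hostname or "")
                if shown != actual:
                    findings.append(f"link text shows {shown} but points to {actual}")
    return findings


def classify(raw: bytes) -> str:
    """Assumed policy: two or more indicators quarantine, one flags, none deliver."""
    n = len(phishing_indicators(raw))
    return "quarantine" if n >= 2 else ("flag" if n == 1 else "deliver")
```

A real filter adds reputation data, attachment sandboxing, and a public-suffix-aware domain comparison on top of this, but the shape is the same: the mail server’s own authentication verdicts and the visible-versus-actual link comparison are the two checks that catch the bulk of spoofed-sender phishing.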
The other application layer defense I want to talk about is DNS-based protection such as Umbrella (formerly OpenDNS). It is an added layer that protects you in the event a malicious link makes it through your firewall and spam filter.
A common scenario would be if you clicked on a malicious link in an email that made it past your defenses, and you thought was legitimate. Umbrella would step in and prevent you from going to the dangerous site at the end of that malicious link. In some ways, it can be the ultimate safety net (but again shouldn’t be treated as a singular, standalone line of defense).
You can even use Umbrella in your home environment. If you’re web surfing at home and click on a search result you maybe shouldn’t have, Umbrella will again spring into action and prevent you from going to that dangerous site.
With Umbrella, there’s added features that block malicious ads from loading on legitimate websites you’re browsing and even the option to filter unwanted content (such as gambling, adult content, etc.) in addition to potentially dangerous sites.
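To make the DNS-layer idea concrete, here is an added example (not Umbrella’s code and not part of the original article) of the decision a filtering resolver makes for each query. The threat and content feeds, the domain names, the policies, and the addresses (taken from the documentation ranges) are all constructed for the example. It shows two things worth knowing about this layer: a listing covers every name beneath it, and the same query can be allowed on one network and blocked on another depending on the policy applied.

```python
"""Added example (not from the original article, not Cisco Umbrella's code):
a toy model of a DNS-layer filter. A queried name is checked against a threat
feed and a content-category feed, parent domains included, and then the
network's policy is applied. Blocked names get a block page address instead
of their real one. Feeds, names, addresses and policies are constructed."""

BLOCK_PAGE = "192.0.2.10"  # documentation address standing in for the block page

THREAT_CATEGORIES = {"malware", "phishing", "malvertising"}  # always blocked

# Constructed feeds: domain -> category
THREAT_FEED = {
    "malware-dropper.example": "malware",
    "secure-login-verify.example": "phishing",
    "ads.tracker.example": "malvertising",
}
CONTENT_FEED = {
    "bet.example": "gambling",
    "videos.example": "streaming",
}

# Per-network policy: content categories blocked in addition to threats
POLICIES = {
    "office": {"gambling", "streaming"},
    "home": set(),
}

# Stand-in for the real recursive resolver
UPSTREAM = {
    "portal.example": "203.0.113.7",
    "bet.example": "198.51.100.5",
    "cdn.malware-dropper.example": "198.51.100.66",
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot of an FQDN."""
    return name.lower().rstrip(".")


def candidates(name: str):
    """Yield the name and each parent: a.b.example, b.example, example."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup_category(name: str):
    """Return (category, matched entry) for the most specific listed name or
    ancestor, or (None, None) if no feed lists it."""
    for cand in candidates(name):
        if cand in THREAT_FEED:
            return THREAT_FEED[cand], cand
        if cand in CONTENT_FEED:
            return CONTENT_FEED[cand], cand
    return None, None


def resolve(name: str, network: str, upstream: dict = UPSTREAM):
    """Answer a query for `name` coming from `network` as (address, reason)."""
    category, matched = lookup_category(name)
    if category in THREAT_CATEGORIES:
        return BLOCK_PAGE, f"blocked: {category} ({matched})"
    if category in POLICIES.get(network, set()):
        return BLOCK_PAGE, f"blocked by {network} policy: {category} ({matched})"
    return upstream.get(normalize(name), "NXDOMAIN"), "allowed"


if __name__ == "__main__":
    for query, net in (("cdn.malware-dropper.example.", "home"),
                       ("bet.example", "office"), ("bet.example", "home"),
                       ("portal.example", "office")):
        print(f"{net:6} {query:30} -> {resolve(query, net)}")
```

A check to remember when you deploy this layer for real: DNS filtering only protects clients that actually use the filtering resolver, so restrict outbound DNS (ports 53 and 853) and DNS-over-HTTPS to other resolvers at the firewall, and expect a certificate warning rather than the block page on HTTPS sites unless the filter’s block-page certificate is trusted on your devices.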
3. Endpoint Security
So, you’ve got a firewall, spam filter, and DNS-based protection in place. Is that enough layers?
Well, let’s say a hacker launches an attack that bypasses your firewall, spam filter, and DNS-protections which lands malicious content on your PC.
That’s where protections on the endpoint layer step in.
Antivirus is an extremely critical component because it is the last thing standing between a threat that has reached your computer and the data on it.
A robust antivirus will also take a multi-pronged approach to protect you from all forms of viruses, malware, spyware, botnets, ransomware, the whole gamut.
The steady rise in malware infections and other cyberattacks over recent years shows the limits of antivirus: it only acts once malicious content has already reached the endpoint, it can miss new or disguised malware, and it does nothing to stop attackers at the other layers. It helps as one layer in a defense in depth strategy, not as a replacement for the others.
The Human Firewall (You)
This is probably one of the, if not the, most critical components. There are a lot of things users can do to protect their environment, such as:
- Practicing good internet hygiene
- Thinking about what you click on
- Staying vigilant about who you’re communicating with and what kind of information you’re sharing with them
Any correspondence that’s out of the ordinary – such as an executive requesting a rush fund transfer out of the blue – is worth questioning.
At Kelser we’re also strong believers in employee cybersecurity awareness training and its importance as part of this security layer. Not only do we recommend this for clients, but we do the same type of training ourselves.
While it may seem rather simple and common sense, it’s amazing how the tips and tricks you pick up help keep you and your environment safe.
We’re also strong believers in the importance of two-factor (2FA) and multifactor (MFA) authentication. I could go on for a while about multifactor authentication, but to summarize, it combines two or more of the following:
- Something you know
- Something you have
- Something you are
For example, something you know would be a password or PIN. Something you have would be a phone, authenticator app, or hardware token that generates or receives a one-time code (the code proves that you hold the device; the code by itself is not a separate factor). Something you are would be your biometrics, such as a fingerprint or face scan.
Multifactor authentication is used by a lot of well-known systems and applications these days. You’ve likely come across it at some point in your work or personal life already as it's picking up prevalence and being required in many situations.
The more you can incorporate multifactor authentication into your defense in depth strategy, the better.
4. Physical Security
Physical security is a robust topic in its own right, but I wanted to make sure to touch on it as an essential layer.
Protections you should be considering as a part of this security layer include:
- Keeping your server room locked and limiting access to it
- Cameras in sensitive areas (like the server room), around and outside your office building
- Fence perimeters
- And more
Perhaps the most basic thing here is also remembering to lock your computer when you walk away from it. This helps prevent a passerby from seeing sensitive information or having unauthorized access to your machine, the company network and data.
Does your organization have these essential security layers in place?
You can take this defense in depth approach and get pretty deep with it depending on your requirements or the security posture you want to have.
There are other protections across the layers we identified, such as: network authentication for Wi-Fi access, remote VPN access, securing your routers and switches, SSL/TLS decryption (inspection), DLP (data loss prevention), encryption (end-to-end, in transit, at rest), and others.
Kelser fully embraces the defense in depth methodology for both ourselves and the clients we protect.
We’d love the opportunity to explore your defensive layers in greater detail if you have any questions, concerns, or want to explore how to further harden your defenses.