Information security can be remarkably simple if it is organized well. It can be fascinating and fun too (honestly). Welcome to the security onion! The onion image denotes the established approach adopted by many corporations to protect themselves from cyberattack, and it helps to explain the true power of Defense in Depth.
Defense in Depth is a military strategy designed to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating an attacker with a single, strong defensive line, Defense in Depth relies on the tendency of an attack to lose momentum over time, or as it starts to cover a larger area.
Applied to the world of information security, it is a strategy of using multiple security techniques so that the compromise or circumvention of any one component of the defense does not by itself lead to a breach.
Different security products from multiple vendors may be deployed to defend different potential attack vectors within the network, so that a shortfall in any one defense does not turn into a wider failure. This is the layered approach to rigorous data security.
The strategy is based on the US Department of Defense approach for addressing the three critical control criteria, which are:
- administrative;
- physical;
- technical.
How to defend and protect
Policy represents the outer layer of the security onion and encloses everything. Physical security is the next layer beneath policy. Beneath the physical environment are the juiciest parts of the vegetable, the real trophies that attackers are trying to penetrate:
- perimeter;
- network;
- host;
- application;
- data (the ultimate prize for attackers).
At each layer the enterprise must have a defined set of controls that keep that layer viable and protected. Data is the holy grail: when an attack reaches your data, that is a data breach, the most serious kind of intrusion, and one that must be disclosed for legal and compliance purposes.
So what are the guiding principles for optimizing Defense in Depth?
- Do not rely on any single defensive mechanism, point, or layer; a misconfiguration in one should not expose the whole system.
- Add protection by presenting more defensive mechanisms, points, and layers to potential attackers and bad actors.
- Protect against emerging vulnerabilities in any defensive mechanism, point, or layer, so that one newly discovered flaw does not defeat the defense as a whole.
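The following is an added illustration of the layered principle, not code from the original article. It models the five inner onion layers (perimeter, network, host, application, data) as independent checks that a request must all pass, and then asks the question the first guiding principle raises: which single misconfigured layer would be enough to let a hostile request through? All CIDRs, roles, segments, queries and classification levels are constructed for the example.

```python
"""Toy model of layered (Defense in Depth) controls.

Added illustration, not code from the original article. Every layer, request
and policy value below is constructed for the example.
"""
from dataclasses import dataclass, field
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# Constructed policy values for the hypothetical environment.
PERIMETER_ALLOWED_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]
NETWORK_SEGMENTS_FOR_DB = {"app-tier"}            # only the app tier may reach the database
HOST_ROLES_WITH_ACCESS = {"db-reader", "db-admin"}
# The application layer accepts only a narrowly allow-listed query shape.
APP_SAFE_QUERY = re.compile(r"^SELECT [a-z_, ]+ FROM [a-z_]+ WHERE id = \d+$")
DATA_CLASSIFICATION_MAX = {"db-reader": "internal", "db-admin": "restricted"}
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "restricted": 2}


@dataclass
class Request:
    source_ip: str
    segment: str
    role: str
    host_attested: bool     # endpoint passed the host-level posture check
    query: str
    classification: str     # sensitivity of the data the query touches


@dataclass
class Verdict:
    allowed: bool
    blocked_by: List[str] = field(default_factory=list)


LayerCheck = Callable[[Request], bool]


def perimeter(req: Request) -> bool:
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in net for net in PERIMETER_ALLOWED_CIDRS)


def network(req: Request) -> bool:
    return req.segment in NETWORK_SEGMENTS_FOR_DB


def host(req: Request) -> bool:
    return req.host_attested and req.role in HOST_ROLES_WITH_ACCESS


def application(req: Request) -> bool:
    return APP_SAFE_QUERY.match(req.query) is not None


def data(req: Request) -> bool:
    # The data layer enforces classification independently of every other layer.
    ceiling = DATA_CLASSIFICATION_MAX.get(req.role, "public")
    return CLASSIFICATION_RANK[req.classification] <= CLASSIFICATION_RANK[ceiling]


LAYERS: Dict[str, LayerCheck] = {
    "perimeter": perimeter,
    "network": network,
    "host": host,
    "application": application,
    "data": data,
}


def evaluate(req: Request, disabled: Tuple[str, ...] = ()) -> Verdict:
    """Run every enabled layer; the request is allowed only if all of them pass.

    `disabled` simulates a misconfigured or bypassed layer. Every layer is
    evaluated rather than short-circuiting, so the verdict records which
    layers would have caught the request, which is what a detection team
    wants to see in the logs.
    """
    blocked = [name for name, check in LAYERS.items()
               if name not in disabled and not check(req)]
    return Verdict(allowed=not blocked, blocked_by=blocked)


def single_points_of_failure(req: Request) -> List[str]:
    """Layers whose individual failure would let `req` through.

    An empty list means no single misconfiguration is enough, which is the
    Defense in Depth goal; a non-empty list names the layer the enterprise
    is silently relying on.
    """
    return [name for name in LAYERS if evaluate(req, disabled=(name,)).allowed]


if __name__ == "__main__":
    good = Request("10.1.2.3", "app-tier", "db-reader", True,
                   "SELECT name, email FROM users WHERE id = 42", "internal")
    # Constructed hostile request from outside: wrong source, segment, posture and query.
    external = Request("203.0.113.7", "dmz", "db-reader", False,
                       "SELECT * FROM users WHERE id = 1 OR 1=1", "restricted")
    # Constructed request that is legitimate at every layer except the application.
    insider = Request("10.1.2.3", "app-tier", "db-reader", True,
                      "SELECT * FROM users WHERE id = 1 OR 1=1", "internal")
    for label, req in [("good", good), ("external", external), ("insider", insider)]:
        print(label, evaluate(req), "single points of failure:", single_points_of_failure(req))
```

The `insider` request is the instructive case: it is stopped, but by the application layer alone, so `single_points_of_failure` reports that one misconfiguration there would be a breach of the data layer's trophies. In a real environment that report is the cue to add a compensating control at the data layer (for example, row-level access restrictions) rather than to trust the application check harder.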