Defense in Depth and what it can do for your business

Laurence Lafond and Robert Hawk, Global Relay’s security experts, explain the power of the military Defense in Depth strategy when applied to cyber-security.

Information security can be remarkably simple if it is organized well. It can be fascinating and fun too (honestly). Welcome to the security onion! This image denotes the established approach adopted by many corporations to protect themselves from cyberattack. It helps to explain the true power of Defense in Depth.

Defense in Depth is a military strategy designed to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating an attacker with a single, strong defensive line, Defense in Depth relies on the tendency of an attack to lose momentum over time, or as it starts to cover a larger area.

Applied to the world of information security, it is a strategy of using multiple computer security techniques to help mitigate the risk of one component of the defense being compromised or circumvented.

Different security products from multiple vendors may be deployed to defend different potential vectors within the network, helping to prevent a shortfall in any one defense that might lead to a wider failure. This describes the layered approach to rigorous data security.

The strategy is based on the US Department of Defense approach for addressing the three critical control criteria, which are:

  • administrative;
  • physical;
  • technical.

How to defend and protect

Policy represents the outer layer of the security onion that encloses everything. The physical is the next layer beneath policy. Beneath the physical environment are the juiciest parts of the vegetable. These are the real trophies that attackers are trying to penetrate:

  • perimeter;
  • network;
  • host
  • application;
  • data (the ultimate prize for attackers).

At each layer the enterprise must have a certain set of controls that make that layer viable and protected. Data is the holy grail – when an attack encroaches on your data, that is a data breach and is the most serious intrusion that needs to be disclosed for legal and compliance purposes.

So what are the guiding principles for optimizing Defense in Depth:

  • Not relying on any one defensive mechanism, point, layer, etc., to protect against misconfigurations.
  • Adding protection in regard to presenting more defensive mechanisms, points, and layers against potential attackers/ bad actors.
  • Protecting against any emerging vulnerabilities in any defensive mechanism, point, layers.