Mastering defense in depth
Back in the old days, people relied on perimeter defense, which is erecting a virtual fence to prevent non-authorized people from getting into your systems.
Figure 1.8 – Single-layer perimeter defense
However, the threat landscape has evolved, and we must do the same!
While perimeter defense is mostly based on a single layer of protection (normally a network layer), Defense in Depth (DiD) takes this further by applying a plurality of security layers in which each layer offers a new line of defense against an attack.
Normally, those layers are independent and each of them provides a different security mechanism that increases the overall security. The benefit of this independence is that a vulnerability that affects one layer may be irrelevant to the other layer. This is a great advantage over a pyramidal model where, if the foundation is affected, the rest will fall.
However, this independence also has its downside in terms of the complexity of the operations. In this case, managing all the different layers (configuration, test, updates, maintenance) is not an easy task, but who says that our job will be easy!
Factors to consider when creating DiD models
Most DiD models create the layers based on technology; however, if you want to apply DiD as a master, you must also consider the following two very important factors: People and Processes.
Tip
The DiD model can be applied at a macro level (to the entire organization) or at a micro level (to a single system or technology). This means that once you master this method, you can use it to create your overall security strategy, as well as use it to create the security strategy to secure your web apps.
Now, let's analyze these two factors in detail.
The people
People are often pointed to as the biggest threat in cybersecurity…and they are! And we are not talking about the criminals; we are talking about your company employees who are responsible for many of the security breaches, either as a result of an inadvertent error or by being used by an attacker to gain access to some systems or data.
Therefore, we must consider the human factor when developing our defense strategy. Ignore this and your strategy will be doomed.
The very first step here for you is to segment the company employees by access type. Users should be created on a need-to-know/need-to-do basis. This segmentation of employees should be performed as part of your identity and management process and while, in the beginning, it may be a time-consuming process, in the end, I assure you that the investment is well worth it.
Admin rights
Some companies started to adopt a policy to provide admin rights to all employees over their work computers. The justification is related to the huge cost associated with having a support team in charge of helping the user every time they need to install software, hardware, update, or plugin.
But what about the cost of reinstalling a machine following a malware infection? What about the cost associated with the installation of corrupted drivers? What about the cost of a data leak due to the installation of a trojan? What about the legal cost of the installation of unlicensed or restricted software? Those are some of the questions that you may ask senior management in case they want to provide admin rights to everyone. Remember, it is your responsibility to help your organization to understand that security will always be above usability and user experience.
Are you saying this should not be done? No, I am just saying that this needs to be carefully analyzed from the cybersecurity perspective to ensure that if applied, all appropriate controls are in place to reduce the risks mentioned earlier.
The processes
You must have an in-depth understanding of the organization that you are tasked with defending. You can achieve this by understanding all the company's processes (or at least the core of them). Once you know them, it will be easier for you to identify vulnerabilities and risks where others don't!
I understand that as a technical person, you may hate processes and the associated (and mostly) outdated documentation that it brings, but trust me, if you know them, you will bring an exceptional value that very few are capable of providing to their organization.
Another reason for you familiarizing yourself with this is because you will have to eventually create your own processes. One good tip is to create your processes in alignment with the organizational processes; this will enable you to reduce risks while closing any potential gaps.
Additionally, I suggest you evaluate/analyze those three factors (Technology, People, and Processes) from two perspectives: Internal and External.
Tip
I suggest you do an inventory of your technology, processes, and types of employees, and then evaluate the risks (internal/external) associated with each of them, as shown in the following diagram.
Figure 1.9 – Risk evaluation matrix based on three factors
Now that we have reviewed the factors that need to be considered and how to manage them, it is time to move forward to understand how to determine which assets will be defended by our DiD model and how to prioritize them.
Asset identification
In an ideal world, you would apply the strongest defense across the entire organization, but as you may know, that is not realistic because the stronger the security, the more expensive the cost.
Therefore, before moving forward, you must analyze your systems and data and sort them to prioritize the defense strategy for each type.
Tip
Once you have identified the different systems and data, create a Kanban-like board in which the columns are the levels of security (with an associated cost), and then schedule a meeting with relevant upper management (CEO, CFO) and ask them to place the different systems and data in the desired security level (columns). This is a great tool for you when it comes to supporting your budget request, but also when delegating the responsibility of the security level selected for each system/infrastructure or dataset.
The following diagram is an example of a Kanban-like board that can be used to determine Asset priorities (based on impact) and also to support budget requests made to upper management:
Figure 1.10 – Sample Kanban-like board for asset classification
Now it is time to create the layers of your DiD model.
Defense by layers
Here, you will use the inputs from the asset prioritization that we just created to develop the best-layered model based on your resources.
There is an open debate ongoing about whether it is better to have one super strong control or multiple good controls.
Let's look at some pros and cons of a sample scenario so that you can draw your own conclusions.
Figure 1.11 – Single strong control versus the multi-control approach
There are two ways to create your layers, by means of the functionality of the control or by technology, as explained next.
Creating layers by type or functionality of the control
Here, you create the layers based on the functionality or type of controls.
The idea is that you correlate what you are trying to secure against the controls applicable to it. For example, there will be cases in which corrective controls may not be relevant, while in other cases, it should be the priority. Remember that in security, everything needs to be tailor-made based on the business.
Figure 1.12 – Layered security by the control function
Figure 1.12 shows a full layered model that includes the most popular controls layered by their function. For example, an electrified fence to prevent someone from entering the building, a Camera system to detect intruders, a security guard to deter potential intruders, biometric authentication or geolocation as an alternative method to compensate a more expensive mechanism, a backup to perform the recovery following a disaster, and a "Reboot to restore" software (like a deep freeze) to correct any issue or misconfiguration on a given system.
Creating layers by technology
Here you create layers of controls based on the technology used, despite the fact that they provide the same functionality. For example, you may implement several methods or technologies on a critical system to detect intruders (IDS, audits, logs, and so on).
Figure 1.13 – Layered security by technology
In the preceding diagram, you can see an example of how you can create layers based on the technology. For example, a camera and a sensor may both be a detective control, but both use different technologies to achieve it. This model is very useful when you want to increase the focus on a given functionality, for example, implementing a plurality of technologies to provide a special focus on detection or prevention.
Tip
To make things more interesting, remember that layers can also be further defined on three categories of controls: administrative, physical, and technical. I know that you are already familiar with those categories (so there is no need to waste ink in explaining them), but I just want you to keep in mind that you can add components from the three categories on the same layer.
Which approach is better?
This will depend on your infrastructure, and that is why performing an in-depth analysis of the environment is key.
Remember that the logic behind this is to make things harder for an attacker and you can achieve that with both methods.
Benefits of a security by layer model
There are a lot of benefits associated with the implementation of a Security by layer approach and Figure 1.14 highlights some of them for you to consider whether they can be beneficial for your defensive security strategy:
Figure 1.14 – Benefits of implementing a security by layer model
Additionally, upper management will also benefit from implementing this type of security model as this enables the company to perform a better allocation of cybersecurity resources.
Tip
Layered models were designed to work in isolation, which means that there is no communication between the layers. However, the latest research studies confirm that interconnecting the layers will improve the system as one layer may learn from the other one to better protect against an upcoming threat.
Keep in mind (like everything else in security) that a layered model that works today may be obsolete in 2 years, so you need to constantly evaluate your layers to determine if they still offer the required level of security.
Bonus track
I know you want to see the latest and greatest technologies, so here are a couple of systems recently developed that can be implemented on layered security models.
Mobile device feature disablement
This is a very interesting project (patented in the US) that I worked on recently with my friend and master inventor, Eric Rueger. The idea is a system that prevents the execution of a plurality of systems on a mobile device based on a plurality of factors such as time and location. Therefore, this is a state-of-the-art system that can be applied to the preventive or detective layer of the model. Here is the link: https://patents.google.com/patent/US10594855B2/en.
Cognitive security adjustments based on the user
If you want to see one real example of how you can add AI to a preventive layer (and take your layered model to the next level), take a look at this patent pending in which the system monitors the user's emotional state and level of attention to determine whether the user's computer should be automatically locked to prevent unauthorized access or the inadvertent disclosure of sensitive information. In terms of the development of this system, I had the privilege to work with one of the most prolific inventors in human history, Greg Boss: https://patents.google.com/patent/US20190180013A1.