Defense in depth, or DiD, is an information security approach where organizations implement multiple layers of security controls. There will be multiple layers of security measures for comprehensive protection against ever-evolving cyberattacks throughout your IT infrastructure. Redundancy in defensive mechanisms helps to protect your IT infrastructure even if one of them fails. Security teams know that standalone security measures cannot stop all possible cyber threats. At times, it is also referred to as the layered approach to security.
Where Did Defense In Depth Come From In Cybersecurity?
The defense in depth approach derives from a military strategy of the same name. This strategy slows down an attack’s progress, rather than utilizing resources in setting up a single line of defense. Because of multiple defensive layers, supporting defensive measures will cover up if one measure fails. As a result, you have more time to prepare your response strategy carefully. Whether you are a CISO or security professional, it is crucial to understand DiD for planning an efficient defensive strategy for your organization.
What Does Defense In Depth Include?
By adopting this approach, your organization will implement security controls across your network’s physical, administrative, and technical aspects.
Physical controls include security controls for preventing physical access to IT systems. For example, security guards, locking of doors, and biometric access.
Administrative controls cover policies and procedures for adopting a well-defined and consistent approach towards organizational security. For example, password policy, procedure for revocation of access, and labelling of documents.
Technical controls include security measures for protecting your IT systems using special hardware or software solutions. For example, antivirus, firewall, and intrusion detection and prevention system (IDS/IPS).
What Are Some Examples Of Security Measures That You Can Implement?
Firewalls
Firewalls act as a gatekeeper for your organizational network. You can allowlist or denylist ports, IP addresses, and MAC addresses. Based on your rules, a firewall can deny or accept a connection request. You can also implement firewalls for web applications and email application.
IDS/IPS
IDS continuously analyzes and monitors your network traffic for known attack signatures. An IDS solution can detect malware, port scanners, and policy violations, among other types of threat behaviors. IPS, similar to firewalls, is placed between the public internet and your internal network. It is a proactive security measure that denies network traffic to pass through if the packets represent a known threat.
Network Segmentation
This measure splits a network into multiple sub-networks. Segmentation of your network must be in line with business requirements. A recommended way to segment your network is to have sub-networks for different teams. Firewall rules, switches, and other network devices help in the segmentation.
Access Privileges
While defining your employees’ access levels, you must adopt the principle of least privilege. This principle requires organizations to limit unnecessary access to files, systems, and networks. As a matter of general practice, additional access must be granted as an exception.
Password Management
Passwords play an undeniably crucial role in user authentication. An ideal password policy will provide guidance on minimum requirements for a strong password. It will ask users to set different passwords for different accounts and change them regularly. Further, for extra protection, you must require your employees to use multi-factor authentication.
Patch Management
Patch management practices ensure that you apply patches to software, hardware, plugins, and operating systems promptly. Delays in applying patches may allow the attackers to exploit existing vulnerabilities in your IT infrastructure.
Endpoint Detection and Response (EDR)
EDR applications reside on client systems in your networks such as laptops, tablets, and mobile phones. They provide antivirus/antimalware protection, alert generation, threat detection, and analysis capabilities. Modern EDR applications also come with behavior detection capabilities, along with traditional rule-based detection.
Endnotes
When it comes to the security of your IT infrastructure, there is no easy way out. However, defense in depth approach introduces redundancy in your security measures. This prevents your network from having a single point of failure (SPOF). Successful adoption of this approach will require more time and efforts from the attackers to infiltrate your network. Starting with the implementation of this approach can be an extensive undertaking. Our experts recommend following a risk-based approach to identify sensitive assets in your network. You can dedicate initial efforts to these assets before moving on to other components of your network.
