What is Defense in Depth?

Overview

Defense in depth adheres to the concept that multiple defense mechanisms are more difficult to defeat than a single solution. Although strong, a single fortress wall may still become compromised. Multiple varied defenses allow for the failure of one security mechanism by protecting data with another.

The challenge with Defense in Depth is managing simplicity while ensuring adequate protection. Adding a new security protocol may lead to new risks from the increased complexity, therefore, a balance is needed for an optimal security solution.

Elements of Defense in Depth

• Network Controls
  Monitoring network traffic is the first line of defense. Firewalls can help with this, but for a more comprehensive security solution an intrusion prevention system (IPS) should also be used.
• Antivirus Software
  Using antivirus software is critical, but it’s not an all-inclusive solution. It often relies heavily on signature-based detection that can be exploited by an intelligent attacker. Some antivirus programs also use heuristics that look for suspicious activity. For example, if a document tried to download an executable when opened, the antivirus program would halt the download and quarantine the file.
• Check File Reputation
  The reputation of a file deals with its frequency of use and the source. Every file has a checksum, a mathematical representation of the file, that can be used to check against known viruses and block matches. It can also be used to find how often a file shows up. If the incoming file is completely unique, it’s marked as suspicious, as it should be in circulation somewhere else. It is also important to check the reputation of the file’s origin. Check the IP address of either the sender or origin site and decide whether it’s a trustworthy source.
• Analyze Behavior
  Network and file behaviors provide insight into whether a breach is in progress or has already occurred. By the time behavioral analysis comes into play, prevention has already failed and the new aim is detection. Initially this requires an organization to create a baseline for “normal” behavior. Algorithms can then use this baseline to detect anomalies such as high-bandwidth traffic or extremely long connections.
• Fix the Leak
  Once an attack is detected, it’s crucial to shut it down quickly. In addition to deleting malicious files the initial entry point of the attack needs to be identified and repaired.

Example of Defense in Depth

Assume an organization utilizes a defense in depth strategy. This company uses a firewall, a basic antivirus program, and behavioral analysis. An attacker creates a phishing attack and sends out a convincing email with a company schedule attached in the form of a PDF. The email makes it past the firewall and ends up in the inbox of an unsuspecting employee. When the employee opens the PDF it starts to download a malicious executable file. Fortunately, the behavioral analysis tool notices the anomaly and sends up an alert concerning the file.

Although the attack was successfully detected, there are three things the organization could improve to stop the attack from occurring in the first place. First, the company could utilize an IPS to provide an extra layer of network security. Second, they could upgrade their antivirus software to one that employs heuristics. This way the file could be automatically dealt with instead of merely sending an alert. Third, and most important, the company could offer employee security training so that phishing attacks never succeed, even if they make it past all the filters.

Conclusion

The most dangerous act an organization can make is to assume they’re safe from danger. In 2015, there were 38% more security incidents than in the previous year and this is expected to increase again in 2016. Threats should be continually assessed and monitored and defense schemes modified as needed. Having a layered security solution is critical to preventing and quickly detecting an information breach.