Defense in Depth: Is it Right For You?


Long before antivirus software was a twinkle in an engineer’s eye, humans were employing various strategies to protect their valuables from the prying hands of strangers. A lord and lady in a castle might have relied on tall, slippery castle walls for protection. If that wasn’t enough, perhaps they added a moat.

If a situation got truly serious, maybe they’d dig secret tunnels, hire some skilled archers, and keep some boiling oil at the ready. In other words, our fictional lord and lady didn’t depend on one single type of protection; they made sure their defenses were layered. Translate that to the electronic realm, and you’ve got the “defense-in-depth” concept down pat.

What is Defense in Depth?

Back in March 2010, the National Security Administration published a paper called “Defense in Depth,” in which the authors highlighted three elements that are critical to the strategy’s success: people, technology, and operations. Defense in depth can be defined as a strategy that uses multiple security measures to protect an organization’s assets.

In our view, they nailed it! At TMG, we believe that “defense-in-depth” should be a guiding light in the cybersecurity space. Interestingly, though, not everybody agrees with us on this.

Defense-in-Depth Opposition

Some in the cybersecurity field argue that defense in depth is dead and can no longer address the current asset realities and threat landscape. Their argument centers on two main—and valid—points: first, the rapidly expanding network perimeter and second, the rapid adaptation and availability of attackers, attack vectors, and payloads.

1. Argument against defense in depth.

Essentially, their argument is that since everyone has a mobile device, and since applications and storage are increasingly consumed as cloud services, this new reality destroys the traditional notion of concentric castle-type defense-in-depth ideas. This “perimeter breakdown” means we simply can’t build “walls” that are tall or wide enough to cover our users and their diverse technologies. Making things worse, attackers are faster and meaner, plus their tools (and the attackers themselves) are available as a service with guarantees! To say nothing of the insider threats (willing or not) who are already inside the castle. So, the naysayers cry, defense in depth that!

But we disagree. The perimeter breakdown is real, and it definitely creates some challenges for cybersecurity. But at TMG we don’t interpret defense in depth as simply meaning the creation of a multilayered perimeter. Quite the opposite: defense in depth should apply at all levels and across all perimeters. It applies as much to the organizational perimeter—location by location, endpoint by endpoint—as it applies to its providers, partners, and clients and as it applies to individual users, no matter where they may be.

Defense in Depth Strategies

In other words, defense in depth is not just a top-level “castle with five walls and three crocodile-filled moats” strategy. It is also a practice that needs to be applied at each asset point.

Firms need to develop defense-in-depth strategies for physical (and virtual) offices, both local and remote. They should also expect a defense-in-depth approach from their cloud services providers (trust but verify, always) and, depending on scope, from their trading partners as well.

Defense in depth is not about any specific technology or topology. Defense in depth is truly about people, technology, and operations, no matter where, no matter how.

cyberCTRL + Defense in Depth

It is exactly these challenges that drove us to develop our cyberCTRL solution. We needed to be sure that when everything was said and done, we would have a reliable system that would not only help us layer a defense-in-depth strategy for each client but would also alert us whenever one of the layers failed and kick off an automatic and rapid remediation. We took defense-in-depth to the next level: resilience-in-depth! We did this by introducing automation and remediation embedded directly in the strategy and execution of your cybersecurity program from the beginning.

Defense-in-depth is the right strategy. Implement it correctly and you will transform it from an approach to real-life resilience that will be the envy of your competitors and a hacker’s nightmare!