By Kevin A. Joyner, CISSP
Information Security Officer, Brazos County IT
"Defense in depth" is a common buzzphrase in the security sector these days, with vendors pushing comprehensive product suites to help you achieve this latest security holy grail. So, what is it and why should we care?
I asked ChatGPT to give me a definition of defense in depth for cybersecurity, and it provided the following result:
Defense in depth in cybersecurity is a strategy that involves employing multiple layers of security measures to safeguard systems and data from various threats. By using a combination of tools like firewalls, encryption, access controls, and training, this approach enhances security by making it harder for attackers to breach systems. It recognizes that no single defense is sufficient and aims to create a more resilient and robust security posture.
Not bad, but I would include tools like IDS/IPS, AV/EDR, SOC/MDR, NDR, zero trust, SIEM/SOAR, DNS Security, and others I am sure I am missing. (On a side note, the cybersecurity world has a ridiculous number of acronyms.) Layering these tools means that, should a well-resourced attacker come after you, there are more obstacles and barriers between them and the pot of gold that is your data and resources.
Our agency hasn’t implemented all of the tools listed above, and the full list is something only the most well-resourced agencies among us can afford. Though the array of tools can be overwhelming, even for well-resourced agencies, the pursuit of cybersecurity maturity remains an ongoing process rather than a destination. For resource-constrained agencies, there are free and low-cost tools available to bridge gaps.
One question that each agency needs to decide for itself is how to implement defense in depth. Opting for fewer vendors can streamline management, reduce support headaches, and improve interoperability, which is particularly vital in the face of understaffing and the need for increased productivity.
Our agency’s approach prioritizes diversification of vendor products. When you select a vendor’s product for implementation, you are not only selecting the product but the vendor’s security posture as well. Every vendor emphasizes different things that will determine where and how their resources are allocated. We have different vendors providing security tools at almost every level of our security hierarchy. This provides us with a plethora of security postures, and the hope is that a blind spot for one vendor might be a strength for another.
This approach was validated recently, through two security events in the past six weeks. In both cases, the users clicked on a malicious link that had been elevated in search results using SEO poisoning. They were both searching for work-related information, and the downloaded content appeared legitimate. Both downloads got past our firewall and IDS/IPS. One attempted to run encrypted PowerShell code and was stopped by our EDR, while the other ran JavaScript that eluded our EDR but was then stopped from downloading the second-stage malware payload by our IPS. Everything else in our security stack missed them both. Per our policy, we reimaged both machines and quickly had them back in production.
Does this mean that our approach is better? Not necessarily. It worked in those two situations, but if next time I am too busy managing all the various vendors and their products, and our lower level of interoperability leads to a breach, then the other approach might be better. The choice between these approaches depends on the agency's circumstances, resource availability, and risk tolerance. Striking a balance between the two involves weighing the costs and benefits and committing to your choice. In the ever-evolving landscape of cybersecurity, adaptability, constant evaluation, and dedication are key to maintaining a robust defense posture. My advice: weigh the costs and benefits of both approaches, figure out what works best for you, and commit to it.
Good luck and keep fighting the good fight!