Defence in Depth

In this blog, CyberLab CEO Gavin Wood explains what defence in depth stands for and whether it’s a valid approach nowadays. He covers:

    • What is defence in depth?

    • The different layers

    • Is this still a valid approach?

Defence in Depth (DiD) – is this still a valid approach to Information Security? The short answer to this question is ‘Yes’, but there is a lot more to discuss behind this seemingly simple answer.

What is defence in depth?

Simply put, defence in depth is a layered approach to security with layers of controls built up to protect the core. The core could be the data/systems/users/IP you are trying to protect.

The different layers

I tend to visualise this approach as the layers of an onion.

The outer layers perform initial broad protection and could include elements of Cyber Essentials (+) and Penetration Testing, looking for and closing any weaknesses in the security architecture. Regular assessments are essential to ensure continued protection and validation that all your other controls are working.

As the next layer, we might include:

Cloud gateway technology that controls access to your systems and networks and filters out threats before they reach your critical systems.

“Nearly all incidents of the devastating new form of malware called ransomware are triggered by phishing links.”

Source: Verizon

Email gateway services that filter out Spam, Phishing and malicious content before these even hit your systems.

Web filtering would also be an excellent recommendation at this level, because web proxy services, both cloud and on-premises, filter out threats before they hit your organisation.

I would also include network edge solutions in this layer. That would consist of next-generation firewalls protecting the systems and networks that sit “behind” them, such as offices, core networks, data centres etc., but would also safeguard cloud solutions through the implementation of cloud-based firewall solutions and/or Firewall as a Service (FWaaS).

Moving inwards, the next layer would consist of protecting your devices. This layer aims to ensure devices are hardened, patched, and have appropriate endpoint protection installed. If a threat makes it through the outer layers, the device (laptop, desktop, server or mobile) should have enough protection to defend itself.

Next-gen endpoint protection includes powerful capabilities to stop threats. With the newer security standards, including EDR/XDR capabilities, you can proactively threat hunt across your estate and find and stop any issues before they do any damage.

This layer would also facilitate the latest trends in IT security, such as Zero Trust Network Access – a “trust-no-one” approach. Conditional network access based on user, location, device health and endpoint status can all be used to verify the device and allow access.

Device and data encryption would also play their part at this level. If data is encrypted, it is much harder for threat actors to take advantage of it.

One of the most important layers is the human. All your controls will only be as strong as the weakest link, and if your people are not playing their part in your IT security posture, then all of the other layers are mostly pointless.

Protecting the human layer might include educating your users on phishing, social engineering and password hygiene. It would also include phishing tests and enforced long, complex passwords that can be remembered but not easily guessed. Enable multifactor authentication (MFA) for as many services as possible. MFA is one of the most critical elements of user security and provides vital protection for devices and services.

The final layer, I believe, would be the protection of your core data. If a threat is going to breach all the outer defences, how can you continue to operate?

Recovery. Being able to recover from an attack or ransomware outbreak is going to be key to survival. Complete and comprehensive Disaster Recovery (DR) and Business Continuity (BC) procedures that are tested and validated are crucial to any business operation. For example, if you were to have a ransomware outbreak, what would you do? Pay the ransom and hope you can recover, or wipe the machines and restore them from protected, up-to-date backups? I know which I would rather do.

Is it still valid?

Given all the changes to modern IT infrastructures, Defence in Depth can sometimes seem like an outdated approach to IT security. The distributed nature of the way we work today, where the crown jewels are not always wrapped up in a data centre at the core of your network, doesn’t seem to lend itself to this approach.

However, I would argue strongly that a layered approach to security is key. Elements of this theory can be applied to networks of all types and structures and incorporate all of the most up-to-date security trends such as SASE, ZTNA, FWaaS. The logical implementation of layered controls becomes a framework to ensure the basics are covered and protection is applied at all levels of your infrastructure.

Having a structured framework to work towards allows the whole business to understand how the security controls you are putting in place secure your business, and shows a wide audience how risks and threats can be mitigated. Coupled with a programme of continuous improvement, including real-world testing (penetration testing / red teaming), this will ensure you are as protected as possible in today’s fast-paced and ever-changing threat landscape.
