Mastering Defense in Depth: A Comprehensive Guide for Cybersecurity
One of the hardest things about cyber is that no measure is 100% effective forever — which makes defense in depth one of the essential cybersecurity frameworks.
Why is that? And what is defense in depth? Let’s quickly cover the basics.
Business growth makes cyber defense tough
As your business grows, it interacts with new systems. These interactions generate more and more data. So you’re sitting on valuable information, and you’re also more exposed, as your attack surface area increases.
Now, are bad actors going to sit back and let you cruise through cyber-growing pains? Of course not. They’ll try to find and exploit your weaknesses as soon as possible.
Let’s pretend for a moment that one of these bad actors gets through your first layer of security. Wouldn’t it be great to have another layer? How about three more, all strategically positioned to stop a variety of attacks?
In a nutshell, that’s defense in depth. But let’s dig deeper.
What does defense in depth mean in cybersecurity?
Defense in depth is a military term dating back to the Roman Empire. At first glance, the modern wonders of cyberspace may not seem related to phalanx formations and iron-tipped javelins. But cybersecurity pros know a great strategy when they see one.
In fact, defense in depth is so crucial to cybersecurity that the CSRC at NIST — that’s the Computer Security Resource Center of the National Institute of Standards and Technology — has a definition:
The application of multiple countermeasures in a layered or stepwise manner to achieve security objectives. The methodology involves layering heterogeneous security technologies in the common attack vectors to ensure that attacks missed by one technology are caught by another.
Got all that? It’s a great definition, but it’s got a lot of the typical cyber jargon. So let’s simplify it into a single sentence, also found in our Cyber 101 section:
Using multiple layers (and different types) of cyber defenses to stop an attack. If one fails, another is there to help prevent the attack from succeeding.
OK, that’s better. But what does it mean in practice? How can you do it? Let’s dive in.
The 3 layers of a defense in depth security strategy for SMBs
Before moving on, let’s consider who needs to strictly adhere to the principles of defense in depth. That may seem contradictory. Isn’t the point that everyone needs multiple layers of cyber defense?
Yes, but defense in depth is table stakes for large organizations. It wasn’t always like that; there have been enough big, publicly known breaches to indicate that a handful of giant companies didn’t get serious about cyber until they suffered an attack. But nowadays, big organizations make cyber a big-budget priority.
For better or worse, those massive breaches are part of the reason cybersecurity has dramatically improved for everyone. This is why companies run by solopreneurs can often get away with basic security from their service providers or Software-as-a-Service (SaaS) partners. Their operations aren’t seductive or expansive enough to be focused targets of prominent cyber bad actors.
But in the middle is the sweet spot: SMBs with 2 to 250 employees. These are companies that need to get serious about cyber but have to be smart and strategic, sometimes from the ground up.
For SMBs, a defense in depth security strategy involves three levels of control: technical, administrative, and physical.
1. Technical controls
Technical controls secure your computer systems. If you’ve got a computer and a server, a bunch of software, and a network, then you need to protect them at the technical level.
2. Administrative controls
Administrative controls are your cybersecurity policies and procedures. For instance, employee cybersecurity training is critical, given that humans are still the easiest target for malicious actors.
3. Physical controls
Physical controls involve protecting everything that can be touched. Simple stuff, like remembering that your most valuable hardware shouldn’t be in a dinky back office with a missing door handle.
Speaking of doors . . .
Defense in depth cybersecurity is like home security
The best way to understand defense in depth is to imagine that you have a home. How do you keep it secure?
Allow us to introduce 4 guiding principles and show how they all pertain to network security (the act of securing your company’s computer network).
1. Lock your doors
First guiding principle: Don’t make it easy for anyone to enter. Install locks on all your doors (and windows). When you leave, lock everything, doors and windows. Locks are a reliable security technology — they’ve been around for thousands of years. But they only work if you remember to, you know, lock them.
For network security, this translates to having various forms of access control in place, such as firewalls, endpoint protection, and attack surface management.
2. Limit access
Second guiding principle: Limit the people who have access to your home. Want to make your locks more secure? Limit legitimate access to them. Who gets your spare key? Probably a small number of people, like nearby family, close friends, or trusted neighbors.
This is akin to using Role-Based Access Control (RBAC) for network security, which involves setting permissions and privileges so that only authorized users get access. RBAC gives employees varying levels of access based on their roles and responsibilities, and it is designed to protect sensitive information or data.
3. Have a backup plan
Third guiding principle: Have backup plans. What if an intruder breaks the lock? No problem — your home security system beeps loudly and automatically calls the authorities.
Still, the crook wants to grab anything in sight. It doesn’t work — your valuables are hidden away, not on your dining room table. Actually, didn’t you move them to a safety deposit box last month?
Now it’s a week after the break-in. You want to deter intruders, so you put a security sign outside your home and install a camera and motion sensor detector outside the front door.
For network security, this is having a data backup and recovery plan. It also encompasses elements of data segmentation (grouping your data into separate segments, some of which might sit in different physical locations) to help with access control and security. Finally, it touches on using early threat detection and deterrence (concepts we are working hard to write articles on).
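As an added illustration (not code from the original article), here is how the layers described under principles 1 to 3 can be composed in software: network access control, RBAC, and data segmentation are each an independent check, and a request succeeds only if every layer allows it, so a weak or misconfigured layer does not on its own let a request through. The roles, networks, data segments and requests are all constructed for the example.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    src_ip: str
    segment: str   # which data grouping is being touched, e.g. "hr" or "public"
    action: str    # "read" or "write"


# Layer 1 ("lock your doors"): network-level access control, a constructed allowlist.
TRUSTED_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)


def network_layer(req: Request) -> bool:
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


# Layer 2 ("limit access"): RBAC, each constructed role maps to the (segment, action)
# pairs it may use. Unknown roles map to an empty set, so the default is deny.
ROLE_PERMISSIONS = {
    "hr_staff": {("hr", "read"), ("hr", "write"), ("public", "read")},
    "employee": {("public", "read")},
}


def rbac_layer(req: Request) -> bool:
    return (req.segment, req.action) in ROLE_PERMISSIONS.get(req.role, set())


# Layer 3 (data segmentation): writes to sensitive segments are only accepted from the
# constructed management subnet, even for a role that is otherwise permitted.
SENSITIVE_SEGMENTS = {"hr"}
MANAGEMENT_NET = ipaddress.ip_network("10.10.0.0/16")


def segmentation_layer(req: Request) -> bool:
    if req.segment in SENSITIVE_SEGMENTS and req.action == "write":
        return ipaddress.ip_address(req.src_ip) in MANAGEMENT_NET
    return True


DEFAULT_LAYERS = (network_layer, rbac_layer, segmentation_layer)


def authorize(req: Request, layers=DEFAULT_LAYERS):
    """Return (allowed, first_denying_layer). Every layer must agree; a denial is
    also a detection signal worth logging, because it marks a blocked attempt."""
    for layer in layers:
        if not layer(req):
            return False, layer.__name__
    return True, None


if __name__ == "__main__":
    outsider = Request("mallory", "employee", "203.0.113.5", "hr", "write")
    print(authorize(outsider))                                    # denied by network_layer
    print(authorize(outsider, (rbac_layer, segmentation_layer)))  # network layer gone, RBAC still denies
```

Dropping `network_layer` from the tuple simulates the "broken lock" case from the home analogy: the request is still refused by the next layer.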
4. Get help
Fourth guiding principle: It takes a village to defend your home. All your individual measures added up to a lot and protected you from the worst. But if you want to go deeper, you can form a neighborhood association with your community or even hire private security.
By the way, if you have kids, you’ll probably talk to them about security. For instance, what should they do if a stranger knocks on the door? Don’t open it!
Kind of like: What should you do if you get a weird email at work? Don’t open it!
For network security, this largely means developing a robust network of partnerships, participating in industry groups, sharing with law enforcement, and developing training programs for your employees.
See all the similarities between the guiding principles we provided for securing your home and securing your network?
Do you want to use our content for your site or training material, or would you like us to write curated white-label content for you? We can help you! Let’s talk.
A defense in depth strategy is a foundation of cybersecurity
Cybersecurity is never 100% foolproof forever. As bad actors evolve, your defensive measures must keep up with them. Defense in depth is building layers of security: if one fails, another measure is there to meet the threat head-on!
For example, if you have strong technical controls, bad actors won’t even be able to send your employees a phishing email. But if they somehow manage to, you have nothing to worry about. Why? Well, your trained workforce won’t fall prey to it. Or, what if you just updated your software, and it caused a hole in your cyber defense for an hour? Is that a problem? Not at all — your properly trained employees know how to patch the vulnerability.
So that’s defense in depth: a strategic approach that SMBs should really look into. Of course, your specific defense in depth strategy will differ from anyone else’s. It’ll include a variety of well-integrated measures, depending on your needs.
Want help getting started? Email us, and we’ll have one of our experts reach out! Want to keep learning? Why not get a simplified explanation of zero trust, one of the hottest terms in cyber today?