Defense in Depth - A Primer

June 14, 2019

By: Jerry Horton, Technology Director

“Defense in depth,” what exactly does this mean? Is it a new cheat code for Fortnite? A military strategy developed for action movies? An advertising buzzword phrase to entice you into spending more money?

The answer is far simpler and less sinister. Simply put, defense in depth is a security engineering concept used when designing systems, whether the system is computer-based or physical. The idea is to identify the most likely weaknesses and attack points and then build protections around them. A great way to think of a system built with defense in depth is to envision a medieval castle.

As you look at the picture to the top right*, you see several features that protect the occupants and fend off invaders. The round towers provide a 360° view of all approaches. The barbican (that’s the gate out in front of the moat) gives the defenders a location to identify and repel attackers before they can reach the castle. The moat and the drawbridges control access to the castle and separate it from the surrounding countryside. The battlements (the top part of the surrounding wall) provide troops with a sure and solid footing to maintain a defense without exposing themselves to danger. These features, together with several others, provided King Jerry and his adoring subjects with defense in depth – an attack on any one part of the castle would not endanger the whole.

Modern networks are like a medieval city: there are far too many points of possible attack to be defended by a single system. The days of making sure you’ve updated your anti-virus and calling it good are long gone. Today, you have to consider viruses, phishing, denial-of-service, social engineering, mobile devices, cloud computing…the list goes on and on! To begin building your castle defenses, here are a few suggestions:

  1. Identify what you need to protect
    Your first task is to figure out what you’ve got, where it’s at, and who uses it. This sounds like an oversimplification, but the truth is you will not understand what defenses to build until you know what you’re trying to defend! You have computers and probably a server, but that is only the beginning. Do you have a wireless network? Mobile phones and tablets? Do you use cloud-based services, like Office 365? These systems house part of your data and have their own unique security needs.
  2. Protect against the most common threats
    In the Middle Ages, kingdoms had to worry about roving groups of bandits, contentious neighbors, and international kingdoms who wanted to acquire resources. History is repeating itself: cybercriminals are in a perpetual state of war to get your data and resources using malware, social engineering, and brute force. Build your basic castle walls with anti-malware on every device, including servers and mobile devices, a business-grade firewall, and a well-designed backup as your castle keep when the outer walls fail. Other protections include enforcing strong password discipline, requiring secure VPN access to your network from mobile devices, and educating your staff on cybersecurity.
  3. Detect threats before they become a problem
    Just as a medieval castle wasn’t simply a wall and a locked gate, you can’t rely on simple protective measures to keep your data secure. Castles had lookouts and patrols to help defend the kingdom. Fortunately, you don’t have to employ knights and provide for their horses! Deploy a secure business-grade wireless network, enable unified threat detection on your business-grade firewall, implement advanced endpoint protection on your computers and servers, use a robust email security service to reduce or eliminate phishing attempts, and perform regular security reviews. If your business has requirements to comply with regulations, you will want to consider even more stringent security policies and measures, including a Security Information and Event Manager (“SIEM”) and possibly Mobile Information Management.

The royalty of the Middle Ages knew their world was dangerous and that doing one or two things was not enough to keep their kingdoms safe. They built complex systems of defense to avoid disaster. Likewise, our digital kingdoms are at risk and should require a similar level of diligence. For more information on how to become Sir Lancelot for your organization, contact our legion of security knights at Networks Plus!

*Castle Features - https://www.tes.com/lessons/HXqtwMKFUnRWcA/copy-of-identifying-the-featu...