Cybersecurity Defense in Depth: Stop 7 Fatal Vulnerabilities


Cybersecurity defense in depth is needed in today’s threat landscape. Cyber criminals routinely bypass firewalls to gain access to an organization’s networks and sensitive data, so a single perimeter control is never enough.

A bank in Delhi lost ₹5 crore because it relied on a firewall as its only line of defense and had no internal safeguard once that firewall was bypassed.

This guide covers the 7 major elements of layered security, how to implement each one, examples of enterprise use cases in India, and best practices for detection and response.

By the end you will understand the principles of layered security, know how to implement it, and be able to design detection and response plans and a layered security strategy for your own organization: one that forces an attacker to defeat several independent layers of defense before reaching anything of value.

What is Cybersecurity Defense in Depth: Core Strategy

Defense in depth replaces the old belief that one firewall was enough to protect a network. Instead, it uses many different security controls that work together in a layered approach: if an attacker gets through layer 1, the remaining layers still stand between them and your data.

A single firewall is a single point of failure: once it is bypassed or misconfigured, nothing else stands in the attacker’s way.

Multiple layers (defense in depth) provide several barriers, each independent of the others, so one failure does not cascade into a full compromise.

Layered thinking also forces an attack surface analysis for each layer.

Enterprise standard: Never trust the perimeter.

Base knowledge: Understanding the importance of depth over width.

What is different? Most companies build their definition of security around the perimeter. Defense in depth treats the perimeter as something that will eventually fail and layers controls behind it.

Each layer is built around an independent security boundary. If an attacker bypasses the firewall via a phishing email, VPN or endpoint authentication still stands in their way. If the VPN is compromised, network segmentation limits how far they can move inside the network.

Cybersecurity professionals who can design and “think” this way are consistently in higher demand than those who treat security as a single product.

Cybersecurity Defense in Depth Layers: 7-Layer Breakdown

The seven layers used in this guide loosely follow the OSI model: each layer protects against a different set of attack vectors. Treat the mapping as a mnemonic rather than a strict correspondence (authentication, least privilege and data encryption do not sit neatly on any one OSI layer), but cover all seven and you have a control at every stage of a typical breach.

Layer 1 – Physical: Protecting physically with locks, guards, surveillance, and badge access.

Layer 2 – Data Link: Protecting the data link layer with VLAN isolation, port security (802.1X, MAC limiting), and switch hardening.

Layer 3 – Network: Network protection using firewalls and ACLs, IP filtering, and DDoS mitigation.

Layer 4 – Transport: Protecting the transport layer through TCP/UDP validation, rate limiting, and protocol enforcement.

Layer 5-6 – Session/Presentation: Protecting the session and presentation layers with TLS encryption, certificate validation, and protocol hardening (disabling legacy protocol versions and TLS compression).

Layer 7 – Application: Protecting applications with web application firewalls, API gateways, and behavioral analytics.

Layer 8 – Data: Protecting the data itself, beyond anything in the OSI model, through encryption at rest, database activity monitoring, and data loss prevention.

In practice: a SQL injection attack targets layer 7 (the application). In a properly designed defense-in-depth architecture the application rejects malformed input and passes user data to the database only through parameterized queries, database activity monitoring flags the unusual query if one gets through, and encryption at rest with separately managed keys means any data that is extracted is unreadable.

The truth of implementation: organizations that use all seven layers suffer far fewer successful breaches than organizations that rely solely on single-layer firewall protection, because one failed control no longer means a complete compromise.

The banking industry is the example most often used to illustrate this.

Physical Layer Controls in Cybersecurity Defense in Depth

Physical access defeats most software controls: an attacker holding a device can bypass logins, pull the disks and image them at leisure. Protecting devices physically therefore comes before any defense against remote access.

Perimeter defense: fences/barriers, camera systems, motion detectors.

Building access: proximity card readers, biometric access, on-site security personnel.

The server room: locked cages, environmental (temperature and humidity) monitoring, and access logs that record who entered and when.

Securing devices: cable locks securing devices to desks, BIOS/UEFI passwords with a locked boot order, and full-disk encryption.

Destruction methods: document shredders, and degaussing or physically destroying hard drive media before a device is reused, recycled or disposed of.

Real-life example – a tech company in Bangalore, India was burglarized and a group physically carried off its servers. Because the disks were fully encrypted and could not be booted without biometric pre-boot authentication, no data was exposed. A BIOS password alone would not have helped: it does nothing for a disk pulled out of the chassis.

Your task: walk around your office and identify at least five physical security gaps. Defense in depth means fixing ALL of them, not just the most obvious one.

Network Segmentation: Defense in Depth Implementation

Separating the network into zones with firewall policies enforced between them, rather than one policy at the edge, is where firewalls deliver most of their value. The building blocks:

VLANs (Virtual Local Area Networks) – a method of network segmentation that separates departmental networks at layer 2.

DMZ (Demilitarized Zone) – a buffer zone so that a compromised public-facing server cannot reach the internal network directly.

Microsegmentation – per-workload or per-host policy that prevents an attacker’s lateral movement from one host to another, even inside a VLAN.

Jump servers – hardened, monitored hosts that are the only permitted path into sensitive segments, requiring an additional authentication step (normally MFA) before access.

Internal firewalls – enforce the policies between network segments.

Ransomware example: when an attacker infects a laptop in the marketing VLAN, a network with no internal segmentation lets the ransomware spread to every department and database within minutes. With segmentation, the attacker can reach only the marketing department’s resources, and the blast radius stops there.

Large enterprises, banks in particular, implement this with dozens of VLANs and multiple layers of authentication in front of critical database systems: the databases sit several network hops (a common target is at least five) from the Internet, and each hop requires a different authentication step with a different credential.
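The zone policy described above, as an added example (not code from the original page): a zone-to-zone allow-list evaluated the way an internal firewall evaluates a flow, with a default drop, plus a renderer that emits the same policy as an nftables forward chain. The zone names, prefixes and ports are constructed for illustration.

```python
"""Added example: a zone-to-zone allow-list checked the way an internal firewall
would check it.  Zone names, prefixes and ports are constructed for illustration."""
import ipaddress

# Constructed address plan: one prefix per VLAN/zone (assumption, not a real network).
ZONES = {
    "internet":  ipaddress.ip_network("0.0.0.0/0"),
    "dmz":       ipaddress.ip_network("10.10.0.0/24"),
    "marketing": ipaddress.ip_network("10.20.0.0/24"),
    "finance":   ipaddress.ip_network("10.30.0.0/24"),
    "jump":      ipaddress.ip_network("10.40.0.0/28"),
    "database":  ipaddress.ip_network("10.50.0.0/24"),
}

# Explicit allow-list of (source zone, destination zone, TCP port).
# Anything not listed is dropped: that default is what stops lateral movement.
ALLOW = {
    ("internet",  "dmz",      443),   # public web tier only
    ("marketing", "dmz",      443),
    ("finance",   "dmz",      443),
    ("dmz",       "database", 5432),  # web tier talks to the database, nothing else does...
    ("finance",   "jump",     22),    # ...except admins, and only via the jump server
    ("jump",      "database", 5432),
}


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (0.0.0.0/0 is the fallback)."""
    addr = ipaddress.ip_address(ip)
    matches = [name for name, net in ZONES.items() if addr in net]
    return max(matches, key=lambda name: ZONES[name].prefixlen)


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide a single TCP flow the way the inter-VLAN firewall would."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True          # same VLAN; microsegmentation would tighten this further
    return (src, dst, dst_port) in ALLOW


def nftables_ruleset() -> str:
    """Render the same policy as an nftables forward chain with a drop default."""
    lines = ["table inet segmentation {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for src, dst, port in sorted(ALLOW):
        s, d = ZONES[src], ZONES[dst]
        saddr = "" if s.prefixlen == 0 else f"ip saddr {s} "
        lines.append(f"    {saddr}ip daddr {d} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # A ransomware-infected marketing laptop trying SMB into finance, or reaching for
    # the database directly, is dropped; the sanctioned admin path via the jump host passes.
    print(is_allowed("10.20.0.5", "10.30.0.7", 445))    # False
    print(is_allowed("10.20.0.5", "10.50.0.10", 5432))  # False
    print(is_allowed("10.40.0.2", "10.50.0.10", 5432))  # True
    print(nftables_ruleset())
```

The point of the allow-list being a set rather than a list of exceptions is that the policy is default deny: a new VLAN gets no reachability until someone writes a rule for it, which is the property the ransomware example depends on.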

Application-Level Protection in Cybersecurity Defense in Depth

Because attackers typically compromise systems through their applications, several layers of defense should sit in front of and inside the application to stop them before they can harm your business.

A web application firewall (WAF) filters known attack patterns such as SQL injection and cross-site scripting (XSS) before they reach your application. It is a first filter, not a fix: WAF rules can be bypassed, so the application must still defend itself.

API rate limiters slow brute-force and credential-stuffing attempts against your API.

Input validators reject malformed input before it reaches your business logic or database.

Output encoders prevent stored XSS from being rendered as markup in your users’ browsers.

Behavioral analytics let you monitor for unusual access patterns.

At the code level, developers should validate every field, pass user data to the database only through parameterized (prepared) statements so the database never interprets it as SQL, encode data on output, and transmit everything over TLS. All of these controls operate on the same request, so a single attack has to defeat every one of them.
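The three in-code controls just described (validation, parameterized queries, output encoding), and the SQL injection scenario from the layer breakdown earlier, as an added example that is not code from the original page. It uses Python’s standard-library sqlite3 driver; the table, rows and the username rule are constructed for illustration, and the vulnerable function is deliberately vulnerable.

```python
"""Added example: the same lookup written the vulnerable way and the layered way.
The schema, rows and username rule are constructed for illustration."""
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")   # assumed username policy


def make_db() -> sqlite3.Connection:
    """In-memory table; one row already carries a stored-XSS payload as its name."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("<script>alert(1)</script>", "user")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list[tuple]:
    """Deliberately vulnerable: user input is pasted into the SQL text."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def validate_username(name: str) -> bool:
    """First control: reject anything that is not a plausible username."""
    return USERNAME_RE.match(name) is not None


def lookup_safe(con: sqlite3.Connection, name: str) -> list[tuple]:
    """Second control: a parameterised query, so the driver passes name as data, never as SQL."""
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_row(row: tuple) -> str:
    """Third control: encode on output, so stored data cannot become markup in the page."""
    name, role = row
    return f"<li>{html.escape(name)} ({html.escape(role)})</li>"


def lookup_layered(con: sqlite3.Connection, name: str) -> list[str]:
    """All three controls on one request path.  Each alone would stop one of the two
    attacks shown below; together they are defence in depth for a single form field."""
    if not validate_username(name):
        raise ValueError("invalid username")
    return [render_row(row) for row in lookup_safe(con, name)]


if __name__ == "__main__":
    con = make_db()
    payload = "' OR '1'='1"
    print(lookup_vulnerable(con, payload))   # every row leaks
    print(lookup_safe(con, payload))         # [] : the payload is just a name that does not exist
    print(render_row(("<script>alert(1)</script>", "user")))
```

Note that output encoding is still needed even though validation rejects the script tag on input: the poisoned row may have been written by a different code path, an import, or an older version of the application, which is exactly why the controls are layered rather than chosen between.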

As a practical task, review any web form you use and count how many independent layers of defense protect each field (validation, parameterization, output encoding, WAF, rate limiting, transport encryption). A well-built application has several, not one.

Monitoring & Detection: Active Defense in Depth

Passive defenses slow attackers down; active monitoring detects and stops them. Monitoring from a defence in depth perspective means watching all seven layers at the same time and correlating what they report.

SIEM (Security Information and Event Management) collects logs from every layer and correlates them into attack patterns

Network IDS inspects network traffic for known signatures and anomalous behaviour

EDR monitors endpoints for malware, persistence and privilege escalation

Database Activity Monitoring (DAM) flags unusual queries and bulk reads against the database

Industry statistics consistently show that organisations with layered, correlated monitoring detect a breach in hours or days, while organisations relying on a single monitoring source often take months to notice one.

Your metric: measure time to detect. Decide how long an attacker may remain undetected inside your network before you count the monitoring layer as failed, and test against that number. Minutes, not days, is the target for defence in depth monitoring.
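A minimal correlation rule of the kind a SIEM runs over authentication logs, written here as an added example (not code from the original page) so the time-to-detect metric above has something concrete behind it. The sshd-style log lines are constructed, not captured from a real host; the threshold and window are assumptions.

```python
"""Added example: a small correlation rule of the kind a SIEM or log pipeline runs.
The log lines below are constructed, not captured from a real host."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd-style lines with an ISO timestamp prefix (constructed sample, one attacker IP).
SAMPLE_LOG = """
2024-05-01T09:58:00 sshd[2200]: Failed password for invalid user admin from 203.0.113.9 port 5210 ssh2
2024-05-01T10:00:01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 5221 ssh2
2024-05-01T10:00:03 sshd[2212]: Failed password for root from 203.0.113.9 port 5222 ssh2
2024-05-01T10:00:04 sshd[2213]: Accepted publickey for alice from 10.20.0.5 port 48122 ssh2
2024-05-01T10:00:05 sshd[2214]: Failed password for invalid user oracle from 203.0.113.9 port 5223 ssh2
2024-05-01T10:00:06 sshd[2215]: Failed password for bob from 198.51.100.7 port 61002 ssh2
2024-05-01T10:00:07 sshd[2216]: Failed password for deploy from 203.0.113.9 port 5224 ssh2
2024-05-01T10:00:09 sshd[2217]: Failed password for deploy from 203.0.113.9 port 5225 ssh2
2024-05-01T10:00:12 sshd[2218]: Accepted password for deploy from 203.0.113.9 port 5226 ssh2
""".strip().splitlines()

LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Flag an IP with >= threshold failures inside window, and any login that then
    succeeds from that IP.  Each alert carries the time-to-detect since the first failure."""
    failures: dict[str, deque] = defaultdict(deque)
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:     # slide the window forward
            recent.popleft()
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) == threshold:               # fire once per burst
                alerts.append({"kind": "brute_force", "ip": ip, "at": ts,
                               "latency": ts - recent[0]})
        elif len(recent) >= threshold:                 # success right after a burst of failures
            alerts.append({"kind": "brute_force_success", "ip": ip, "user": m["user"],
                           "at": ts, "latency": ts - recent[0]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["kind"], a["ip"], a.get("user", ""), "detected after", a["latency"])
```

The first alert fires eight seconds after the burst starts; the second, a success from the same address, is the one that should page someone, because it is the point at which the attacker has a foothold and the clock for lateral movement starts. The 09:58 failure from the same IP falls outside the window and does not count, which keeps the rule from triggering on slow, legitimate typos.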

Zero Trust Architecture: Modern Defense in Depth Evolution

Zero Trust takes the principle of defense in depth and adds continuous verification. Trust is never granted once and remembered: every connection is verified when it is made, verified again when it reconnects, and checked at each layer of defense in depth.

Being on the internal network must never be a blanket grant of trust; every connection inside the network is verified too.

Each user gets only the access needed to perform their job, and that minimum is called least privilege access.

Zero Trust relies on microsegmentation throughout: a newly connected system cannot communicate with any other system by default, and every permitted path between systems is explicitly defined.

The goal of Zero Trust is to build your security infrastructure on the assumption that your network has already been breached, so every process and control is designed as if the attacker were already inside.

Implemented this way, Zero Trust aligns the layers of defense in depth with one another: an access decision at the network, transport or application layer is made by the same policy (verified identity, device posture and least privilege), regardless of where the request comes from.
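A policy decision point that makes the “same policy at every layer” idea concrete, added here as an example (not code from the original page). The resources, roles and MFA freshness limits are constructed; the point to notice is that the request’s source zone is recorded but never consulted, so an internal address earns nothing.

```python
"""Added example: a per-request Zero Trust policy decision.  Resource names, roles
and freshness limits are constructed; network location is deliberately not an input."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AccessRequest:
    user: str
    roles: frozenset
    device_compliant: bool      # e.g. disk encrypted, EDR running, patched
    mfa_at: datetime            # when the user last completed MFA
    now: datetime
    resource: str
    source_zone: str            # logged for forensics only; never grants anything


# Constructed policy: who may reach what, and how fresh their MFA must be.
# Every resource requires a compliant device; unlisted resources fall through to default deny.
POLICY = {
    "crm":        {"roles": {"marketing", "sales"}, "mfa_max_age": timedelta(hours=8)},
    "finance-db": {"roles": {"finance-dba"},        "mfa_max_age": timedelta(minutes=15)},
}


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate every check on every request; the first failing check denies."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "no policy for resource: default deny"
    if not (req.roles & rule["roles"]):
        return False, "role not permitted"
    if not req.device_compliant:
        return False, "device not compliant"
    if req.now - req.mfa_at > rule["mfa_max_age"]:
        return False, "MFA too old: re-authenticate"
    return True, "allow"


def scenarios() -> dict:
    """Worked cases: the same user on the same 'trusted' VLAN gets different answers,
    and a correctly verified user is allowed even from the Internet."""
    now = datetime(2024, 5, 1, 10, 0)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(minutes=30)
    mkt = frozenset({"marketing"})
    dba = frozenset({"finance-dba"})
    return {
        "marketing_to_crm":        decide(AccessRequest("priya", mkt, True, fresh, now, "crm", "internal")),
        "marketing_to_finance_db": decide(AccessRequest("priya", mkt, True, fresh, now, "finance-db", "internal")),
        "dba_stale_mfa":           decide(AccessRequest("arun", dba, True, stale, now, "finance-db", "internal")),
        "dba_noncompliant_device": decide(AccessRequest("arun", dba, False, fresh, now, "finance-db", "internal")),
        "dba_fresh_from_outside":  decide(AccessRequest("arun", dba, True, fresh, now, "finance-db", "internet")),
        "unknown_resource":        decide(AccessRequest("arun", dba, True, fresh, now, "hr-portal", "internal")),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:26} -> {outcome}")
```

Because the decision is a pure function of identity, role, device state and MFA freshness, the same `decide` can sit behind the VPN gateway, the internal firewall’s identity-aware rules and the application’s authorization check, which is what keeps the layers consistent instead of each inventing its own notion of trust.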

Modern enterprise security architectures treat Zero Trust as a required element rather than an option. It raises upfront security cost, but it sharply reduces the cost of the breaches it contains.

Real-World Examples: Cybersecurity Defense in Depth Success

Theory is meaningless without real-world enterprise results to show for it. Here are examples of how defense in depth stopped real breaches.

Mumbai-based investment bank: an attacker got past the firewall but was stopped at the next layer by VPN authentication.

Bangalore-based Startup: Ransomware was used to encrypt the user’s files, however, the Network Segmentation prevented the spread to the Database.

Government of Delhi: Credential theft was unsuccessful because the Jump Server required Biometric Authentication.

Fintech company in India: attempted data theft was stopped because the database was encrypted at rest and the attacker never obtained the keys.

Chennai healthcare: Insider Threat contained through Behavioral Analytics.

The common thread: in every case the outer layers (perimeter or endpoint) were breached. Defense in depth then prevented lateral movement through segmentation and authentication, and encryption rendered any stolen data worthless.

Your key takeaway is to operate under the assumption that your perimeter will be breached, and to build “defense-in-depth” such that it will cost the hacker so much time and resources that they will be detected before reaching any high-value data.

Common Failures in Cybersecurity Defense in Depth Implementation

In general, most organizations claim to have implemented defense in depth, yet many actually run a single-layer solution with some decoration around it. Listed below are the most common failures in defense in depth strategies:

  1. Firewall Centric Approach – No internal segmentation and no microsegmentation.
  2. Unencrypted Data – Data is visible to anyone having access to the network.
  3. No Monitoring for Breaches – Breaches occur without warning and may go undetected for months.
  4. Lack of Response Plan – If you can detect a breach but have no means to respond, you will waste time.
  5. Outdated Authentication – Using only usernames and passwords, with no multi-factor or biometric authentication, leaves every account one phished password away from compromise.

Red Flag: If your organization designates one individual to be “responsible for security,” your organization does not have a true defense in depth program; All seven layers of defense require a consistent and cohesive approach by a dedicated team.

Budget reality: defense in depth typically costs two or three times more to implement than a single-layer solution, but saves five to ten times that in breach recovery costs. CFOs recognize the value of a defense in depth program once the ROI calculation is laid out.

Cybersecurity Defense in Depth: Your Questions Answered

1. What is the primary goal of cybersecurity defense in depth?

Stop breaches at multiple layers instead of trusting single barrier. If one defense fails, 6 others continue protecting your data.

2. How many layers should cybersecurity defense in depth implementation include?

Minimum 5 layers (physical, network, application, data, monitoring). Enterprise standard is 7-8 layers for critical infrastructure.

3. Can cybersecurity defense in depth completely prevent all breaches?

No. It sharply reduces the rate at which attempted breaches succeed, but perfect defense doesn’t exist; depth reduces risk to an acceptable level and limits the damage when something does get through.

4. What’s the relationship between defense in depth layers and OSI model?

Loosely. This guide maps its layers onto the OSI model, physical through application, so that each OSI layer gets security controls aligned to the attack vectors at that level. Data, identity and monitoring controls sit above and across the stack rather than on any one OSI layer.

5. How does network segmentation strengthen cybersecurity defense in depth?

Segments isolate compromised areas. Attacker in marketing VLAN can’t reach finance databases – lateral movement blocked by internal firewalls.

6. Which defense in depth layers matter most for stopping ransomware?

Layers 2 (segmentation) and 7 (behavioral detection and EDR). Ransomware spreads laterally: segmentation limits how far it can go, and EDR catches the mass encryption on the endpoint.

7. How do firewalls fit into cybersecurity defense in depth architecture?

Firewalls provide Layer 3-4 perimeter control, but defense in depth needs internal firewalls too. Multiple firewalls across layers = true depth.

8. What role does encryption play in cybersecurity defense in depth?

Encryption at rest in the data layer makes stolen data worthless: even if an attacker reaches the database, the data is unreadable without the keys, which is why keys must be managed separately from the data. Encryption in transit (layers 5-6) stops data being read on the wire.

9. How should cybersecurity defense in depth handle insider threats?

Behavioral analytics (Layer 7), least privilege access enforced at every layer, and audit logging at the data layer. Detection matters more than prevention here.

10. Can small businesses implement cybersecurity defense in depth effectively?

Yes, at reduced scale. Start with 4 layers: firewall, segmentation, encryption, monitoring. Scale as budget allows.

11. What monitoring tools support cybersecurity defense in depth?

SIEM aggregates all layer logs, IDS monitors network, EDR watches endpoints, database monitoring flags suspicious queries.

12. How does Zero Trust improve cybersecurity defense in depth?

Zero Trust verifies every access at every layer, continuously. Defense in depth assumes the perimeter will be breached; Zero Trust assumes no request is trustworthy until it has been verified, wherever it comes from.

13. What’s the cost difference between single-layer vs cybersecurity defense in depth?

Defense in depth costs 2-3x more upfront but saves 5-10x on breach costs. Single breach averages ₹10+ crores in India.

14. How often should cybersecurity defense in depth controls be tested?

Monthly for critical controls, quarterly for full architecture. Penetration testing validates all 7 layers annually minimum.

15. Can cybersecurity defense in depth work across cloud and on-premises?

Yes, hybrid defense in depth applies same layer principles to cloud. VPC (Layer 3), load balancers (Layer 4), WAF (Layer 7) in cloud.

16. What’s the difference between defense in depth and defense-in-width?

Width = many controls at the same layer. Depth = controls at every layer. Width adds redundancy at one stage; depth means an attacker must defeat a different control at every stage, which is why it stops attacks that width alone would miss.

17. How does cybersecurity defense in depth prevent privilege escalation?

Multiple layers prevent it: least privilege on every account and service, behavioral monitoring at Layer 7, and audit logging at the data layer to catch attempts.

18. Which industries must implement cybersecurity defense in depth?

Banking, healthcare, government, energy mandatory. All handling sensitive data should deploy full defense in depth architecture.

19. How does incident response fit into cybersecurity defense in depth?

Detection triggers response procedures immediately. Defense in depth + fast response = breach containment in minutes rather than hours.

20. What’s your next step to implement cybersecurity defense in depth?

Audit current layers (which do you have?), identify gaps, create implementation roadmap starting with monitoring and segmentation first.

You’ve mastered defense in depth thinking, the architecture that separates security professionals from technicians. From physical locks through behavioral analytics, you understand how seven independent layers work together, stopping breaches at every stage.

Master more cybersecurity architecture:
CodingJourney.co.in |
CodingJourney Sulekha
