How many times have you heard someone say “We have locks, we don’t need security cameras” or “We have a firewall set up, we don’t need an IDS/IPS or network segmentation”? More often than not, we have heard someone we know say this, or overheard it. When it comes to cybersecurity, whether you are an expert or an amateur, and even though you may have a firewall and an IDS/IPS deployed or antivirus and advanced malware protection installed, you cannot simply assume that you are safe and secure.
IT teams are generally tasked with employing a strong defense-in-depth strategy. This means taking the steps needed to implement prevention, detection, and response controls, all tied together with an active security awareness campaign.
Think of your organization as a castle, then think of defense-in-depth as the high walls, the drawbridge, and the moat full of alligators, all designed to work in unison to protect the castle from intruders.
In order to adequately protect the network and its assets, successful organizations implement a layered, cross-boundary strategy so that even if one or more protective measures fail, other defenses remain in place to protect the environment and the organization. This strategy is typically referred to as “Defense-in-Depth”: an information assurance strategy that provides multiple, redundant, layered defensive countermeasures to protect valuable data and assets in the event that a security control fails or a vulnerability is exploited. If one control fails, another immediately takes its place in an attempt to thwart the attack.
The Defense-in-Depth strategy originates from a military strategy of the same name, whose goal is to delay an attack rather than defeat it outright with one strong line of defense. The same concept applies in cybersecurity: a multi-layered approach can be applied at every level of IT systems, increasing their security and addressing the many different attack vectors a network exposes. Each layer of security introduces complexity and latency, and requires that someone actively manage it.
Protecting your information assets requires a combination of different technologies to create these multiple layers of security. Several security layers provide the means to implement prevention, detection, and response controls; some of the most essential include:
- Firewalls, Web Application Firewalls, System dependent firewalls (Windows Firewall)
- Intrusion Detection Systems / Intrusion Prevention Systems
- Identity and Access Management / Access Control
- Change Management / Patch Management
- Enterprise-wide Antivirus / Antimalware applications
- User Awareness Security Training
Prevention controls are used to stop an attack before it has the chance to start. This can be done in several ways:
- User Awareness Training: training users not to click links in email, open unexpected attachments, visit unsafe sites on the web, download games, music or movies from peer-to-peer (P2P) networks, or allow insecure means of remoting into their machines.
- Configuring firewalls to restrict access.
- Not allowing users to install software on company devices, or to make system-wide configuration or settings changes.
- Only allowing designated IT staff to have admin rights to workstations: malware runs in the security context of the current user, so a user without admin rights limits what malware can do.
- Not allowing users to disable antivirus/antimalware controls.
- Disabling remote desktop connections unless connected through enterprise/company VPN services.
- Enabling browser-based controls and pop-up/ad blockers, screening downloads, and enabling automatic updates.
Detection controls should identify the presence of malware, alert administrators, and potentially prevent the malware from carrying out its attack. Detection needs to occur at multiple levels: the entry point of the network, each host device/workstation, and the file level. Some of the common detection controls include:
- Real-time firewall detection of suspicious network connections, or file downloads
- Both Host-based and Network-based IDS/IPS solutions
- Obtaining a baseline of normal behavior, then reviewing and analyzing firewall, IDS/IPS, operating system, application, network, and antivirus/antimalware logs for Indicators of Compromise (IoCs)
- User Awareness Training to recognize suspicious activity
- Help Desk, or equivalent, training in order to respond to incidents.
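The baseline-then-review step above is easy to describe and harder to picture, so here is an added example (written for this page, not code from SME or from any product named in it) that does it over firewall connection logs. It learns, per source host, which destinations were seen in a known-good window, then reviews a later window and flags three things: connections to addresses on an IoC list, first-seen destinations for a host, and bursts of denied connections. The log format, the hosts and addresses, and the IoC list are all constructed for the example and are not any vendor's format or real indicators.

```python
"""Baseline-and-IoC detection over firewall connection logs.

Added example, not part of the original article. The log format below is an
assumed one:  <timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>
"""
from collections import Counter, defaultdict
import re

# Assumed (constructed) log line format; one record per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed IoC list using documentation ranges; not real indicators.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed "known-good" window used to learn normal behavior per host.
BASELINE_LOG = """\
2024-01-01T09:00:01 ALLOW src=10.0.0.21 dst=192.0.2.10 dport=443
2024-01-01T09:00:05 ALLOW src=10.0.0.21 dst=192.0.2.11 dport=443
2024-01-01T09:01:12 ALLOW src=10.0.0.22 dst=192.0.2.10 dport=443
2024-01-01T09:02:30 ALLOW src=10.0.0.22 dst=192.0.2.20 dport=25
2024-01-01T09:03:00 DENY src=10.0.0.21 dst=192.0.2.99 dport=22
"""

# Constructed window to review; includes a malformed line to show tolerance.
REVIEW_LOG = """\
2024-01-02T10:00:01 ALLOW src=10.0.0.21 dst=192.0.2.10 dport=443
2024-01-02T10:00:09 ALLOW src=10.0.0.21 dst=203.0.113.45 dport=4444
2024-01-02T10:01:15 ALLOW src=10.0.0.22 dst=192.0.2.10 dport=443
2024-01-02T10:01:40 ALLOW src=10.0.0.22 dst=192.0.2.77 dport=443
2024-01-02T10:02:00 DENY src=10.0.0.23 dst=192.0.2.50 dport=445
2024-01-02T10:02:01 DENY src=10.0.0.23 dst=192.0.2.51 dport=445
2024-01-02T10:02:02 DENY src=10.0.0.23 dst=192.0.2.52 dport=445
2024-01-02T10:02:03 DENY src=10.0.0.23 dst=192.0.2.53 dport=445
this line is garbage and should be skipped
"""


def parse(log_text):
    """Yield parsed records as dicts; skip lines that do not match the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def build_baseline(log_text):
    """Learn, per source host, the set of (dst, dport) pairs seen in ALLOWed traffic."""
    baseline = defaultdict(set)
    for r in parse(log_text):
        if r["action"] == "ALLOW":
            baseline[r["src"]].add((r["dst"], r["dport"]))
    return baseline


def review(log_text, baseline, ioc_ips, deny_threshold=3):
    """Return (rule, src, detail) findings for a reviewed log window.

    Rules, in priority order per record:
      ioc_match       - destination is on the IoC list (any action)
      new_destination - allowed connection to a (dst, dport) never seen for this host
    Plus one aggregate rule:
      deny_burst      - a host accumulated >= deny_threshold denied connections
    """
    findings = []
    denies = Counter()
    for r in parse(log_text):
        key = (r["dst"], r["dport"])
        if r["dst"] in ioc_ips:
            findings.append(("ioc_match", r["src"], f"{r['dst']}:{r['dport']}"))
        elif r["action"] == "ALLOW" and key not in baseline.get(r["src"], set()):
            findings.append(("new_destination", r["src"], f"{r['dst']}:{r['dport']}"))
        if r["action"] == "DENY":
            denies[r["src"]] += 1
    for src, n in sorted(denies.items()):
        if n >= deny_threshold:
            findings.append(("deny_burst", src, f"{n} denied connections"))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for finding in review(REVIEW_LOG, base, IOC_IPS):
        print(finding)
```

Run as-is it prints three findings: the IoC hit from 10.0.0.21, a never-before-seen destination for 10.0.0.22, and a burst of four denied connections from 10.0.0.23. The design point is that the baseline is learned only from allowed traffic in a window you trust; a denied connection in the baseline window (the SSH attempt from 10.0.0.21) is deliberately not treated as "normal", and the IoC check takes precedence over the baseline check so a known-bad destination is never reported merely as "new".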
Employ multiple layers, avoid duplication, and use common sense.
SME provides fully managed security solutions including Firewalls, Virtual Private Networks, Remote Access and Intrusion Detection Systems, all of which can be used in combination to add layered defenses to your network. Each customized security solution is monitored 24x7x365 from our Secure Network Operations Center, allowing our team to respond to potential threats as they are happening. For any IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.