Defense in Depth Information Security Strategy

Want to get serious about Information Security? It is time for a Defense in Depth strategy. Interlocking Prediction, Prevention, Detection, and Response capabilities is the key. As no single solution provides comprehensive security, the way to achieve optimal security is to apply a Defense in Depth approach of complementing capabilities that protect your computing environment and the data within. This strategy is highly effective at providing security assurance, is cost efficient, scales to large organizations, adapts to changing threats, and is proven to work.
The concept is straightforward. Establish a system of capabilities and services which align to attackers, their objectives, and the methods they are most likely to attempt. Couple this with the understanding that they will sometimes succeed, and embed at every turn the fact that each such event is a learning opportunity to improve the system.
[Figure: Defense in Depth diagram showing the interlocking Prediction, Prevention, Detection, and Response capabilities]

Prediction:
Security threats are about opposition. Threat agents are living, breathing opponents who are creative, knowledgeable, motivated, and have personal objectives in mind. They utilize available methods and resources to achieve whatever goals they seek by leveraging vulnerabilities in people, computing systems, and communication networks. In total, this represents a massive potential target landscape to be protected, edge to edge. Good luck.
The reality is you can't protect against everything and everyone. It is too cost prohibitive and in most cases impossible anyway. Although the truly paranoid may disagree, not everyone is interested in attacking you, and within the realm of possible attack methods it is more than likely only a few would be employed. The "path of least resistance" rule applies here.
A common pitfall is to rely exclusively on vulnerability assessments to determine where to focus. Although vulnerability assessments are valuable, they are misleading if they are the only source for Prediction. Understanding your opponent is fundamentally different from being aware of the weaknesses inherent to your environment. Relying on weaknesses alone means expending effort on areas which will never be targeted for exploitation. Consequently, fewer resources will be available for the areas actually under siege.
The best security professionals understand the relationship between attacks and the environment they protect. They marshal their resources to intercept the most likely attack vectors for the greatest effect. Prediction is the first step in the efficient use of security resources. Knowing why your organization would be attacked, the likely targets, and the 'easy' ways which tantalize attackers provides the insights necessary to prevent such incidents.
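To make the Prediction argument concrete, here is an added example (not code from the original post) that ranks the same set of findings two ways: by vulnerability severity alone, and by severity weighted with asset value and a predicted likelihood that a plausible attacker actually goes after that path. The findings, scores, and likelihood values are constructed for illustration, and the scoring formula is an assumption chosen to show the effect, not a standard.

```python
"""Added example: the same findings ranked by vulnerability severity alone
versus severity weighted by Prediction (asset value and attacker likelihood).
All assets, scores, and likelihoods below are constructed, not real data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    weakness: str
    cvss: float               # severity reported by the vulnerability assessment, 0-10
    asset_value: float        # assumed business impact if this asset falls, 0-1
    threat_likelihood: float  # Prediction: assumed chance a relevant attacker tries this path, 0-1


# Constructed sample findings (assumptions for illustration only).
FINDINGS = [
    Finding("lab-build-server", "unpatched kernel", 9.8, 0.2, 0.05),
    Finding("customer-db", "weak admin password", 7.5, 1.0, 0.70),
    Finding("hr-file-share", "open SMB share", 6.5, 0.6, 0.50),
    Finding("public-web", "outdated TLS config", 5.3, 0.8, 0.60),
]


def rank_by_severity(findings):
    """Ordering a pure vulnerability assessment would produce: highest CVSS first."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def predicted_risk(f):
    """Assumed scoring model: severity scaled by what the asset is worth and how
    likely an attacker is to pursue it. A severe flaw on an asset nobody targets
    scores low; a moderate flaw on a prized, attractive asset scores high."""
    return round((f.cvss / 10.0) * f.asset_value * f.threat_likelihood, 4)


def rank_by_predicted_risk(findings):
    """Ordering after Prediction is applied: highest predicted risk first."""
    return [f.asset for f in sorted(findings, key=predicted_risk, reverse=True)]


if __name__ == "__main__":
    print("By severity only:   ", rank_by_severity(FINDINGS))
    print("By predicted risk:  ", rank_by_predicted_risk(FINDINGS))
    for f in FINDINGS:
        print(f"  {f.asset:17s} cvss={f.cvss:4.1f} risk={predicted_risk(f):.4f}")
```

With these constructed inputs the severity-only list puts the lab build server first because of its 9.8 CVSS score, while the Prediction-weighted list pushes it to the bottom and promotes the customer database and public web server, which is the point of the paragraph above: the weakness list and the likely-target list are not the same list.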
Prevention:
This is where the magic happens. Preventing or deterring attacks is where everyone wants to be. Given the insights of Prediction, combined with industry best-known methods, you can put forth a front line of defense representing the bulk of your cost efficiency. The purpose is to render ineffective the methods the attackers are most likely to employ and to deny the attackers their objectives.
Prevention can take many forms, both technical and behavioral. Here are some examples, but don't take this as a complete list or even a recommendation, as selecting the right prevention solutions is specific to the environment and organization. Policy, security awareness, web proxies, and email filters are examples that intercept people-based attacks. Computing systems can be protected with anti-virus, system hardening, compartmentalization, authorization and authentication controls, host firewalls, and timely patching, to name a few. Communication network attacks are prevented mostly with high-speed automated technical solutions such as firewalls and proxies, as well as secure device configurations and a good network architecture plan.

At its best, a solid prevention plan will eliminate the threat agents' easy attacks and protect those critical assets most sought by the attackers. Doing a good job here translates into the biggest bang for the security buck.
"Two types of victims exist: Those with something of value and those who are easy targets. Therefore, don't be an easy target and protect your valuables." 

Detection and Monitoring:
Unfortunately, at some point a number of attacks will succeed. Although it is most efficient to deter or prevent attacks, ignoring those that do get through the front line defenses is ill advised. Security incidents and intruders must be promptly identified, cornered, and squashed like bugs. The first step is the ability to rapidly ascertain when the Prevention defenses have been breached and to track the actions of the buggers. Detection and monitoring capabilities sound the alarms and direct the Response resources to the source. Speed and accuracy are most important in detection. However, detection must be designed to look in the right areas, as it is cost prohibitive to watch everything. Again, Prediction can play a role in deciding what to watch as well as how to monitor it.
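As an added example (not code from the original post) of letting Prediction decide what to watch, the detector below applies a failed-login burst rule only to assets on a watch list, with a per-asset threshold. The watch list, thresholds, log format, and log lines are all constructed for illustration; a real deployment would take the watch list from the Prediction exercise and the logs from the authentication systems of the assets on it.

```python
"""Added example: a detector that watches only the assets Prediction flagged as
likely targets and alerts on a burst of failed logins from one source.
Watch list, thresholds, log format, and log lines are constructed for illustration."""
import re
from collections import defaultdict

# Assumed output of Prediction: which assets to watch and how many failures from
# one source count as a burst. Tighter threshold on the most prized asset.
WATCHED_ASSETS = {"customer-db": 5, "public-web": 10}

# Assumed log format: "<timestamp> <asset> auth <ok|fail> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<asset>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:01 customer-db auth fail user=admin src=203.0.113.5
2024-01-01T10:00:02 customer-db auth fail user=admin src=203.0.113.5
2024-01-01T10:00:03 customer-db auth fail user=root src=203.0.113.5
2024-01-01T10:00:04 customer-db auth fail user=dba src=203.0.113.5
2024-01-01T10:00:05 customer-db auth fail user=admin src=203.0.113.5
2024-01-01T10:00:06 customer-db auth fail user=sa src=203.0.113.5
2024-01-01T10:00:07 customer-db auth ok user=jsmith src=198.51.100.7
2024-01-01T10:00:08 lab-build-server auth fail user=build src=203.0.113.9
2024-01-01T10:00:09 lab-build-server auth fail user=build src=203.0.113.9
2024-01-01T10:00:10 lab-build-server auth fail user=build src=203.0.113.9
2024-01-01T10:00:11 public-web auth fail user=editor src=198.51.100.22
2024-01-01T10:00:12 public-web auth fail user=editor src=198.51.100.22
this line is not in the expected format
"""


def detect_failed_login_bursts(log_text, watched=WATCHED_ASSETS):
    """Return alerts for (asset, source) pairs whose failed-login count reaches the
    asset's threshold. Unwatched assets and unparseable lines are ignored, which is
    the deliberate trade-off: cheaper monitoring focused on predicted targets."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skipped, not counted
        asset = m["asset"]
        if asset not in watched:
            continue  # outside the Prediction-driven watch list
        if m["result"] == "fail":
            failures[(asset, m["src"])] += 1
    alerts = [
        {"asset": asset, "src": src, "failures": n}
        for (asset, src), n in failures.items()
        if n >= watched[asset]
    ]
    return sorted(alerts, key=lambda a: a["failures"], reverse=True)


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG):
        print(f"ALERT {alert['asset']} burst of {alert['failures']} failures from {alert['src']}")
```

On the constructed log the customer database source with six failures trips its threshold of five and produces the only alert; the two failures against the public web server stay under that asset's threshold of ten, and the three failures against the unwatched lab build server are never counted. The caveat a practitioner should keep in mind is the one the paragraph above makes: an attacker who goes somewhere you chose not to watch is invisible to this rule, so the watch list has to be revisited as Prediction improves.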
Response & Recovery:
How an organization responds to successful attacks largely determines what residual losses are finally realized. When an event occurs, having the right processes, people, tools, and capabilities in place to contain the security event is critical. Time is on the side of the attacker. The goal of the security professional is to eradicate the security problem and restore the environment to normal operations. This may range from minor efforts to catastrophic recovery. The earlier the Detection capabilities alert the organization, the easier it is to corral the issues and recover. The savviest attackers are stealthy. They want plenty of time to work on achieving their objectives, and they dig deep like an embedded tick. The longer they are inside, the more damage they can cause and the more difficult they become to eradicate.
Don't be caught without proper Response and Recovery capabilities. Inability to restore the organization to a safe and normal state translates to hemorrhaging money, time, resources, productivity, and maybe worse.

Continuous Improvement:
Information security is a continuous process. Key learnings from every event can improve individual areas as well as feed the Prediction services, giving a better understanding for the next time around. Defense in Depth can successfully be managed centrally or in a distributed model, as long as the overall strategy remains intact and the interactions drive continuous improvements.
If you are ready to take the Defense in Depth plunge, you will be rewarded. Interlocking your strategy in a coherent manner gives better insights to reach and maintain your optimal level of security.
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.