Defense in depth is a term that gets thrown around a lot by security practitioners, and for good reason. When applied correctly it substantially improves your ability to prevent an attack, detect one in progress, and limit the damage an attacker can cause. In this blog, we will take an in-depth look at defense in depth with some practical examples.
What is Defense in Depth?
First, let’s define defense in depth. Defense in depth is the concept of applying multiple layers of security for each threat, such that if one layer is bypassed, others are there to either stop the attack or limit the damage. This is often referred to as a “castle” approach. Back in medieval times, if you were attacking a castle, there were several things you had to get through before you took it over. First, there would be the archers firing from the walls. Next, there would be a moat (with crocodiles in it, obviously). After that come the walls, where the defenders would knock over your ladders or pour hot oil on you. Even if you scaled the walls, you still had the soldiers inside to deal with.
As you can see from the castle analogy, even if the archers’ bows didn’t work, or the enemy developed a new armor that blocked the arrows, there would still be several other protections in place to stop the attack. Apply this same concept to information security, and that is defense in depth.
Defense in Depth on a Micro and Macro Scale
You can apply defense in depth at many different layers. Just as in medieval times there was defense in depth for the castle as a whole, there was also defense in depth for the main gate alone: the drawbridge, the barrier and locks on the main door, and soldiers ready to fight whoever came through. Similarly, in information security, you can apply defense in depth on a small scale, stacking controls against a single threat vector, and on a much larger scale, with controls that protect against many threat vectors at once.
An example of a defense in depth tactic on the small scale is multi-factor authentication. Multi-factor authentication requires you to present two different kinds of proof when trying to log in. For example, you need to know a password, and then a notification is sent to your phone that you have to accept. Only after you complete both steps do you gain access to whatever you are trying to log in to. With this approach, even if I know your password, that only gets me through one line of defense; now I have to somehow get you to push that button on your phone, or steal your phone. In general, the more layers I have, the better. But there are several social engineering tricks designed to get you to push that button, such as sending prompt after prompt until you approve one just to make them stop. Which brings us to the larger scale.
Let’s say that in the above example you put multi-factor authentication on your VPN login. With today’s advanced threats, it is safe to assume that an attacker will still find a way in, either through social engineering like we discussed, or by sending a malicious link that an employee clicks on, giving the attacker access to that user’s computer. Macro-scale defense in depth assumes that eventually someone will be compromised, and asks how you limit the damage when that happens. This includes segmenting your internal network so an attacker who lands on a user’s machine can only reach the systems that user actually needs. It also includes monitoring tools that detect and alert when a compromise happens, so you can quickly contain the issue. A final example is data-loss prevention software or other tools that analyze outbound traffic for sensitive information.
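To make the monitoring layer concrete, here is a small added example (not code from the original post) that pairs the micro-scale control above, MFA, with a macro-scale detection: it reads authentication events and raises an alert when a user approves a push after receiving several prompts in a short window, which is the trail left by an attacker who has the password and keeps re-sending prompts until the victim gives in. The log format, field names, thresholds, and the sample lines themselves are all constructed for illustration and do not come from any real product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real product).
# Assumed format: <ISO-8601 UTC timestamp> user=<name> ip=<addr> event=<type>
# where event is one of password_ok, push_sent, push_denied, push_approved.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z user=alice ip=203.0.113.7 event=password_ok
2024-03-04T08:01:11Z user=alice ip=203.0.113.7 event=push_sent
2024-03-04T08:01:30Z user=alice ip=203.0.113.7 event=push_denied
2024-03-04T08:01:45Z user=alice ip=203.0.113.7 event=push_sent
2024-03-04T08:02:05Z user=alice ip=203.0.113.7 event=push_denied
2024-03-04T08:02:20Z user=alice ip=203.0.113.7 event=push_sent
2024-03-04T08:02:50Z user=alice ip=203.0.113.7 event=push_approved
2024-03-04T08:05:00Z user=bob ip=198.51.100.4 event=password_ok
2024-03-04T08:05:01Z user=bob ip=198.51.100.4 event=push_sent
2024-03-04T08:05:09Z user=bob ip=198.51.100.4 event=push_approved
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return record


def detect_push_fatigue(log_text, window=timedelta(minutes=10), max_prompts=3):
    """Return one alert per push approval that was preceded, within `window`,
    by at least `max_prompts` push prompts for the same user.

    A legitimate login normally produces a single prompt; an attacker who has
    the password and keeps re-requesting pushes produces several, often with
    denials in between, before the user approves one. The window and threshold
    are assumptions and should be tuned to your own environment.
    """
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])

    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        for idx, event in enumerate(user_events):
            if event["event"] != "push_approved":
                continue
            cutoff = event["ts"] - window
            # Only look at this user's events that precede the approval and fall in the window.
            recent = [e for e in user_events[:idx] if e["ts"] >= cutoff]
            prompts = sum(1 for e in recent if e["event"] == "push_sent")
            denials = sum(1 for e in recent if e["event"] == "push_denied")
            if prompts >= max_prompts:
                alerts.append({
                    "user": user,
                    "ip": event["ip"],
                    "approved_at": event["ts"].isoformat(),
                    "prompts_in_window": prompts,
                    "denials_in_window": denials,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print("ALERT possible MFA push fatigue:", alert)
```

Run against the constructed log, alice is flagged (three prompts and two denials before she approved) while bob, who approved his single prompt, is not. The point is the layering: MFA stops the attacker who only has the password, and this detection catches the case where MFA was talked around, so the compromise can be contained before the attacker moves further into the network.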
Think of your network as a medieval castle. The more you can layer protections, at both the micro and the macro scale, the better off your security will be. Whatever security vendors selling the next great thing may promise you, there is no silver bullet in information security. A good practice, then, is to assume each control will be bypassed, work out what the impact would be, and add further controls to prevent or limit that impact.