Lately, we’ve seen cyber threats evolving at an alarming pace, and it’s clear that relying on a single solution to protect systems and data doesn’t cut it anymore. Many organizations are now adopting a defense-in-depth approach to better combat the changing threat landscape. But what is defense-in-depth?
It is a security strategy that leverages a layered approach to protecting an organization and its assets. Think of it like a medieval castle. To breach the castle (organization), you'd first need to cross the moat, dodge the hidden archers and get through the 24/7 monitored gate.
Great, now that you're in the castle, how do you get to the king (the organization’s data)? Well, you’d still need to navigate through the castle wings, bypass internal guards and find the keys to the right doors (and trust me, there are quite a few!). These layers form a failsafe system where one compensates for the weaknesses of another, creating a depth of defensive measures.
Hold on—weren't we discussing security? We sure are! Defense-in-depth has been practiced by humanity for centuries. The only difference here is that it has been adapted for today's organizations and IT infrastructure. Let's break down the castle walls and explore the concept of defense-in-depth, its importance and applicability to modern security practices.
Why do we need a layered approach?
A layered approach to security is like having a toolkit of “just in case” measures to cover every potential vulnerability. No single security measure can protect an entire organization, and new technologies might emerge that can bypass existing controls. However, with a set of “just in case” security measures in place, you make it significantly harder for an attacker to perform a successful breach. While the primary goal is to prevent an incident from occurring in the first place, a layered approach ensures that even if one defense is breached, subsequent layers can mitigate damage and stymie further progress.
Back to our castle analogy: the moat and walls are the first lines of defense. They are tough obstacles to overcome, but let's imagine the rare scenario where an assassin manages to swim across the moat, evade the crocodiles and scale the walls undetected. Without further layers of defense, the assassin can basically walk right up to the king. However, with a defense-in-depth strategy, even if the assassin breaches the outer defenses, they still face multiple additional security measures inside the castle, such as the guards and locked doors. These layers ensure the intruder is eventually detected and neutralized before causing significant damage.
What are the layers?
Now that we have explored the strategy of defense-in-depth and the importance of a layered approach, what do these defensive layers actually look like? While the layers can vary depending on your organization, a typical layered security strategy generally includes:
- Perimeter security – moat
In the defense-in-depth strategy, perimeter security is the initial barrier against threats, much like a moat surrounding a medieval castle. Tools such as intrusion detection systems (IDS) and firewalls form this outer layer, monitoring incoming and outgoing network traffic and acting as sentinels to prevent unauthorized access.
- Physical security – castle walls
Once past the moat, attackers face the castle’s towering walls. Similarly, physical security measures, like locked doors, ensure that even intruders who breach the perimeter encounter additional barriers before accessing your organization.
- Network segmentation – gatehouses
Inside the castle, gatehouses partition different areas, enhancing structure and security. Network segmentation functions similarly by dividing up an organization's network. This approach isolates functions, limits unauthorized movement and contains potential breaches, improving overall security management.
- Identity and Access Management (IAM) – secure drawbridge
The castle drawbridge symbolizes an organization's secure access control, managed by guards who verify and authenticate entrants. In modern security, IAM systems control and safeguard access into and within an organization.
- Principle of least privilege – guard posts
In the castle, each door is monitored by guards equipped with unique keys, ensuring that access is restricted to specific areas based on necessity. This setup mirrors the principle of least privilege in modern security, which dictates that users should have access only to the resources essential for their roles. By enforcing this principle, organizations maintain strict control over sensitive information.
- Encryption – secret tunnels
No castle is complete without secure passageways! Encryption embodies these secret tunnels, protecting sensitive data as it travels across and beyond your network and safeguarding it from unauthorized interception.
- Logging and monitoring – castle watchtowers
Castle watchtowers offer a strategic vantage point for monitoring activity inside and outside the walls. Security Information and Event Management (SIEM) solutions emulate this role by collecting and analyzing logs from various systems, offering a comprehensive view of your network activity. Logging and monitoring serve as a crucial defense layer, identifying suspicious activity early, much like the watchtowers keeping watch over the castle.
- Automated response – arrow slits
Arrow slits in the watchtower walls enable a swift response to threats. Security Orchestration, Automation and Response (SOAR) solutions and antivirus software provide a comparable function in cybersecurity. They automatically and efficiently address detected threats by executing pre-configured actions to counter potential attacks.
- Disaster recovery plan – escape tunnels
Remember those secret tunnels? Well, some served as escape tunnels, providing a means of swift exit in emergencies. This parallels a disaster recovery plan in modern organizations, which ensures that your organization can quickly recover from disruptions, minimizing damage and maintaining business continuity.
- Data backups – supply store
A well-stocked supply store ensured the castle's survival during sieges. Data backups are your modern-day equivalent, guaranteeing that critical information remains readily accessible during crises. Just as a supply store requires regular replenishment, data backups must be frequently updated and maintained.
- Security policies – castle laws
A castle operates under the king's laws, which govern the behavior and responsibilities of its inhabitants. Similarly, security policies within an organization set rules and regulations for managing and protecting information systems. These policies ensure compliance and guide security practices, just as the king's laws ensure order and security within the castle.
- Security training – guard training
Well-trained guards are crucial for security, ensuring effective protection against intrusions. Similarly, security awareness training within an organization equips employees with the skills and knowledge to identify and mitigate threats. This proactive approach ensures that personnel also act as a layer of defense.
- Patch management – castle masons
Castle masons, responsible for constructing and repairing the fortress, play a parallel role to modern patch management in a defense-in-depth framework. Just as masons addressed structural vulnerabilities and maintained the castle’s integrity, patch management involves regularly updating software and fixing system vulnerabilities. This ongoing maintenance is essential for preserving security and functionality.
- Threat intelligence – king’s spies
The king's spies are essential for gathering intelligence on threats within and beyond the castle walls. Threat intelligence teams perform a similar function by monitoring, analyzing and interpreting data on emerging cyber threats. Their insights are crucial for enhancing security measures and pre-emptively addressing potential risks.
- Incident response plans – castle defense plans
Medieval castle defense plans closely resemble modern incident response plans. Just as a castle's defense plan outlines strategies for defending against various threats, incident response plans in cybersecurity provide a structured approach to managing and mitigating security incidents. Both involve detailed contingency measures, communication protocols and defined roles to ensure a coordinated and effective response. While castle defense plans prepare defenders for conflict, incident response plans outline procedures for detecting, containing, eradicating and recovering from security breaches.
So, why implement defense-in-depth? There are several reasons:
Keep up with the changing landscape: The cybersecurity landscape is dynamic and continuously evolving as new threats and attack vectors emerge. As adversaries refine their tactics and exploit vulnerabilities in new technologies, organizations must adopt a proactive and layered defense strategy to keep up with this changing landscape. A defense-in-depth approach provides a resilient and adaptable framework by implementing multiple security controls to mitigate different threats.
Improved assurance: Implementing multiple layers of security controls enhances the assurance that an organization's assets are protected. Each layer serves as an additional safeguard, so even if one layer fails or is bypassed, other layers continue to provide protection. This approach increases the overall reliability of the security infrastructure and ensures that an organization's or asset's security is not solely dependent on a single solution.
Contains breaches: A pivotal advantage of defense-in-depth is its ability to compartmentalize security. By isolating different parts of the network and systems, any potential breach is contained within a limited scope. This containment acts as a shield, minimizing the potential damage and preventing the breach from spreading across the organization. As a result, the overall impact of a breach is curtailed and the organization can respond more effectively to contain and remediate the incident.
Provides comprehensive protection: No single security tool or control is infallible. Different types of threats demand different approaches for detection and prevention. The defense-in-depth strategy rises to this challenge by deploying a range of security measures across multiple levels, including network security, endpoint protection, application security and data encryption. This comprehensive approach ensures that multiple types of threats are covered and any weaknesses in one layer can be compensated for by other layers, thereby mitigating overall risk and instilling confidence in your cybersecurity strategy.
An arsenal of security tools needed
Ta-da! You now know how to defend your castle! New threats and vulnerabilities are constantly emerging in today’s rapidly evolving digital landscape. Just as medieval castles required more than a single knight to withstand an attack, organizations need an arsenal of security tools. While we may have changed from catapults to keyboards, the underlying principles of defense have remained remarkably similar over time.