Defense in depth explained: Layering tools and processes for better security

What is defense in depth?

Defense in depth is a security strategy in which multiple security tools, mechanisms, and policies are deployed in tandem on the assumption that if one fails, another will hold. Rather than, say, relying solely on a firewall to keep hackers out of a corporate network, an organization would also deploy endpoint security software and intrusion detection systems (IDS) to spot any attacker who manages to slip past that firewall. The intention isn’t to deploy different tools to face different specific threats: rather, a defense in depth strategy assumes that an attacker manages to defeat or bypass one tool, then other tools will pick up the slack and fight back in a different way.

Defense in depth is sometimes called a castle approach: the image is of a medieval fortress with many moats and parapets that attackers would have to breach. The term defense in depth itself has a military origin, describing a war scenario where a weaker defending army strategically retreats into its homeland’s interior, trading space for time. This isn’t how cyber defense in depth works, though: at no point do defenders intentionally cede control of any systems to an attacker (as they would when using a honeypot). Instead, you should imagine an attacker running into a relentless series of defenses, with new ones popping up every time an old one is defeated. And each of those tools is built assuming that it will be the last one standing. As Michael Howard and David LeBlanc memorably put it in the book Writing Secure Code: “If you expect a firewall to protect you, build the system as though the firewall has been compromised.”

Why is defense in depth important?

Defense in depth is important because the traditional perimeter defense model is untenable on its own. A perimeter defense philosophy throws as many resources as possible at preventing an attacker from gaining any foothold in the network by hardening its outer edge with firewalls and defenses on individual machines. This idea of what network protection is has become increasingly disconnected from the reality in which we live, in which work-from-anywhere and extensive use of public and private clouds have made it more and more difficult to even define where the perimeter is that needs protecting.

That doesn’t mean that an organization implementing a defense in depth strategy should abandon firewalls and other perimeter defenses. Rather, they must recognize that a firewall, like any other individual security tool, can almost always be breached by an attacker who is skilled and determined enough, and network assets are too valuable to be left defenseless when that happens. Defense in depth is important because we live in an environment where you have to assume that at you can be breached at any time, and even your backup defensive tools need backups.

In many ways, defense in depth dovetails with another increasingly popular cybersecurity philosophy, zero trust. A zero trust architecture is built around the idea that any user or device on the network should be continually challenged and monitored to ensure that they are who they say they are and are allowed to do what they’re trying to do. This philosophy requires an underlying defense in depth infrastructure of security tools and policies that are capable of keeping tabs on everything interacting with and on the network.

Defense in depth vs. layered security

You’ll often hear the phrases defense in depth and layered security used somewhat interchangeably. Many people use them to mean more or less the same thing: as we’ve noted, a defense in depth infrastructure involves layers of security tools fighting off attackers. Those layers are obviously important, and we’ll dive into them in more depth momentarily.

But those layers aren’t the full story of defense in depth, which goes beyond just the realm of the technical. A defense in depth architecture should entail establishing in advance how you’ll respond to attacks in progress, and how you’ll report and react to incidents whose damage you only discover after the fact. In other words, the layers of tools are only part of the story: the rest lies in the organizational mindset a defense in depth strategy requires.

Elements of defense in depth

Let’s consider how all the elements of a defense in depth strategy come together to protect your network infrastructure. One way of thinking about defense in depth as a whole groups defensive elements into three main categories: administrative controls, physical controls, and technical controls. Each of these is important in its own way.

• Administrative controls are the big-picture organizational strategies that create a secure environment. These might include policies that lay down how infosec tools are chosen and rolled out, procedures for safely handling data, and frameworks for managing the risk of connecting with the systems of third-party vendors.
• Physical controls are in some ways the simplest, but they are often overlooked. These prevent attackers from gaining real-world access to your data and computer systems: keycards, lockable and defensible doors to your office and datacenter, security guards, and the like. Remember, some social engineering attacks begin with a physical intruder conning their way into your facility by pretending to a colleague or food delivery worker.
• Technical controls are the layers of security tools we’ve been discussing, for hardware, software, and the network. Let’s take a deeper dive to understand what’s entailed here.

Defense in depth layers

These layers can be broken down into several broad categories:

The network. A defense in depth strategy can’t neglect the perimeter and starts with a firewall or IDS to try to block attacks at the network’s edge. An intrusion protection system and other network monitoring tools scan for traffic on the network looking for evidence that the firewall has been breached and either react automatically or call in human help. And tools like VPNs allow users to connect more securely and authenticate users to ensure they are who they say they are.

Anti-malware. Antivirus software, like firewalls, may sometimes seem like a product from another age. But a tool that can scan your infrastructure for malware, either matching files by their signature against a database or by using heuristics to spot suspicious patterns, is a key next layer of defense if a firewall is breached.

Behavior analysis. Real-world cops tend to zero in on people acting oddly or suspiciously, and cybersecurity pros should do the same. “People” here can mean either human users or automated processes, and tools exist to determine if they’re behaving oddly (once you’ve baselined normal behavior) and flag them for investigation. Is someone suddenly accessing data they normally wouldn’t? Is some obscure host firing off tons of encrypted information to some server in Eastern Europe? You may have a problem on your hands.

Data integrity. Are your files being modified or copied, or exfiltrated? Does an incoming file have the same name as something on your network, but different contents? Is a mysterious or suspicious IP address associated with a file? If, in a worst case scenario, your files were damaged or encrypted by ransomware, do you have backups? The tools that address these questions are another key defensive layer.

How defense in depth works: an example

Imagine an attacker who’s trying to exfiltrate valuable personally identifiable information about your customers from your datacenter. They attempt to do so by planting a backdoor in your system that should allow them privileged access.

There are multiple points in a defense in depth strategy that could stymie this scheme. In the realm of policy and procedures, perhaps your organization runs regular phishing simulations so that your employees are on guard and won’t fall for the attacker’s tricks, or rolls out patches regularly to ensure that the vulnerability that the attacker’s malware takes advantage of isn’t open on your system. On a technical level, the trojan that installs the backdoor could be detected by your email system, or the backdoor itself could be identified by an anti-malware tool. If the bad guys do manage to get access to your network, behavioral analysis tools can alert your security operations center if they see lateral movement from host to host, or if they spot data exfiltration in progress. Or maybe your database will be locked down with secure authentication tools that apply the principle of least privilege, meaning that the attacker never does get access to the crown jewels.

In theory, any one of these defenses could stop an attacker in their tracks. But in all likelihood a determined adversary will be able to bypass one or more of them. By increasing the depth of your defenses, you add to their degree of difficulty, hopefully keeping your data safe.

How to implement defense in depth

As should be clear by now, a defense in depth strategy isn’t a turnkey product you can buy; it’s a way of framing your total security philosophy, and implementing it requires a lot of thought about how you do things. That said, if you’re trying to figure out how to approach this monumental task, you could do worse than take the approach outlined by cloud vendor Fastly:

• Inventory your attack surfaces and determine what protections are currently in place
• Determine what protections you need at every layer of the network stack
• Look for gaps between system components where adversaries could find their way in

This is a move that will entail a lot of work for your organization, but the rewards can be significant. Good luck!