Cyber Defense in Depth

In recent years we have begun to understand that a cyber breach is not a matter of if, but when. Looking at security this way, it becomes clear that activities focused on stopping all threats are futile; that such all-in efforts will (eventually) fail and they will exhaust resources in the process. If the persistent nature of cyber attacks effectively guarantees their success, then we should redefine success to measure the effectiveness of response when the walls are breached. This means shifting the defensive focus toward early detection, quick mitigation, and targeted remediation.

A military concept called “Defense in Depth” offers a compelling way to think about cybersecurity. The concept holds that attacks are inevitable and can take a potentially infinite number of forms. If we accept that potential attacks are both infinite and inevitable, then it is effectively impossible to build defenses that provide perfect security. Therefore, the best possible defense system is one that reliably slows the progress of any attacks when they occur. Attackers may breach one wall, but their progress will be significantly impeded if there are multiple layers of protection. These impediments allow other defenses breathing room to become more active and responsive. Put another way, defenses should focus not only on prevention, but also on detection and response.

The parallels to cybersecurity are clear. At the perimeter of a network, we find devices like firewalls and intrusion prevention systems, as well as technologies like 2-factor authentication and data encryption, These cyber defense technologies are woven together across a network to form a cyber defense prevention layer, but this prevention layer has gaps. Cyber attackers rarely target technologies alone; they target the people who use technologies.  An attacker who sends 10 “phishing” emails into an organization will have a better than 90% chance that at least 1 recipient of the email will open it and click the malicious link. When that happens, security technology cease to be a meaningful component of the defense.

The NIST Cyber Security Framework serves as a helpful guide when thinking about this problem. Efforts focused on the perimeter that focus on preventing attacks correspond to NIST’s guidance to “Identify” and “Protect” key assets. According to a Gartner estimate, 90% of spending on security occurs at the prevention layer. But what happens when an attack passes through preventive measures? According to the doctrine of defense in depth, we should focus energy on building effective detection and response capabilities.

As it happens, this is the same guidance offered by NIST in its “Detect”, “Respond” and “Recover” core principles. Early detection of a threat or attack can shorten the time it takes to mount an active defense. Planning for responses means that teams mobilize as soon as an attack is detected, then rely on their training rather than their instincts. Recovery objectives serve as a valuable roadmap to guide progress during an attack response. Together, these activities can enable a swift, nimble, and effective response to a security incident.

Defense in depth is the result of coordinated effort across multiple layers of security. Those layers make good use of technology at the point of prevention, and rely increasingly on effective policy, procedure, training, and awareness as the attack progresses past the point of prevention. Once key aspects of the business are identified and protected, attention must be turned to detection, response, and recovery.

Learning to identify and protect are important preventive measures, but doomed to fail if they are the only efforts. Being able to detect, respond, and recover will significantly improve resilience. All of these activities benefit greatly from effective management and governance.