When most people think about cybersecurity they think of strong passwords, firewalls, and patch management. A good cybersecurity program will assess and manage all of the areas of your business and technology that help protect your Intellectual Property and IT assets. Defense-In-Depth adds layers to your cybersecurity strategy where each layer adds protection to your critical data and assets.
The outermost layer is one of the more important layers this is where your business gets involved in cybersecurity. Ownership from the top has buy in and provides resources for a cybersecurity program. An underfunded cybersecurity program provides a false sense of security and may be worse than no security at all.
Funding isn’t the only area of business controls, identifying which areas of the business are most critical, and ranking them allows for the cybersecurity team to tailor and focus their efforts on protecting the business’s most vital assets. All layers will build upon the foundation lain by the executives.
Business controls require input and buy-in from all functions of a business. Operations, Finance, HR, Marketing, and Information Technology all have a role to play. One of the key aspects of business controls is the business risk assessment; knowing what bad things happen (impact) if a system or information is compromised is vital for the cybersecurity team to prioritize configurations and mitigations for systems and data. If these departments are not fully committed to cybersecurity there are sure to be failures down the road.
Now we start to get into some traditional security. Once an adversary has physical access they can more easily compromise your systems. Many of these physical attacks can be mitigated but you are most vulnerable when an attacker has physical access. For more information on why Physical Protections are important check out this whitepaper from the SANS institute “Physical Security and Why it’s Important” by David Hutter.
Physical controls are door locks, badge swipes, cameras, security guards, and other physical protections. These controls ensure that only authorized personnel have physical access to your systems. Physical controls fall into one of two categories, either Protect or Detect. Locked doors protect a room whereas cameras and motion sensors detect. Knowing that you have had an intrusion will allow your cybersecurity team to respond to the incident and reverse any actions that were taken.
Administrative controls differ from business controls in that they focus on the administrative processes and procedures that surround information and IT. One way to think of administrative controls is they are the controls that are not physical or technical; these are the human processes. These controls include:
Finally, some technical and more traditional cybersecurity. Network controls harden your network from attackers by controlling what information gets in and out of your network and detecting any malicious activity. Network configurations can be quite complex, especially if your business has on-premise servers and workstations that need to be separated from each other.
Firewalls are the first line of defense, they block unwanted traffic on your network. Much like your cable provider has multiple channels on one cable line, internet traffic has multiple ports on which the internet communicates. The firewall allows only the necessary channels to be passed through from the outside to your internal computers.
Intrusion Detection Systems (IDS) analyze each packet of information that crosses your network and compares it to known malicious or bad behavior. Some IDSs can also prevent communications when malicious activity is detected.
Servers and clients (desktops and laptops) require many configuration settings to be changed from their default values to secure your systems. When operating systems are first installed they are very permissive with their security settings, and to secure them they need to be reconfigured. These confiugrations tell the system (and some software) how to behave in different aspects such as:
Each of the layers of this defense-in-depth strategy can grow stale and ineffective as time progresses. Sometimes computer configurations can change while maintenance is being performed, or new vulnerabilities are identified and patches released. Both of these scenarios can render your cybersecurity ineffective, so the last layer is continuous monitoring. Every month a handful of controls should be re-evaluated to determine how well the business is performing those controls and how effective they are at mitigating vulnerabilities.
Computers need to be continuously monitored for patches and configuration compliance as well as malware and unauthorized changes. Sometimes patches fail to install and the cybersecurity team needs to be aware of when those patches fail and IT will need to make sure the issue is resolved in timely manner.
Some viruses, especially those tailored to attack your systems, can elude anti-virus software and make changes to the system. Continuous integrity monitoring will identify when that happens and alert the cybersecurity team to the threat.
If this seems like a lot of work it’s because it is. But how does a cybersecurity team, or an MSSP, implement and manage such a wide array of controls? We use control catalogs or standards like the National Institute for Science and Technology (NIST) Special Publications 800-171 or 800-53. Depending on the business needs we may also use PCI or ISO 27001 as our guiding documents.
After the business has identified their critical assets and information and allocated initial funding the cybersecurity team will perform a gap analysis to build a get-well-plan that includes additional costs for the full budget.
Once the get-well-plan is built and the budget allocated the cybersecurity team will begin to work with your departments to roll out the plan and implement the defense-in-depth strategy. The implementation could take a while, so be prepared for a lengthy process.