Revisiting Defense-in-Depth
Defense-in-depth (“DiD”) is a fundamental security concept that predates IT security by centuries (if not by millennia). It involves implementing multiple layers of defense to protect assets from attack, so that a single point of failure is much less likely to result in a breach. This multi-layered approach significantly increases the time, effort, and resources required for a successful compromise, often deterring all but the most persistent and sophisticated adversaries.
The key principles of Defense in Depth include:
- Redundancy: Having multiple security controls in place to provide backup in case one fails.
- Diversity: Using a variety of different security technologies, methods, and approaches to make it harder for an attacker to compromise the entire system.
- Depth: Implementing security controls at multiple levels, such as network, host, application, and physical security.
- Independence: Ensuring that the failure of one security control does not automatically lead to the failure of other controls.
A classic example of effective DiD occurred during the siege of the walled Irish town of Clonmel conducted by Oliver Cromwell in May of 1650. Prior to that siege, Cromwell had overcome numerous walled cities and fortifications throughout Ireland with little difficulty. His method of attack was simply to use cannons to blast a breach in the defensive wall that surrounded a town or castle, and then send his troops flooding through that breach to overwhelm the defenders.
In the case of Clonmel, however, after the breach was made, the defenders rapidly constructed an inner defensive wall, known as a coupure, behind the breach - a classic example of DiD. When Cromwell’s infantry entered the breach they found themselves in a killing zone from which few emerged. (NOTE: Cromwell did eventually take the town, but only because the town ran out of ammunition with which to defend itself.)
It’s easy enough to appreciate the importance of implementing DiD as part of a modern IT security architecture; however, time and budget constraints have resulted in many security professionals not quite “getting around to it”. The result is that many IT assets are under-protected and more vulnerable to advanced adversaries than they should be.
In some cases DiD may be implemented at very little additional cost. For example, most modern servers and workstations come out-of-the-box with built-in firewalls. However, these firewalls may not be configured because the organization is relying on the protection of firewalls implemented on the greater network. Enabling built-in host firewalls, in addition to network firewalls, is a great way to quickly achieve an important DiD mechanism.
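As an added illustration of the host-firewall layer described above (example code written for this article, not taken from it): a default-deny nftables ruleset for a hypothetical Linux web server that serves HTTPS and is managed over SSH from a constructed management network, 10.0.0.0/24. The host no longer depends on the network firewall being correct; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: a host firewall that sits behind the network firewall.
# Assumed host: serves TCP 443 to anyone, SSH only from the management net.
MGMT_NET="10.0.0.0/24"   # constructed value for this example

# Print the ruleset. Inbound traffic is dropped unless explicitly allowed,
# so a mistake in the network firewall does not expose this host by itself.
host_ruleset() {
    cat <<EOF
flush ruleset
table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 ip saddr $MGMT_NET accept
        tcp dport 443 accept
        log prefix "host_fw drop: " counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check the ruleset (nft -c touches nothing) and then load it.
apply_host_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    host_ruleset > /tmp/host_fw.nft
    nft -c -f /tmp/host_fw.nft && nft -f /tmp/host_fw.nft
}

# Checks that can run without root or nft: the input chain must default to
# drop, and SSH must only be reachable from the management network.
ruleset_is_default_deny() {
    host_ruleset | grep -q 'hook input priority 0; policy drop;'
}
ssh_restricted_to_mgmt() {
    host_ruleset | grep -q "tcp dport 22 ip saddr $MGMT_NET accept"
}
```

Dropped packets are logged with the `host_fw drop:` prefix, which gives the host its own detection signal for traffic the network firewall let through.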
Regrettably, in today’s cybersecurity world, the importance of DiD is often overlooked, with organizations focusing solely on a single “silver bullet” solution or relying on outdated, siloed security measures (or even worse, relying on “perimeter security”). This myopic approach leaves those organizations vulnerable to well-known attacks that can bypass these isolated defenses. In the face of increasingly sophisticated threats, a comprehensive DiD strategy is no longer a luxury, but a necessity.
In conclusion, defense-in-depth is an important cornerstone of an effective cybersecurity program. By layering multiple security controls and mechanisms, organizations can create a comprehensive and resilient defense that has a much higher probability of withstanding the most formidable threats. As information security professionals, it is our responsibility to advocate for and implement defense-in-depth, ensuring the protection of our organizations and the data they entrust to us.