Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier. Defense in depth minimizes the probability that the efforts of malicious hackers will succeed. A well-designed strategy of this kind can also help system administrators and security personnel identify people who attempt to compromise a computer, server, proprietary network or ISP (Internet service provider).
If a hacker gains access to a system, defense in depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence. Components of defense in depth include antivirus software, firewalls, anti-spyware programs, hierarchical passwords, intrusion detection and biometric verification. In addition to electronic countermeasures, physical protection of business sites along with comprehensive and ongoing personnel training enhances the security of vital data against compromise, theft or destruction.
Implementation:
- Network Controls
- Antivirus Software
- Check File Reputation
- Analyze Behavior
- Fix the Leak
Monitoring network traffic is the first line of defense. Firewalls can help with this, but for a more comprehensive security solution an intrusion prevention system (IPS) should also be used.
Using antivirus software is critical, but it’s not an all-inclusive solution. It often relies heavily on signature-based detection, which a capable attacker can evade. Some antivirus programs also use heuristics that look for suspicious activity. For example, if a document tried to download an executable when opened, the antivirus program would halt the download and quarantine the file.
The reputation of a file is based on how often it is seen and where it comes from. Every file has a checksum, a mathematical fingerprint of its contents, that can be compared against known malware and used to block matches. The same checksum can also be used to count how often a file shows up. If an incoming file is completely unique, it’s marked as suspicious, because a legitimate file should normally be in circulation somewhere else. It is also important to check the reputation of the file’s origin: check the IP address of either the sender or the origin site and decide whether it’s a trustworthy source.
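The three reputation checks described above (checksum against a known-bad list, prevalence count, and origin address) as one worked function. This is an added example, not code from the original article; the hash list, sighting counts, trusted sender range and rarity threshold are all constructed for illustration.

```python
import hashlib
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed sample data (not real indicators): one known-bad hash, a
# prevalence table of previously seen files, and a trusted sender range.
KNOWN_BAD = {hashlib.sha256(b"EVIL-SAMPLE").hexdigest()}
SIGHTINGS = Counter({hashlib.sha256(b"schedule-v3.pdf").hexdigest(): 412})
TRUSTED_SENDERS = [ip_network("203.0.113.0/24")]  # documentation range
RARE_THRESHOLD = 5  # fewer sightings than this counts as "rare"


def checksum(data: bytes) -> str:
    """SHA-256 hex digest: the checksum used for matching and counting."""
    return hashlib.sha256(data).hexdigest()


def record_sighting(data: bytes) -> int:
    """Update the prevalence table when a file is observed; return new count."""
    digest = checksum(data)
    SIGHTINGS[digest] += 1
    return SIGHTINGS[digest]


def file_reputation(data: bytes, sender_ip: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). verdict is 'block', 'suspicious' or 'allow'."""
    digest = checksum(data)
    reasons: List[str] = []

    # 1. Exact match against known malware: block outright.
    if digest in KNOWN_BAD:
        return "block", ["checksum matches known malware"]

    # 2. Prevalence: a file nobody else has is suspicious on its own.
    seen = SIGHTINGS[digest]
    if seen == 0:
        reasons.append("never seen before")
    elif seen < RARE_THRESHOLD:
        reasons.append(f"rare: seen only {seen} times")

    # 3. Origin: is the sender inside a trusted range?
    if not any(ip_address(sender_ip) in net for net in TRUSTED_SENDERS):
        reasons.append(f"sender {sender_ip} is not in a trusted range")

    return ("suspicious" if reasons else "allow"), reasons
```

Each reason is kept separately so an analyst can see which layer fired rather than just the final verdict.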
Network and file behaviors provide insight into whether a breach is in progress or has already occurred. By the time behavioral analysis comes into play, prevention has already failed and the new aim is detection. Initially this requires an organization to create a baseline for “normal” behavior. Algorithms can then use this baseline to detect anomalies such as high-bandwidth traffic or extremely long connections.
Once an attack is detected, it’s crucial to shut it down quickly. In addition to deleting malicious files, the initial entry point of the attack needs to be identified and repaired.
Example Of Defense In Depth
Assume an organization utilizes a defense in depth strategy. This company uses a firewall, a basic antivirus program, and behavioral analysis. An attacker creates a phishing attack and sends out a convincing email with a company schedule attached in the form of a PDF. The email makes it past the firewall and ends up in the inbox of an unsuspecting employee. When the employee opens the PDF it starts to download a malicious executable file. Fortunately, the behavioral analysis tool notices the anomaly and sends up an alert concerning the file. Although the attack was successfully detected, there are three things the organization could improve to stop the attack from occurring in the first place. First, the company could utilize an IPS to provide an extra layer of network security. Second, they could upgrade their antivirus software to one that employs heuristics. This way the file could be automatically dealt with instead of merely sending an alert. Third, and most important, the company could offer employee security training so that phishing attacks never succeed, even if they make it past all of the filters.