Defense-in-depth is a cybersecurity strategy that organizations use to protect critical assets from cybercriminals and malicious insiders. Defense-in-depth security is designed to integrate people, technology, and operations capabilities by establishing multiple security layers or barriers of protection across the organization.
Defense-in-depth typically involves assembling multiple layers of various security controls—known as layered security—to develop a robust and redundant defense across the IT environment. By layering heterogeneous security technologies along common attack vectors, a defense-in-depth strategy helps ensure that attacks missed or bypassed by one technology will be identified and stopped by another.
With multiple layers of defense on endpoints, for example, each layer provides a different type of security designed to protect the endpoint even if one or more of the controls fails. This approach helps to minimize the risk of a single point of failure. It is frequently used to address a variety of vulnerabilities across the range of physical, technical, and administrative layers.
Effective defense-in-depth layers include security techniques and solutions such as Firewalls, Patch Management, Intrusion Prevention or Detection Systems, Endpoint Detection and Response software, Privileged Access Management solutions, and Network Segmentation.
Firewalls are software or hardware appliances that control network traffic through allow or deny policies or rules. These rules may include blocklisting or allowlisting IP addresses, MAC addresses, and ports. There are also application-specific firewalls, such as Web Application Firewalls (WAF) and secure email gateways, that focus on detecting malicious activity directed at a particular application.
Patch Management is the process of applying updates to operating systems, software, hardware, or plugins. Often, these patches address identified vulnerabilities that could allow unauthorized access to information systems or networks.
Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) monitor network traffic for malicious activity. An IDS sends an alert when malicious network traffic is detected. In contrast, an IPS attempts to prevent, as well as alert on, identified malicious activity on the network or a user's workstation. These solutions base recognition of attacks on signatures of known malicious network activity.
Endpoint Detection and Response (EDR) software or agents reside on the client system (e.g., a user's laptop or mobile phone) and provide antivirus protection, alerting, detection, analysis, threat triage, and threat intelligence capabilities. These solutions run on rulesets (i.e., signatures or firewall rules) or heuristics (i.e., detection of anomalous or malicious behaviors).
Privileged Access Management (PAM) solutions provide tools that protect access to both human and non-human privileged accounts and credentials. Passwords are stored and dispensed through a secure vault, rotated regularly, and typically tied to multifactor authentication. The principle of least privilege is applied whereby policies and technical controls only assign users, systems, and processes access to resources (networks, systems, and files) that are absolutely necessary to perform their assigned function.
Network Segmentation is the practice of dividing a network into multiple sub-networks designed around specific business needs. For example, this approach often includes having sub-networks for executives, finance, operations, and human resources. Depending on the level of security required, these networks may not be able to communicate directly. Segmentation is often accomplished through the use of network switches or firewall rules.
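As an added illustration of the layering argument above (example code written for this page, not a product or vendor implementation), the following Python models three heterogeneous layers, a firewall with allow/deny rules, signature-based IDS matching, and a behavior-based EDR heuristic, and runs constructed events through them in order. All rules, signatures, thresholds, addresses (from documentation ranges) and events are made-up assumptions; the point is that an event missed by one layer is still caught by a later one.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Event:
    """One observed event crossing the layers (constructed sample data)."""
    src: str            # source IP address
    dport: int          # destination port
    payload: str        # request payload as seen on the wire / by the endpoint agent
    new_procs: int = 0  # child processes spawned by the process handling the request

# Layer 1: firewall. Deny rules are checked first, then allow rules; default deny.
# (net, port) with port=None meaning "any port". Ranges are assumed examples.
FW_DENY = [(ipaddress.ip_network("203.0.113.0/24"), None)]   # blocklisted range
FW_ALLOW = [(ipaddress.ip_network("0.0.0.0/0"), 443)]        # only HTTPS reaches the service

def _matches(ip, dport, rules):
    return any(ip in net and (port is None or port == dport) for net, port in rules)

def firewall(ev):
    ip = ipaddress.ip_address(ev.src)
    if _matches(ip, ev.dport, FW_DENY):
        return "blocked"
    return "pass" if _matches(ip, ev.dport, FW_ALLOW) else "blocked"

# Layer 2: IDS/IPS. Signature matching on known-malicious payload patterns (assumed list).
IDS_SIGNATURES = ["../../etc/passwd", "UNION SELECT"]

def ids(ev):
    hit = any(sig.lower() in ev.payload.lower() for sig in IDS_SIGNATURES)
    return "alert" if hit else "pass"

# Layer 3: EDR heuristic. A request handler that spawns child processes is anomalous
# regardless of payload, so novel payloads without a signature are still caught.
def edr(ev):
    return "alert" if ev.new_procs > 0 else "pass"

def evaluate(ev):
    """Run the event through each layer in order; return the first layer that catches it."""
    for name, layer in (("firewall", firewall), ("ids", ids), ("edr", edr)):
        if layer(ev) != "pass":
            return name
    return None  # no layer objected: benign traffic

SAMPLE_EVENTS = {  # constructed events, one per layer plus a benign control
    "blocklisted_source": Event("203.0.113.7", 443, "GET / HTTP/1.1"),
    "wrong_port": Event("198.51.100.4", 22, "SSH-2.0-client"),
    "known_signature": Event("198.51.100.4", 443, "GET /?q=1 UNION SELECT pw FROM users"),
    "novel_payload": Event("198.51.100.4", 443, "POST /upload HTTP/1.1", new_procs=3),
    "benign": Event("198.51.100.4", 443, "GET /index.html HTTP/1.1"),
}

def run_all():
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}
```

The `novel_payload` event carries nothing the IDS signatures recognize, so only the EDR behavior heuristic stops it; removing that layer would let it through, which is exactly the single-point-of-failure risk the text describes.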
Beyond these typical layers of cybersecurity software tools, the defense-in-depth guiding principles have evolved to go beyond simply detecting and stopping an attack or breach. Thus, a broader, more strategic definition of defense-in-depth encompasses additional security measures such as incident response, disaster recovery, reporting, and forensic analysis.
Defense-in-depth describes a more holistic or multi-dimensional strategic approach to cybersecurity aimed at minimizing risks. Layered security, by comparison, is one aspect of defense-in-depth (DiD) involving multiple defensive tools to detect and stop an immediate attack.
Defense-in-depth assumes a broader scope of defense from incident to response through resolution. This means planning for rapid notification and response when attacks occur, as well as business continuity and disaster recovery measures.
Before cloud computing altered IT priorities significantly, cybersecurity strategies were often organized around perimeter defense principles—protecting the boundaries of the network with information guarded inside a perimeter wall. This approach has flaws that have been increasingly exposed in the cloud era as remote access among employees and third-party users has become common.
A defense-in-depth strategy broadens the perspective of how organizations must manage risks with a more comprehensive view of how various cybersecurity tools can work together to reduce the impact of growing threats from both inside and outside the organization.