What is Defense in Depth?

The principle of defense in depth states that an organization shouldn’t rely on a single line of defense to protect it against potential threats. The issue with a single line of defense is that, if it fails, nothing stands between the attacker and the organization’s assets.


With defense in depth, the organization will layer multiple lines of defense throughout the organization. This way, there is a greater probability that, if an attacker slips past one line of defense, a later one will block or detect the attack.


How Defense in Depth Works

The cyber threat landscape is constantly evolving, and companies are facing more numerous and sophisticated cyber threats than ever before. As a result, traditional cybersecurity strategies focused on protecting the perimeter are no longer effective. In many cases, attackers are inside the perimeter, or vital corporate assets — such as cloud computing — are outside of it.

Defense in depth involves building multiple lines of defense to protect the organization against potential threats. This can include steps such as network segmentation but also should incorporate various types of security technologies. For example, network-level defenses against malware can be augmented by endpoint security solutions such as antimalware, endpoint protection platforms (EPP), and endpoint detection and response (EDR).

Ideally, an organization will identify and block attempted attacks at the network level, before they reach the organization’s devices and cause harm. Defense in depth adds the ability to detect and block an attack that has already slipped past those outer defenses, rather than relying on them alone.

Defense-in-Depth Strategies

Organizations can implement defense in depth across their IT environments. The following are some examples of strategies for implementing defense in depth to address various threats.

Account Security

Account takeover is a common threat: an attacker gains control of a legitimate user’s account and inherits all of its permissions. An example of a defense-in-depth strategy for account security would be:


  • Password Security: Since passwords are a common authentication mechanism, requiring strong, unique passwords makes them harder to guess, and a unique password per account limits the damage when one is exposed in a breach elsewhere.
  • Multi-Factor Authentication (MFA): MFA requires multiple factors to authenticate to an account, making it more difficult for an attacker to take advantage of a compromised password.
  • Least Privilege: The principle of least privilege states that a user, system, application, etc. should only have the permissions and access necessary to do its job. Implementing least privilege limits the damage that an attacker can do with a compromised account.
  • Behavioral Monitoring: Behavioral monitoring allows an organization to detect suspicious, malicious, or dangerous actions by an authenticated user. The company can then block these actions and kick off incident response.
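As an added example (not code from this page or from Check Point), the four layers above are implemented below as one login-and-session pipeline in Python. The user record, role table, session events, and the password deny-list are constructed for the demonstration; the one-time code follows RFC 6238 (HMAC-SHA1, 30-second step) and uses that RFC’s published test secret. The pipeline reports which layer stopped an attempt, so you can see that a stolen password alone fails at MFA, a stolen password plus a phished code is still confined to the analyst role, and an account used from an unexpected country or for bulk export is flagged even after it authenticated.

```python
"""Layered account security: password check, TOTP MFA, least privilege,
and behavioral monitoring. Example code; all data here is constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed deny-list


# Layer 1: password policy (enforced at enrollment) and salted PBKDF2 storage.
def password_meets_policy(pw: str) -> bool:
    return len(pw) >= 12 and pw.lower() not in COMMON_PASSWORDS


def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def password_ok(user: dict, pw: str) -> bool:
    return hmac.compare_digest(hash_password(pw, user["salt"]), user["pw_hash"])


# Layer 2: TOTP per RFC 6238. A password stolen from a phishing page fails here
# unless the attacker also captures a code within its validity window.
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def mfa_ok(secret: bytes, submitted: str, now: int) -> bool:
    # Tolerate one step of clock skew either way; compare in constant time.
    return any(hmac.compare_digest(totp(secret, now + d * 30), submitted) for d in (-1, 0, 1))


# Layer 3: least privilege. A compromised analyst account cannot export customers.
ROLE_PERMS = {
    "analyst": {"read:reports"},
    "admin": {"read:reports", "export:customers", "admin:users"},
}


def authorized(role: str, action: str) -> bool:
    return action in ROLE_PERMS.get(role, set())


# Layer 4: behavioral monitoring of the authenticated session.
@dataclass
class Session:
    user: str
    source_country: str
    actions: list = field(default_factory=list)


def anomalies(session: Session, home_country: str, export_limit: int = 3) -> list:
    findings = []
    if session.source_country != home_country:
        findings.append(f"login from {session.source_country}; home is {home_country}")
    exports = sum(1 for a in session.actions if a.startswith("export:"))
    if exports > export_limit:
        findings.append(f"{exports} bulk exports in one session (limit {export_limit})")
    return findings


def attempt(user: dict, pw: str, otp: str, now: int, country: str, actions: list) -> str:
    """Walk the layers in order and report the first one that stops the attempt."""
    if not password_ok(user, pw):
        return "blocked:password"
    if not mfa_ok(user["totp_secret"], otp, now):
        return "blocked:mfa"
    session = Session(user["name"], country)
    for action in actions:
        if not authorized(user["role"], action):
            return f"blocked:least_privilege:{action}"
        session.actions.append(action)
    found = anomalies(session, user["home_country"])
    return "flagged:" + "; ".join(found) if found else "allowed"


# Constructed user record: an analyst based in DE, enrolled with the RFC 6238 test secret.
SALT = b"constructed-salt"
ALICE = {
    "name": "alice", "role": "analyst", "home_country": "DE", "salt": SALT,
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    good = totp(ALICE["totp_secret"], 59)  # "287082" per the RFC test vectors
    print(attempt(ALICE, "correct horse battery staple", good, 59, "DE", ["read:reports"]))
    print(attempt(ALICE, "correct horse battery staple", good, 59, "DE", ["export:customers"]))
    print(attempt(ALICE, "correct horse battery staple", good, 59, "RU", ["read:reports"]))
```

Each layer is deliberately independent of the others: the MFA check does not trust the password check, and the monitoring step runs even for a fully authenticated, fully authorized session. That independence is what makes the layers add up rather than share a single failure point.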

Data Security

Data is often a company’s most valuable asset. Defense in depth for data security may include the following controls:

  • Encryption: Encryption is a fundamental data security control. Encrypted data can only be accessed with the appropriate encryption keys, making it more difficult for unauthorized users to access or abuse it.
  • Access Controls: Access controls can be used to manage access to systems, data, and applications. Implementing least privilege access controls prevents users from accessing data without authorization.
  • Data Loss Prevention (DLP): DLP solutions are designed to prevent sensitive data from flowing outside of the organization. This helps to ensure that authorized users are not placing sensitive corporate and customer data at risk.
  • Backup and Recovery: In addition to theft, data is at risk of destruction or encryption by ransomware. Backup and recovery systems, kept isolated from the systems they protect, help the company quickly recover from business-disrupting events.

Endpoint Security

Corporate devices may be targeted by malware and other threats. Elements of a defense in depth strategy for endpoint security include:


  • Intrusion Detection and Prevention System (IDPS): An IDPS — deployed at the network level or on the host itself — can identify and block malicious content in transit, before it executes on a user’s device.
  • Antivirus (AV) Software: An AV uses signatures to identify and block known malware variants that have gained access to a device.
  • Endpoint Protection Platform (EPP): EPP provides more sophisticated protection, identifying and preventing malware infections using machine learning and threat intelligence.
  • Endpoint Detection and Response (EDR): EDR records endpoint activity so that incident responders can detect, investigate, and remediate an infection that has already taken hold on a corporate device.

Network Security


Network security protects the organization against internal and external threats. Solutions that can be used to implement defense in depth for the network include:

  • Firewall: A firewall defines a network boundary and enables inspection of all traffic entering and leaving the corporate network. Firewalls can block inbound threats and prevent sensitive data from leaving the network.
  • Virtual Private Networks (VPNs): A VPN or similar secure remote access solution provides remote users with encrypted access to corporate networks and enables the organization to manage and monitor remote access to corporate applications and systems.
  • Secure Gateway: A secure gateway monitors and protects traffic from the internal network to the Internet and the cloud. This helps keep malware and malicious web content from reaching users through outbound browsing and downloads.
  • Network Segmentation: Network segmentation breaks the corporate network into chunks based on purpose and classification level. Cross-segment traffic is inspected, enabling the organization to detect and block attempted lateral movement by an adversary inside the network perimeter.
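As an added example (not code from this page or from Check Point), the following Python sketch shows the segmentation control above as a segment gateway would apply it: addresses are mapped to segments, only allow-listed cross-segment flows pass, and denied flows are correlated to spot one host fanning out across another segment, which is what lateral movement looks like from the gateway. The segments, the allow-list, and the flow records are all constructed for the demonstration.

```python
"""Segment policy enforcement and lateral-movement detection over flow
records. Example code; segments, policy, and flows are constructed."""
import ipaddress
from collections import defaultdict

# Constructed segments, grouped by purpose.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}

# Allow-list of (source segment, destination segment, destination port).
# Any other flow that crosses a segment boundary is denied and logged.
ALLOWED = {
    ("workstations", "app", 443),
    ("app", "db", 5432),
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
    ("mgmt", "workstations", 3389),
}


def segment_of(ip: str):
    """Return the segment name an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(flow: dict) -> str:
    src, dst = segment_of(flow["src"]), segment_of(flow["dst"])
    if src is None or dst is None:
        return "deny"   # unknown address space never crosses a boundary
    if src == dst:
        return "allow"  # intra-segment traffic does not transit the gateway
    return "allow" if (src, dst, flow["dport"]) in ALLOWED else "deny"


def lateral_movement_report(flows: list, fanout_threshold: int = 3) -> dict:
    """Denied cross-segment flows, plus sources that touched many hosts in
    another segment (a fan-out pattern typical of an intruder probing for
    the next foothold)."""
    denied = [f for f in flows if decide(f) == "deny"]
    targets = defaultdict(set)
    for f in denied:
        targets[f["src"]].add(f["dst"])
    scanners = {
        src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= fanout_threshold
    }
    return {"denied": denied, "scanners": scanners}


# Constructed flow records: a workstation using the app tier normally, the app
# tier talking to its database, then the same workstation probing the database
# segment over SMB and RDP. The last record stays inside the workstation
# segment and is therefore invisible to the segment gateway.
FLOWS = [
    {"src": "10.10.4.17", "dst": "10.20.0.5", "dport": 443},
    {"src": "10.20.0.5", "dst": "10.30.0.10", "dport": 5432},
    {"src": "10.10.4.17", "dst": "10.30.0.10", "dport": 445},
    {"src": "10.10.4.17", "dst": "10.30.0.11", "dport": 445},
    {"src": "10.10.4.17", "dst": "10.30.0.12", "dport": 3389},
    {"src": "10.10.4.17", "dst": "10.10.4.18", "dport": 445},
]

if __name__ == "__main__":
    report = lateral_movement_report(FLOWS)
    for f in report["denied"]:
        print("deny", f)
    print("fan-out sources:", report["scanners"])
```

The last flow record makes the caveat concrete: a segment gateway never sees traffic between two hosts in the same segment, so a compromised workstation can still attack its neighbors. That gap is exactly why the endpoint controls in the previous section are a separate layer rather than a substitute for segmentation.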

Defense-in-Depth with Check Point

Defense in depth requires an array of security solutions and the ability to monitor and manage them all effectively. Check Point’s Harmony Suite of solutions offers the capabilities that organizations need and the ability to operate them as a single, integrated security architecture.

To learn more about Check Point Harmony’s capabilities, sign up for a free demo. Then, request a demo of Check Point’s unified security platform to see how to architect, monitor, and secure a defense-in-depth architecture at scale.
