Knowing the necessary and appropriate cybersecurity controls to implement within your organization can be tricky, or at least cumbersome. There’s an overwhelming amount of tools and services available, as well as endless pieces of advice to keep in mind as you’re building your security program.
In an effort to help make building, or refreshing, your security program a little easier, today we’re kicking off our “best practices” series. This series will take a deep dive through each of the cybersecurity checklist items outlined in a previous blog to give you a better understanding of why each of these components is essential to creating a secure environment.
We begin this series talking about the importance of layered security and how it benefits enterprises in the long run.
Why layered security?
Layered security, or defense-in-depth security, is an approach to cybersecurity that does not rely on a “silver bullet” solution to counter cyberthreats. Although there are several reasons why a layered security approach is an important and effective cybersecurity best practice, the 3 main reasons we’ll discuss today are:
- Too many threats have too many different characteristics. It’s not reasonable or feasible to depend on a single solution to counter all attack types. For example, a Web Application Firewall (WAF), which proactively protects websites and applications from malicious actors by blocking suspicious behavior, isn’t going to stop a spear phishing attack or insider threats, as both of these attacks target very different systems.
If you rely on a so-called silver bullet solution, all you will be given is a false sense of security and an unprotected environment. However, a layered defense strategy allows you to implement a number of security measures to combat a multitude of threats from outside and within your organization, each with their own unique traits.
- A single attack is usually made up of a cyber kill chain. This is the lifecycle of a threat from the initial compromise to the end goal, and the steps in between. In most cases, each step can only be detected by a specific type of security control, or a combination of controls.
For example, let’s say there’s a particular attack including:
- Reconnaissance: A target ‘victim’ email address is identified
- Weaponization: A malicious attachment is created
- Delivery: The attachment is sent to the victim via email
- Exploitation: The malicious attachment is executed
- Installation: The initial attachment downloads and runs a second stage of malware
- Command & Control: The second stage malware establishes connections to C2 over https
- Actions & Objectives: The attacker uses established C2 to steal sensitive information
Here, in the cyber kill chain, you can see multiple points of attack before the threat actor gets to the metaphorical pot of gold. Therefore, having multiple layers of security provides a greater number of defenses. Supposing your email filter fails to detect the attachment, you might have a network security policy and proxy that would prevent the second stage malware from being downloaded even if the end user clicked on the attachment. Basically, if you have multiple layers of security and one of those layers counters a particular step in the kill chain, it might be enough to mitigate the attack.
- If one layer is missing, the next one might be able to fend off the attack. One good real-life scenario where a multi-layered approach might have thwarted an attack was WannaCry. People lament the lack of proper patching in the affected organizations and how it might have prevented that ransomware crypto-worm from spreading.While that’s true, the spread also could have been prevented had the affected organizations adopted a multi-layered approach by 1) minimizing external exposure of services through firewalls/NATs and 2) applying proper (internal) network segmentation. That way, even if the systems were unpatched, the worm wouldn’t have been able to infect other networks or move laterally.
Underneath the layers
From a macro perspective, the layers of security are policy, technology, and training.
You need clear and strong policies to dictate what security controls should be in place. For example, you could have a policy that says, “Be wary when opening email attachments or clicking on links from people you don’t know.”
That policy can then be supported by a technology layer, which would consist of technical elements or sub-layers, like configuring firewall entrance and exit filtering rules, setting up a NAT or reverse proxy, opening only specific ports, and so on.
The last layer ensures that end users, which are almost always the weakest link in a security program, are properly educated about the consequences of failing to adhere to security policies as well as how to uphold those policies. It doesn’t matter how well-thought-out your policies and how state-of-the-art your technologies are, if your end users are not educated enough, your security controls can be at risk of being circumvented.
Ultimate benefits of a layered security approach
In addition to the importance of layered security that we talked about in the first section, which are essentially also the benefits of that approach, there are a few bonuses worth mentioning.
If you institute layered security, you actually gain more flexibility in maintaining an acceptable level of security. To elaborate on that, if you have only one security solution that requires patching (e.g. to prevent a recently known exploit) and that patch somehow can’t be applied to certain systems (this sometimes happens), you’re left with no other option.
But if you can patch the majority of your systems, isolate the ones you can’t patch, and then apply specialized monitoring on those unpatched systems, you still should be able to detect an attack that takes advantage of the known exploit. That’s another benefit of layered security.
In today’s threat landscape, where cyberattacks are usually multi-pronged, multi-staged, and multi-faceted, a layered approach is, realistically speaking, the only way you can truly defend your digital assets.
Stay tuned for additional blogs in this cybersecurity best practices series on topics such as, patch management, third-party partnerships, password security, storing customer information, and response plans.