What is defense-in-depth security?


Would you be all right if your business shut down for a week due to ransomware?

What would you do if a cybercriminal accessed employee emails and stole the contacts and information inside?

Do you know how to protect your business from cyberattacks like these?

When it comes to security, effective defensive measures are your best chance of preventing cyberattacks like ransomware and cyber extortion. While some attacks are a nuisance, others can be financially devastating.

Defense-in-depth uses layers of security tools, procedures, and programs to help protect your data from cybercriminals while saving you stress and money in the long run. The more secure your business is, the less likely it is to fall prey to cybercriminals.

For over 25 years, WEBIT Services has built effective cybersecurity procedures for hundreds of clients. It is passionate about using strategy and education to prevent cyberattacks and loss.

By the end of this article, you will learn more about the definition of defense-in-depth security, the tools used in each layer, what this looks like practically, and the next steps in implementing new security measures.


Defining “Defense-in-depth”

Defense-in-depth security seeks to add as many hurdles as possible for cybercriminals trying to break into your system. If a criminal makes it past one layer, another layer prevents entry.

Some experts call this “the castle approach” to security because of the many defensive measures built into a castle. Breaching castle walls and their defenses was no easy task.

First, castles had a moat to keep out invaders. Next, invaders had to climb the castle walls while dodging archers, and so on. The goal was to make it immensely difficult and costly for invaders to get inside.

Defense-in-depth takes a similar approach. While you’re not taking out a cybercriminal’s army, your defenses will cost him time and effort. Cybercriminals love easy, random targets, and their success relies on exploiting vulnerabilities.

The fewer vulnerabilities you have, the safer you are from attacks.

So why does defense-in-depth use so many layers to protect your data? Because defense-in-depth recognizes that cybercrime and security are constantly evolving. This constant change makes it impossible to be 100% secure, so no single layer can be trusted to stop everything.

Layers of the defense-in-depth model

Defense-in-depth holistically approaches security to create as much safety as possible. It is generally broken into three groups:

  1. Physical controls
    Tools and systems that prevent physical entry to your location and IT systems (door codes, ID cards, etc.).
  2. Technical controls
    Security measures that protect networks and IT systems through technology, IT tools, and programs.
  3. Administrative controls
    Policies and procedures created by the organization regarding technology use and data protection (e.g., a password policy, employee security training, how to share business files, etc.).

For this article, we will be focusing on tier two, technical controls.


Defense-in-depth: Technical controls

Technical controls focus on IT tools and procedures that boost security and minimize vulnerabilities. They are generally broken into four categories:

  1. Network security
  2. Antivirus Software (also known as “Antimalware” or “Endpoint protection” software)
  3. Behavioral analysis
  4. Data integrity

1. Network security

Network security tools focus on keeping unwanted connections, data, and traffic out of your systems.

Firewalls are an essential network security tool. They block data from dangerous IP addresses and can prevent access to dangerous websites or applications. A good firewall acts as the “front door” to your network.

Multi-factor authentication (MFA) is another critical tool to protect network access. Users must enter their login credentials and an additional, random MFA code to log into accounts or applications. If your password is a doorknob lock, MFA is the deadbolt.

When MFA is activated, cybercriminals cannot access your network even with stolen login credentials. This is because they need both the credentials and the code, and it is much more difficult to steal an MFA code.

2. Antivirus Software

Antivirus software detects malware and other malicious software that might have sneaked past the firewall.

Antivirus software scans your systems for malicious programs that should not be there and may cause harm or a data breach.

Tools like an intrusion prevention system (IPS) analyze network traffic to see if there has been a breach. Then, depending on the program and its settings, an IPS will either handle the breach automatically or send an alert for human help.

Email spam filtering tools and phishing detection help identify and isolate emails with harmful links or attachments. Roughly 90% of data breaches occur due to phishing. Email filtering can prevent dangerous emails from entering inboxes and flag suspicious messages to help keep employees on alert and your data safe.

3. Behavioral Analysis

Behavioral analysis tools detect malware or suspicious files that might have evaded the antivirus software.

Behavioral analysis tools first learn what normal behavior looks like within your system. Once this baseline is established, the tool identifies abnormal behavior that may indicate a breach.

For example, it is normal for the finance team to access finance folders, not marketing. However, if a finance team member’s account suddenly opens marketing folders, the behavioral analysis tool will flag it as abnormal behavior.

Once abnormal behavior is detected, the tool will either alert human administrators or automatically isolate the breach before it can cause significant damage.
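A small version of the baseline-then-flag logic described above, using the finance/marketing folder scenario. This is an added example, not the page's or any vendor's code; the user names, teams, and access log lines are constructed for illustration.

```python
"""Learn which folders each user and team normally touch, then grade new
access events against that baseline (constructed example, not product code)."""
from collections import defaultdict

# Constructed training window: (user, team, top-level folder opened)
BASELINE_LOG = [
    ("alice", "finance", "finance"), ("alice", "finance", "finance"),
    ("bob", "finance", "finance"), ("bob", "finance", "shared"),
    ("carol", "marketing", "marketing"), ("carol", "marketing", "shared"),
    ("dave", "marketing", "marketing"),
]

# Constructed events to grade once the baseline is learned
NEW_EVENTS = [
    ("alice", "finance", "finance"),    # routine access
    ("alice", "finance", "marketing"),  # finance account opening marketing folders
    ("dave", "marketing", "shared"),    # new for dave, but his team uses it
    ("dave", "marketing", "finance"),   # marketing account in finance folders
]


def learn_baseline(log):
    """Record the folders each user and each team has touched before."""
    by_user, by_team = defaultdict(set), defaultdict(set)
    for user, team, folder in log:
        by_user[user].add(folder)
        by_team[team].add(folder)
    return by_user, by_team


def classify(event, by_user, by_team):
    """'normal' if the user has been here before, 'review' if only the
    user's team has, 'alert' if nobody on the team has."""
    user, team, folder = event
    if folder in by_user[user]:
        return "normal"
    if folder in by_team[team]:
        return "review"
    return "alert"


def find_anomalies(baseline_log, events):
    """Return (user, folder, verdict) for every event that is not normal."""
    by_user, by_team = learn_baseline(baseline_log)
    graded = [(u, f, classify((u, t, f), by_user, by_team)) for u, t, f in events]
    return [g for g in graded if g[2] != "normal"]


if __name__ == "__main__":
    for user, folder, verdict in find_anomalies(BASELINE_LOG, NEW_EVENTS):
        print(f"{verdict.upper():6} {user} -> {folder}")
```

Real tools weigh many more signals (time of day, volume, device), but the shape is the same: a learned baseline and a graded deviation from it.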

4. Data integrity

Data integrity is our final defensive layer, analyzing the quality and behavior of files, applications, and programs within your network.

If a file behaves oddly or comes from an IP address associated with cyberattacks, it will be flagged and isolated. For example, files being unexpectedly copied, changed, moved, or damaged can indicate a breach.

Another aspect of data integrity is applying security patches and updates to your hardware and software to address known vulnerabilities. For instance, the WannaCry ransomware attacks spread because thousands of Windows users had failed to apply an available security patch.

Backups are also considered part of data integrity. If a breach deletes or damages files (like in a ransomware attack), do you have backups ready? Are they isolated or attached to the infected network? Quality backups can save valuable data and systems in emergencies.
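One concrete form of the file-level monitoring described in this section is a hash baseline: record a digest of every file, then compare a later snapshot to see what was changed, added, removed, or moved. This is an added example, not the page's or any vendor's code; the directory and its files are constructed inside a temporary folder.

```python
"""Snapshot a directory's file hashes and diff a later snapshot
(constructed example; directory contents are made up for the demo)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Bucket differences: a removed path whose digest reappears under a new
    path is reported as moved rather than as removed plus added."""
    added, removed = set(current) - set(baseline), set(baseline) - set(current)
    by_digest = {current[p]: p for p in added}
    moved = sorted((old, by_digest[baseline[old]]) for old in removed if baseline[old] in by_digest)
    return {
        "added": sorted(added - {new for _, new in moved}),
        "removed": sorted(removed - {old for old, _ in moved}),
        "moved": moved,
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: one file overwritten in place (as ransomware
    would), one unexpected file dropped, one deleted, one renamed."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("ledger.csv", b"q1,100\n"), ("notes.txt", b"hello\n"), ("plan.doc", b"x")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        with open(os.path.join(root, "ledger.csv"), "wb") as fh:
            fh.write(b"\x00garbled ciphertext")          # content replaced
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:
            fh.write(b"unexpected new file")             # new file appears
        os.remove(os.path.join(root, "plan.doc"))          # file deleted
        os.rename(os.path.join(root, "notes.txt"), os.path.join(root, "old_notes.txt"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline itself must live somewhere the attacker cannot rewrite, which is the same isolation question the paragraph on backups raises.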


Defense-in-depth in action

For malware to take root and do maximum damage, it must get through every layer of security. However, with quality security tools and employee training, breaching the defense-in-depth layers becomes increasingly tricky.

First, malware is going to need to get past the firewall. Ideally, the firewall will notice a file coming from a malicious IP address and block it instantly.

However, if the malware sneaks past the firewall, it must now contend with the antivirus software. If it is a known threat, the antivirus will isolate and delete it. If not, it might slip past the antivirus.

Now, the malware must avoid behavioral analysis. If the behavioral analysis tool notices the malware accessing or moving files in an unusual, unapproved manner, it will alert security administrators or remove the threat.

Finally, the malware must escape data integrity analysis if it gets that far. If it is identified as malicious software, it will be isolated and removed before it can do significant damage.


Next steps for creating your defense-in-depth security system

Defense-in-depth security takes a holistic view of security in hopes of making breaches increasingly difficult for cybercriminals.

First, it’s divided into three control groups:

  1. Physical
  2. Technical
  3. Administrative

IT security focuses mainly on the technical control group. This group consists of several IT tools and programs that will identify and handle security threats. They can be summarized as follows:

  1. Network security tools
  2. Antivirus tools
  3. Behavioral analysis tools
  4. Data integrity

Talk to your IT provider about your latest risk assessment and what tools you are using for each defense-in-depth tier.

Your acceptable risk level will determine the number and complexity of your chosen tools. If you are comfortable with greater risk, you may use fewer tools than someone uncomfortable with risk.

For example, if you are comfortable with a higher risk level, you may utilize one firewall. However, someone comfortable with minimal risk may use two firewalls; if one fails, the second will activate.

Every business has unique needs, budgets, and risks. A trusted IT provider or team can help you navigate and select the best for your organization.

If your IT provider is unwilling to discuss or perform quarterly risk assessments, this can be a red flag that something in the partnership is not quite right.

WEBIT Services has helped hundreds of clients in the greater-Chicago area create effective cybersecurity procedures.

If you are looking for a new IT provider, schedule a free 30-minute consultation to see how WEBIT can help.

If you aren't ready to make a commitment but would like to learn more about cybersecurity, we recommend the following articles: