Defense-in-depth reminds me of the stories I grew up hearing from my grandmother about how kings and queens would protect themselves from invasions. Essentially, they would build castles on a hill in the center of the kingdom, so that if an invasion ever came, they would have time to respond without succumbing to the enemy. The purpose was to delay the attack by increasing the number of barriers, not to prevent the attacker. This raises a question: is this a viable strategy for protecting enterprises from today’s growing number of sophisticated cyber-threats?
The short answer is no. In the last decade, enterprises have built their security posture by layering multiple security tools (firewalls, SIEM, User Behavior Analytics, SOAR, EDR, DLP, email/web filtering, etc.) and staffing a well-trained SOC team. The truth is that this does not do the job. Despite deploying these tools, enterprises still get breached and suffer malicious attacks that lead to data fraud on a day-to-day basis.
With the shift towards cloud computing and IoT, the attack surface is growing exponentially. Additionally, in the face of advanced threats and an increasing number of attack vectors, stacked siloed solutions present a false sense of “zero-trust” security that no longer suffices. These disparate siloed security solutions are also inherently not designed to work together and, thus, leave holes that attackers can easily exploit. Attackers leverage these gaps to intrude into the enterprise and then work their way deep inside. Examples include the massive breach that came through a cyberattack on an HVAC system, the widespread Distributed Denial of Service (DDoS) attack caused by the Mirai botnet targeting IoT devices (primarily home routers and IP cameras), and many more.
In addition, defining and maintaining a security posture with these disparate tools is operationally very costly, as the organization needs to hire and constantly train the SMEs who must work together across the broader ecosystem. Second, the enterprise network perimeter is disappearing with BYOD, and critical applications are being accessed in the cloud by these devices from disparate locations. So, in order to provide a comprehensive security solution, protecting only a pre-defined set of critical assets is a sure recipe for failure. It is, therefore, more imperative than ever to view enterprise security holistically, as opposed to piecemeal.
Visibility is paramount to providing comprehensive “zero-trust” security. After all, what cannot be seen cannot be protected. It is vital to see all the devices (assets) and their interactions within the ecosystem. To get full visibility, it is extremely important to view not only the traffic leaving and entering the organization but also the traffic being sent and received within the organization. This is a foundational building block of a comprehensive security architecture, and one where defense-in-depth falls short.
Correlating the events from the layers of defense created by separate security tools is complex and challenging. The SMEs for each security tool need to compare the data extracted from each platform against the context from the past. Note that these siloed solutions inherently do not integrate or communicate with each other; typically, APIs are exposed and integration is left to professional services. Hence, the idea that adding layers of tools adds layers of defense is a myth. Couple this with the cost and scarcity of cybersecurity talent relative to most companies’ limited security budgets. Enterprises today need machines to conduct intelligent, meaningful correlation with past context, detect anomalies, and either take action to contain and eliminate them or flag them to the security experts for further qualification and remediation.
Detection by itself is not enough. Consider a state-of-the-art building with no sprinkler system installed to protect against fire. If there is a fire in the building, the fire station receives an alarm. But without any remediation on-site, one has to wait for the fire engine to arrive and extinguish the fire. Much of the damage could have been prevented by sprinklers that turn on by themselves as soon as the fire is detected, while the fire engines are still on their way. This type of behavior has even worse consequences when it comes to a cyberattack. Relying on integration with SOAR tools, as is the case with a defense-in-depth security architecture, will certainly not suffice for cybersecurity in the digital era. Although it is better than relying solely on SOC analysts to do damage control, there are many organizations, assets and applications that need real-time, automated response.
Lastly, compliance laws are becoming more stringent. GDPR is one such example, and there will soon be strict requirements from governments in different parts of the world. How does the current defense-in-depth model stack up against these requirements? Being compliant on Day 1 is easy, but what about Day 10? Is there a drift? Which tool in the stack takes ownership of the compliance drift in the multi-layer security model?
Many organizations are realizing that the shortcomings inherent in today’s class of defense-in-depth solutions put them at serious risk, and they are slowly migrating to a more comprehensive, integrated solution. As the attack surface increases and threat vectors become more complicated, it is extremely important for enterprises to re-evaluate and revamp their defense-in-depth strategy in order to provide comprehensive cybersecurity.