Defense-In-Depth

Hmmm. Defense-in-Depth… where do we start? How about with the good old castle defence analogy?

David, Brian K., THE OBSERVER’S BOOK OF CASTLES, 1979: ‘Wall tower, barbican and gatehouse enabled the defenders of a castle to keep the enemy at a distance – so long as he remained above ground. The enemy below ground presented a greater problem. Undermining by tunnelling was, in the long run, the most effective way of bringing down a wall or tower. To combat this it was necessary to raise the natural water-table in the vicinity of the castle, so that any tunnel would automatically flood, drowning the miners. This was the original purpose of the castle moat. There were other advantages to be gained from it. A moat made it difficult for an attacker to bring ladders and wooden assault towers close to the castle walls. It provided a supply of water in case of fire. It could even be stocked with fish. But primarily it existed to discourage tunnelling.’

Castles across the world, back in those days, can be seen as companies nowadays. Some castles carried more risk from attacks, whether inherent, internal or external, than others. Some castles had more budget and personnel available than others. Defense-in-Depth, when properly applied, recognizes that defences need to be set up against external and internal risks, that they must respond to dynamic threats, and that defences must protect, detect, respond and recover.

If I were protecting a castle and had the security budget available, I would want physical controls such as moats and walls; intelligence such as who may attack and when; slick processes such as an effective whistleblower system for suspicious insiders; paper log records of activity (e.g. a visitors' book) recorded and stored safely for auditing and post-attack investigation; and two guards from different divisions required to open the wall gate, to prevent a rogue one opening it for the enemy.

When thinking about defense-in-depth for IT Security, it can be very daunting to understand the real risks at different depths and tie that with available budgets and correctly articulate value from any given solution (because all vendors say you need their solution and give you their special pair of glasses when doing a proof of concept that shows their solution is indeed needed!).

Doing something hastily can also be as bad as doing nothing at all. For example, building a roof may be useless if the wall is too tall for any known missile to rise above. The finite resources used for the roof could have been used on a more effective control.

At CIPHER we intimately know about defense-in-depth. This is because Information Security is our passion. We are the modern day equivalent of a castle security historian that has their own castles. It is this passion that drives our business and provides us with true expertise.

We believe defense-in-depth for an organization should include some or all of these controls depending on the results of a risk assessment.

[Figure: defense-in-depth02]

Which of these boxes do you have in place? You either have it in place, partially in place or need it.

Different businesses carry different risks, resulting in different control requirements. A well-known company, however big or small, will have a greater risk of a DDoS attack than one that is not well known; the latter is better off spending its available budget on a different control that addresses a greater risk to its organization.

CIPHER is more than happy to discuss these controls with you. We love talking about Information Security.

 

By Parthi Sankar, Principal Security Architect - CIPHER


About CIPHER

Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited Managed Security Services and Security Consulting Services with ISO 20000 and ISO 27001, SOC I and SOC II, PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past five years. These services are supported by the best in class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and R&D laboratories, complemented by strategic partners around the globe. 

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions. 
