- Nick Swinney
Defence in depth - What does it mean?
Updated: Jun 3, 2021
We’ve probably all been in that meeting. A senior leader is asking why we have so many security controls doing essentially the same thing. In the war against cost and complexity, it’s not a good look. Then, a witness for the defence speaks up and says simply:
“Defence in depth.”
The rest of the defence team nods to each other knowingly and we rest our case.
Depth Charges
After a few recent conversations on ‘Defence in depth’, it’s clear that not everyone interprets the strategy in the same way, and that is probably leading to some organizations feeling more secure than they should.
The term ‘Defence in Depth’ is a military one, based on layering your resources. Rather than relying on a single strong line of defence, the defender deploys their resources in layers. The intention is to slow the attacker and render them vulnerable to counterattack as they progress. Medieval castles were often built this way, with concentric walls. Once attackers breached the outer wall, they would be cut off from their main force and exposed while trying to overcome the inner wall. In this example, the walls aren’t what directly defeats the attacker; the defenders on the ramparts hurling rocks, oil and pitch are.
Fortunately for us, it’s generally a less gruesome scene in cyber warfare, but our take on the strategy is quite different from the original. Rather than rendering attackers vulnerable, the supposed strength of our design is that each of the layers is different. The aim is to limit the effectiveness of an attack by forcing the attacker to use different techniques to defeat each layer before they can reach the castle keep. We might put a moat between those walls, throw in some alligators, some archers… defence in depth.
Unfortunately, this is precisely how we got into trouble in the first place. By adding these bells and whistles, we’re not really improving our depth; we’re simply strengthening an existing line of defence. Whatever tactics our enemy was planning to use to overcome the wall will probably still work, with a bit of tweaking: catapults can launch higher, ladders can be made longer, tunnels dug deeper, and so on.
But what if the attacker’s plan didn’t involve the walls at all? Perhaps they’re planning to poison the castle’s water supply or have a spy in the gatehouse.
Real depth comes from designing diverse layers of controls that, between them, are effective against multiple attack vectors, rather than stacking controls that all answer the same one. A well-crafted phishing email might bypass the firewall, intrusion detection system, anti-virus, access control, security monitoring, awareness training, etc. In the end it might only be a good web filtering policy that prevents the victim from entering their credentials into a bogus site.
Zen and the Art of CyberDefense
Rather than throwing a shiny new kitchen sink at your perimeter to keep the bad stuff out, think about your defences from the asset outwards. Ask yourself what you need to protect and how it could be compromised. There’s a good chance that the enemy is already somewhere within your walls; if not, they will probably be in soon. So, start with good fundamental security hygiene: authentication, privileged access management, access control, segmented networks, vulnerability assessment and patching, standard images, compliance processes, application and third-party security reviews, etc. These controls aren’t usually expensive if you’re doing them right; they just need a bit of discipline and strong governance. Once these building blocks are in place, feel free to add some more exotic tools if they’re warranted, but don’t start eyeing your neighbour’s machicolations until you’re fundamentally sound. Otherwise, the increases in cost and complexity will eventually come back to bite you.
Finally, even if you are covering the fundamentals and building in diversity, be aware that a defence in depth approach can sometimes mask ineffective controls. It’s common to hear “We’re OK if control A fails because we have control B.” But in this scenario, how confident are you that the second control will hold up? Upstream controls tend to do the bulk of our cyber heavy lifting and therefore downstream controls often don’t have the opportunity to show us what they can or cannot do. For us to know the answer, we’d need to regularly test A and B independently of each other, but this is rarely done. Perhaps some Cyber superstars are diligently doing this today for all their depth layers, but I can’t say I’ve met any of them yet.
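The independent-testing point above can be made concrete. What follows is an added example, not code from the original post: it runs a constructed set of phishing samples through two toy controls, an email gateway denylist (control A, upstream) and a web filter (control B, downstream), first as a stack and then each on its own. The denylist, allowlist, path patterns and samples are all made up for illustration. The sample set also covers the phishing case described earlier on the page, where only the web filter stands between the user and a credential-harvesting page.

```python
"""Testing layered controls independently, not only as a stack.

Added example, not part of the original post. The controls, lists and
samples below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishSample:
    sender_domain: str   # domain the email claims to come from
    link_domain: str     # domain of the link the victim is asked to click
    link_path: str       # path on that domain


# Constructed sample set: six phishing emails of varying sophistication.
SAMPLES = [
    PhishSample("mail.free-rewards.biz", "free-rewards.biz", "/login"),
    PhishSample("contoso-helpdesk.com", "contoso-helpdesk.com", "/reset-password"),
    PhishSample("noreply.paypa1-secure.net", "paypa1-secure.net", "/signin"),
    # lure hosted on a trusted file-sharing service
    PhishSample("alerts.company-sso.co", "drive.google.com", "/uc?id=abc"),
    # sent from a compromised legitimate account, link also legitimate
    PhishSample("sharing.dropbox.com", "dropbox.com", "/s/xyz"),
    # invoice fraud: no credential page at all
    PhishSample("billing.vendor-invoices.io", "vendor-invoices.io", "/pay"),
]

# Control A (upstream): email gateway with an assumed sender-domain denylist.
GATEWAY_DENYLIST = {
    "mail.free-rewards.biz",
    "contoso-helpdesk.com",
    "noreply.paypa1-secure.net",
    "alerts.company-sso.co",
    "billing.vendor-invoices.io",
}


def email_gateway_blocks(sample: PhishSample) -> bool:
    """Control A: drop mail from denylisted sender domains."""
    return sample.sender_domain in GATEWAY_DENYLIST


# Control B (downstream): web filter that blocks credential-harvesting paths
# on any domain not on an assumed allowlist.
WEB_ALLOWLIST = {"drive.google.com", "dropbox.com"}
CREDENTIAL_PATHS = ("/login", "/signin", "/reset-password")


def web_filter_blocks(sample: PhishSample) -> bool:
    """Control B: block credential pages on non-allowlisted domains."""
    if sample.link_domain in WEB_ALLOWLIST:
        return False
    return sample.link_path.startswith(CREDENTIAL_PATHS)


def control_report(samples, upstream, downstream):
    """Evaluate the stack and each control on its own.

    'masked' lists the samples that the stack blocks today only because the
    upstream control catches them; they are what reaches the user on the day
    control A fails.
    """
    caught_up = [s for s in samples if upstream(s)]
    caught_down = [s for s in samples if downstream(s)]
    stacked = [s for s in samples if upstream(s) or downstream(s)]
    return {
        "total": len(samples),
        "stacked": len(stacked),
        "upstream_alone": len(caught_up),
        "downstream_alone": len(caught_down),
        "exposed_if_upstream_fails": len(samples) - len(caught_down),
        "masked": [s for s in samples if upstream(s) and not downstream(s)],
    }


if __name__ == "__main__":
    r = control_report(SAMPLES, email_gateway_blocks, web_filter_blocks)
    print(f"stacked: {r['stacked']}/{r['total']} blocked")
    print(f"gateway alone: {r['upstream_alone']}/{r['total']} blocked")
    print(f"web filter alone: {r['downstream_alone']}/{r['total']} blocked")
    print(f"if the gateway fails, {r['exposed_if_upstream_fails']} samples reach the user")
    for s in r["masked"]:
        print(f"  masked by gateway: {s.sender_domain} -> {s.link_domain}{s.link_path}")
```

Stacked, the two toy controls block five of the six samples, which looks healthy. Tested alone, the web filter blocks three, and two of the samples it misses are ones the gateway currently hides from view. The report therefore shows what “we’re OK if A fails” actually means here: half the samples reach the user. The same measurement applies to any pair of layers; the point is that each control is exercised on its own against the same sample set, not only as part of the stack.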
Sometimes, Cybersecurity can seem a bit like rocket science, but the truth is that the most sophisticated solution to a problem is usually also the simplest. Continually adding layers of obstacles in front of attackers isn’t sophisticated or simple. After all, we have finite resources to repel an infinite number of attacks. In our world, less needs to be more; doing a few things well is better than trying to do too much. Today, most data breaches still stem from a lack of fundamentally sound security practices, despite the billions of dollars spent every year in the name of defence in depth.