What is defense-in-depth?
Organizations defend their networks at each of the six levels shown in the graph. End-user Internet Security Awareness Training lives in the outermost layer: Policies, Procedures, and Awareness. That outer shell is, in reality, where security starts: you don't open the door and let the bad guy walk freely into your building, right? Let's take a quick and admittedly highly simplified look at defense-in-depth.
End-user security awareness is an important piece of the security puzzle because many attacks go after the end user rather than the technology (this is called social engineering), and they succeed only if the user cooperates.
Once an organization has published its policies, implemented its security procedures, and trained all employees, the first layer of defense-in-depth is in place.
The second layer is the perimeter. In IT that usually means a firewall, together with related tools such as intrusion prevention, that block traffic and connection attempts that should never reach the inside.
The third layer is the internal network. Various tools monitor the network for attackers and for traffic that should not be there, for example one workstation suddenly connecting to many other machines, or an unusually large volume of data leaving the network, and raise an alert when they see it.
Next, each individual computer in the network (a host) must be protected. This is where endpoint security tools live; they attempt to block attacks at the level of the single machine, including attacks that the perimeter and network layers did not see.
Then there are many ways to protect the individual applications running on those computers, and last but not least the data itself needs protecting, again in many ways, encryption being one example. The reason for stacking these layers is that no single one is perfect: each should work independently of the others, so that an attack that slips past one layer still has to get past the next.
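The perimeter and internal-network layers above, as an added illustration that is not part of the original post: a short Python script runs constructed flow records through a hypothetical perimeter allowlist and then through two internal-network detection heuristics (a lateral-movement sweep and bulk outbound transfer). The internal address range, the allowlist, the thresholds and the sample traffic are all assumptions chosen for the example. The point it makes is the defense-in-depth one: the inbound RDP probe is stopped at the perimeter, but the already-compromised internal host never crosses the perimeter inbound, so only the next layer can catch it.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions for this example (hypothetical, not from the original post):
# the internal range, the perimeter's inbound allowlist and the thresholds.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
INBOUND_ALLOWLIST = {("10.0.1.10", 443), ("10.0.1.20", 25)}  # web server, mail relay
LATERAL_HOST_THRESHOLD = 10          # distinct SMB targets from one internal source
EXFIL_BYTES_THRESHOLD = 500_000_000  # outbound bytes from one source to external hosts


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def perimeter_allows(flow: Flow) -> bool:
    """Perimeter layer: inbound traffic from outside must match the allowlist.
    Internal-to-internal and outbound flows never arrive at the firewall as
    inbound traffic, so it has no opinion on them and lets them through."""
    inbound = not is_internal(flow.src) and is_internal(flow.dst)
    if not inbound:
        return True
    return (flow.dst, flow.dport) in INBOUND_ALLOWLIST


def network_alerts(flows):
    """Internal-network layer: look for traffic that should not be there.
    Heuristic 1: one internal source touching many internal hosts on SMB (445),
    typical of a lateral-movement sweep.  Heuristic 2: one internal source
    pushing a large volume to external hosts, typical of data exfiltration."""
    smb_targets = defaultdict(set)
    outbound_bytes = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dport == 445:
            smb_targets[f.src].add(f.dst)
        elif is_internal(f.src) and not is_internal(f.dst):
            outbound_bytes[f.src] += f.bytes_out
    alerts = []
    for src, targets in sorted(smb_targets.items()):
        if len(targets) >= LATERAL_HOST_THRESHOLD:
            alerts.append(("lateral_movement", src, len(targets)))
    for src, total in sorted(outbound_bytes.items()):
        if total >= EXFIL_BYTES_THRESHOLD:
            alerts.append(("exfiltration", src, total))
    return alerts


def evaluate(flows):
    """Run the flows through both layers and report what each one caught.
    Only traffic the perimeter let through reaches the network-layer checks."""
    blocked = [f for f in flows if not perimeter_allows(f)]
    passed = [f for f in flows if perimeter_allows(f)]
    return {"blocked_at_perimeter": blocked, "network_alerts": network_alerts(passed)}


# Constructed sample traffic (not real captures).
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.0.1.10", 443, 1_200),        # legitimate inbound HTTPS
    Flow("203.0.113.5", "10.0.1.50", 3389, 300),         # inbound RDP probe: perimeter stops it
    Flow("10.0.2.8", "10.0.1.20", 25, 4_000),            # ordinary internal mail
    Flow("10.0.2.7", "198.51.100.9", 443, 800_000_000),  # compromised host pushing data out
] + [Flow("10.0.2.7", f"10.0.3.{i}", 445, 2_000) for i in range(1, 13)]  # SMB sweep of 12 hosts


if __name__ == "__main__":
    result = evaluate(SAMPLE_FLOWS)
    for f in result["blocked_at_perimeter"]:
        print("perimeter blocked:", f)
    for alert in result["network_alerts"]:
        print("network alert:", alert)
```

Running it prints one perimeter block (the RDP probe) and two network alerts, both for 10.0.2.7. The thresholds are deliberately simple; a production detector would baseline per-host behaviour over time rather than use fixed numbers, but the layering logic is the same.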
End-user security awareness, however, affects every layer of an organization's security profile, because it truly is where security starts. That is why it is so important that small and medium-sized enterprises (SMEs) give their end-users Internet Security Awareness Training and enforce compliance with it.
Stu Sjouwerman
