Defense-in-Depth is a doctrinal term in the computer defense industry meaning that every computer defense has to be made up of multiple, overlapping defenses positioned to best prevent a cybersecurity incident. Most people initially take that to mean they need overlapping technical controls, and that is true, but it is more than that. Technical controls are just one part of a good defense.
Every computer defense you implement should have three main pillars:
- Policies
- Technical Controls
- Training
Every time you need to fight something in the cyber world, think about the policies, technical controls, and training that you need to create, communicate, and enforce to prevent, detect, and respond to that threat. Here’s more discussion on each pillar.
I used to believe that my super-smart, expert understanding of computer security was enough to fix all security problems at any company I worked for. I mean, I hadn't had a single malware infection or security incident on my own computers in over two decades. I knew what needed to be done to stop malware and hackers. I felt like "the man".
Early on in my career, I used to look down on policy and the people who made it as unnecessary “red tape” and wastes of time. All I needed to do for perfect computer security was to correctly configure each computer under my control and everything would be smooth sailing.
Turns out my personal expertise in handling my five computers doesn’t translate to managing hundreds or thousands of computers. When multiple people were involved, all of a sudden, my great initial configurations started to get modified over time, and not always for the better. I was shocked to learn that not everyone made every security decision as competently as I did, with my decades of personal computer security experience. And sometimes even I caused security issues, when I was busy troubleshooting some down-time problem and I opened the firewall with an <ANY><ANY> rule or disabled antivirus in order to rule them out, and forgot to change them back. It’s easy to make mistakes when you don’t have good change/configuration management. Over time, I learned that it is IMPOSSIBLE to keep computers finely tuned and secure without great, written, communicated security policies.
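The two mistakes described above (a troubleshooting firewall exception and a disabled antivirus that nobody reverted) are exactly what a configuration-drift audit should catch. The following is an added example, not code from the original post or its author; the rule and endpoint records are a constructed, hypothetical inventory format, and `audit`, `parse_ts` and the finding labels are names chosen here for illustration.

```python
"""Configuration-drift audit for temporary exceptions that were never reverted.

Added example, not code from the original post or its author. The rule and
endpoint records are a constructed, hypothetical inventory format (real
firewalls and EDR consoles export their own); the checks are the point: flag
any allow rule that is any/any/any, any exception past its expiry, any rule
with no change ticket, and any endpoint with real-time protection switched off.
"""
from datetime import datetime, timezone

# Constructed sample firewall rules. "ticket" is the change-management record
# that authorised the rule; "expires" is when a temporary exception must go.
RULES = [
    {"id": 1, "src": "10.0.0.0/8", "dst": "10.1.5.20", "port": "443",
     "action": "allow", "ticket": "CHG-1001", "expires": None},
    # Opened during an outage to "rule out the firewall", then forgotten.
    {"id": 2, "src": "any", "dst": "any", "port": "any",
     "action": "allow", "ticket": "troubleshooting",
     "expires": "2024-03-01T18:00:00Z"},
    # Default deny at the bottom of the rule base: any/any, but not an allow.
    {"id": 3, "src": "any", "dst": "any", "port": "any",
     "action": "deny", "ticket": "CHG-0001", "expires": None},
    # Legitimate-looking rule that nobody can trace to an approved change.
    {"id": 4, "src": "192.168.4.0/24", "dst": "10.1.5.30", "port": "22",
     "action": "allow", "ticket": None, "expires": None},
]

# Constructed sample endpoint protection state, as an AV/EDR console reports it.
ENDPOINTS = [
    {"host": "ws-017", "av_realtime": True},
    {"host": "ws-042", "av_realtime": False},  # disabled during a support call
]


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_any_any_allow(rule):
    """True for an allow rule with no source, destination or port restriction."""
    return rule["action"] == "allow" and all(
        rule[k] == "any" for k in ("src", "dst", "port")
    )


def has_change_ticket(rule):
    """True when the rule is tied to a change record (CHG-nnnn in this sample)."""
    return bool(rule["ticket"]) and rule["ticket"].startswith("CHG-")


def audit(rules, endpoints, now):
    """Return (finding_type, subject) pairs for every drift condition found.

    `now` is passed in rather than read from the clock so that an audit of a
    given snapshot is reproducible.
    """
    findings = []
    for r in rules:
        if is_any_any_allow(r):
            findings.append(("ANY_ANY_ALLOW", f"rule {r['id']}"))
        if r["expires"] is not None and parse_ts(r["expires"]) < now:
            findings.append(("EXPIRED_EXCEPTION", f"rule {r['id']} ({r['ticket']})"))
        if not has_change_ticket(r):
            findings.append(("NO_CHANGE_TICKET", f"rule {r['id']}"))
    for e in endpoints:
        if not e["av_realtime"]:
            findings.append(("AV_DISABLED", e["host"]))
    return findings


if __name__ == "__main__":
    for kind, subject in audit(RULES, ENDPOINTS, parse_ts("2024-03-02T00:00:00Z")):
        print(f"{kind:18} {subject}")
```

Run on the sample, the any/any allow rule is reported three times over (open to everything, past its expiry, and not tied to a change ticket), the default deny is not reported at all, and the workstation with real-time protection off is listed next to the firewall findings so that both kinds of "temporary" change get reviewed together.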
Whatever your computer security need is, it must be backed by written and communicated security policy. Some things can only be controlled by policy, such as telling someone not to re-use their password on another system that is not under your control. There is no technical control you can put on a system you don't manage to enforce that request. Or asking people to lock the screens of their computers whenever they step away. You can institute a technical control that locks the screen after five or 10 minutes of inactivity, but that means those unlocked, unsupervised computers carry five to 10 minutes of unnecessary risk. If you also have a policy that states that all computers must be locked any time anyone is away from them, and it is enforced, then you get the best of both worlds.
Every time you need to fight something in the cyber world, think about the policies that you need to create, communicate, and enforce to prevent, detect, and respond to that threat.
Technical controls are all the great software and hardware tools you can use to prevent, detect, and respond to cybersecurity badness. It’s your firewalls, anti-malware software, intrusion detection, content filtering, anti-spam, anti-phishing, secure configurations, etc., and everything needed to ensure that those items are optimally configured.
My best recommendation for this class of defense, and really the other two classes as well, is to make sure your controls focus on stopping your biggest and most common threats first and best. You’d be surprised how many people focus on stopping far less threatening things to the exclusion of focusing on the right things. You’re going to be told that thousands of things a year are critical for you to fix, and it just isn’t true. Figure out what the top root cause exploit avenues in your company are: social engineering, unpatched software, misconfigurations, employee mistakes, insider threats, eavesdropping, network/data malformation, third-party risks, or physical attack issues; and focus on the top two or three root cause exploits first and best.
In most companies, the top two root cause threats behind 90% to 99% of all malicious data breaches are social engineering (involved in 70% to 90%) and unpatched software (20% to 40%); the ranges overlap because one breach can involve both. Everything else you can possibly imagine, added up together, comes in a distant third. Figure out which root cause avenues you need to put down first and best, and start there. If you need more guidance on this, check out my best-selling book, Data-Driven Computer Security Defense, or my free white paper from my days working at Microsoft.
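Working out your own top two or three root causes means counting them from your incident records, and the counting has one trap: a single breach can have more than one root cause (a phishing email that delivers an exploit for an unpatched reader is both social engineering and unpatched software), so per-cause percentages overlap and must not simply be added. The following is an added example, not code from the post or its author; the incident records are constructed sample data using the root-cause labels from the list above, and the function names are chosen here for illustration.

```python
"""Rank root-cause exploit avenues from incident records and measure how much
of the caseload the top two or three cover.

Added example, not code from the post or its author. INCIDENTS is constructed
sample data. One incident can carry several root causes, so the per-cause
shares can sum past 100%; coverage of the top N causes is therefore computed
as the share of incidents touched by at least one of them, not as a sum.
"""
from collections import Counter

SE, UNPATCHED, MISCONFIG, INSIDER, THIRD_PARTY = (
    "social engineering", "unpatched software", "misconfiguration",
    "insider threat", "third-party risk",
)

# Constructed sample: 20 incidents, each tagged with its root cause(s).
INCIDENTS = [
    ("INC-01", [SE]),            ("INC-02", [SE, UNPATCHED]),
    ("INC-03", [SE]),            ("INC-04", [UNPATCHED]),
    ("INC-05", [SE]),            ("INC-06", [SE, UNPATCHED]),
    ("INC-07", [MISCONFIG]),     ("INC-08", [SE]),
    ("INC-09", [SE]),            ("INC-10", [UNPATCHED]),
    ("INC-11", [SE]),            ("INC-12", [INSIDER]),
    ("INC-13", [SE]),            ("INC-14", [SE, UNPATCHED]),
    ("INC-15", [SE]),            ("INC-16", [THIRD_PARTY]),
    ("INC-17", [SE]),            ("INC-18", [UNPATCHED]),
    ("INC-19", [SE]),            ("INC-20", [SE, MISCONFIG]),
]


def cause_shares(incidents):
    """Fraction of incidents in which each root cause appears (shares overlap)."""
    counts = Counter()
    for _, causes in incidents:
        for c in set(causes):          # count a cause once per incident
            counts[c] += 1
    return {c: n / len(incidents) for c, n in counts.items()}


def ranked_causes(incidents):
    """Root causes ordered from most to least common, ties broken by name."""
    return sorted(cause_shares(incidents).items(), key=lambda kv: (-kv[1], kv[0]))


def coverage(incidents, top_n):
    """Share of incidents that involve at least one of the top_n root causes."""
    top = {c for c, _ in ranked_causes(incidents)[:top_n]}
    hit = sum(1 for _, causes in incidents if top & set(causes))
    return hit / len(incidents)


def summed_top_shares(incidents, top_n):
    """Naive sum of the top_n shares; overstates coverage when causes overlap."""
    return sum(s for _, s in ranked_causes(incidents)[:top_n])


if __name__ == "__main__":
    for cause, share in ranked_causes(INCIDENTS):
        print(f"{share:5.0%}  {cause}")
    for n in (1, 2, 3):
        print(f"top {n}: covers {coverage(INCIDENTS, n):.0%} of incidents "
              f"(naive sum {summed_top_shares(INCIDENTS, n):.0%})")
```

On the sample data social engineering appears in 70% of incidents and unpatched software in 30%, but together they cover 85% of incidents, not 100%, because three incidents involve both; adding misconfiguration as a third focus area raises coverage to 90%. The same two numbers, computed from your own records, tell you where the first two or three defenses belong.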
No matter what policies and technical controls you implement, some level of cyber badness will get through and reach the end user. You want to implement a great security awareness training program that develops a healthy level of skepticism among employees, enables them to spot bad things, and teaches them what to do (ideally, block and report).
We know that cybersecurity training must be ongoing. Doing cybersecurity training once a year is almost the same as never doing it. Training doesn't start to make an impact until it is done at least quarterly, and the sweet spot is monthly. We used to wonder how to do very effective security training. We don't wonder anymore. We have the data. We know what works. This is it.
I can't recommend a better book on how to make a great security awareness program than my co-worker and friend Perry Carpenter's excellent book, Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. One of my favorite quotes is, "They can be aware and still not care." Perry's book helps them care. You can also check out a myriad of free security awareness training blog articles, tools, white papers, and webinar videos at KnowBe4, Inc. You will not find a better collection of resources to help you do your training better.
Every time you need to fight something in the cyber world, think about the policies, technical controls, and training that you need to create, communicate, and enforce to prevent, detect, and respond to threats. You need to make it automatic in your thinking: "I have a risk; what policies, tools, and training do I need to mitigate this risk?" Rinse and repeat.