We are often asked by our customers "what is the one solution that will work?" The answer to this is simple: none. The current buzzwords of 'Layered Security' or 'Defense-in-Depth' have their merits, but there is no magic bullet.
We prefer to take the Defense-in-Breadth approach, a strategy that uses a combination of highly effective, complementary and overlapping products and services which together can have a higher success rate. Bear in mind, however, that even this approach will never be 100% effective, but it can significantly reduce the number of successful attacks. Formally then, Defense-in-Breadth is:
A planned, systematic set of multi-disciplinary activities that seek to identify, manage, and reduce the risk of exploitable vulnerabilities at every stage of the system, network, or sub-component lifecycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement). Source: NIST.GOV, CNSSI 4009-2015
The key take-away is that this is not an "implement and forget" strategy. It is a sustained, ongoing, active approach that relies on a "siege" mentality. It employs multi-vendor approaches to technology, services, security processes and human resources. It takes collaboration, from both within and outside an organization.
Defense-in-Breadth Key Aspects
- Includes features of layered and defense-in-depth
- Filtering of what leaves network as well as what enters it
- Proxy all services with an ALG (Application Layer Gateway) with user-level login, tracking and accountability (think UTM appliance with AD/RADIUS authentication)
- Establish an offline footprint; at a minimum this includes encrypted offline backups
- Build multiple firewalled networks; at a minimum, separate the internal corporate network from internet-facing systems. Use separate networks for any internet-connected systems such as IoT, Wireless, POS, Perimeter Security, etc.
- Cyber security training at least every two years to address the human factors. This is not just one broad 'one size fits all' course, but a set of courses, each of which is tuned to a specific employee functional group. (Example: human-factor security training for Finance is quite different from that which should be taught to a company's application developers.)
- Overlapping multi-vendor environment (break the one-vendor mold): a flaw or missing signature in one product may be caught by another vendor's product at the same or a different layer
- Monitor 24/7, Incident Response, Reporting
- Penetration Testing, Ethical Hacks
- Sharing of information both within and across industries, and with government. Example: sanitized attack-signature hashes shared across industries. (A paradigm change is needed: while this is already available to a limited degree in some vendor products, it is rarely shared across vendor lines.)
Call us today for a free initial consultation
Note: An in-depth article on Layered, Defense-in-Depth and Defense-in-Breadth coming soon...