Defense-in-depth: Effective, layered security

Modern threats are complex. If complexity is the enemy of security, then defense-in-depth is the answer to keeping your infrastructure protected by closing gaps in security and mitigating sophisticated threats.

June 7, 2024 by Jesus Vigo


In case you missed our previous blog in the defense-in-depth series, we discussed how a “one size fits all” mentality often results in varying levels of protection across device types using different OS’s. The end result? The lack of baseline protections across your device fleet leads to gaps in security, leaving devices, users and organizational data vulnerable to data breaches.

Sweet Security

Imagine for a moment that you’ve got a craving for a sugary treat. Only, you can’t quite seem to make up your mind. One second you’re thinking of a decadent chocolate cake, the next a cookie that’s firm on the outside but warm and gooey in the middle. Oh, but how about a rich brownie, marbled throughout with salted caramel? And don’t forget to top it with silky ice cream. Scratch that, make it a dense yet creamy cheesecake, baked to perfection with a buttery graham cracker crust and topped with a dollop of fresh whipped cream and a handful of tart berries.

Sorry for making you hungry, but each of these desserts on its own produces different tastes and textures on the palate. Choose just one, though, and you’re confined to a single flavor profile, missing out on all the others.

That is, unless you combine them. A cheesecake base, topped with brownie, then cookie and a layer of cake, as a scoop of ice cream sits atop the sinful sweet. Whipped cream, chocolate and caramel drizzle, sprinkles, berries scattered about and one cherry for good measure.

What does this saccharine surprise for the senses have to do with security?

The layered dessert mirrors, in essence, how administrators should approach modern endpoint security. More specifically, by implementing various:

  • Security controls
  • Processes
  • Policies
  • Standards
  • Workflows

Administrators not only develop comprehensive security plans but tie them together through integration as part of an overarching defense-in-depth strategy. In short, integrating controls layers protection and provides a safety net. Several of them, in fact, give organizations multiple levels of risk mitigation to fall back on. Should a threat slip past one control, the next control above and/or below it in the stack will effectively stop it cold.

Building Your Foundation

When preparing any pasta dish, two foundational ingredients are water and salt. Chef Emeril Lagasse always teases that, unless your water already comes seasoned from the tap, you must always add salt first.

Bearing this in mind, a solid foundation is critical to the success of any security plan. In the case of safeguarding your devices, unless they automatically come pre-configured to your unique security needs from Apple (spoiler alert: they don’t!), then the next closest thing is to develop a provisioning strategy based on Zero-Touch Deployment.

Compared to traditional deployments, where IT must painstakingly “touch” new devices before they are assigned to users, zero-touch deployments ensure that provisioning workflows are implemented automatically. Devices can be shipped directly to end users, who unbox them themselves and kick off the setup process the moment they power on the device for the first time. From there, users perform mandatory enrollment in the company’s MDM, where the integration between identity and access management and device management solutions automates everything, including:

  • Applying configurations
  • Hardening settings
  • Deploying applications
  • Installing updates
  • Streamlining security

All this occurs the same way, each time, eliminating human error. And given its modular design, should a component fail to load, workflows need only to be restarted from that point to move forward. Users are empowered to set up their technology and IT can refocus this time on creating better solutions for all stakeholders while complying with organizational requirements.

How do you design a security plan with defense-in-depth in mind?

Offense + Defense

“The best defense is a good offense” – George Washington

Proactive Threat Hunting is most like a three-pronged spear. With it, Security teams perform three crucial security elements through one function:

  • Threat Detection
  • Prevention
  • Remediation

It should come as no surprise that, in recent years, attacks have grown more sophisticated. By converging, or combining multiple threats and deploying them through alternative means, attacks from malicious actors have multiple vectors with which to compromise and exploit vulnerable endpoints. Further concerning, these converged threats are more complex, meaning they are harder to protect against.

Luckily, defense-in-depth strategies have proven highly effective at neutralizing multi-pronged threats by layering controls to minimize risk.

But that is not enough because threats may exist undetected on devices, gathering information and/or simply waiting for the right time to strike. The case for establishing a threat-hunting team within your organization to not only identify unknown threats but mitigate them is critical to your security posture.

“The defense is inherently stronger than the offense” – Carl von Clausewitz

Switching gears, defending against attacks gives organizations, their device fleet, users and sensitive data protection against risks that could open the door to a costly data breach. Typically, remote security, like VPN combined with access permissions was “just enough” to grant distributed workforces access to the corporate network over an encrypted tunnel. But what happens when a bad actor gains access to a user’s credentials or if say, an authorized user prefers to use their personal device instead of the company-issued one to get some work done on the go?

In both instances, legacy security technologies and strategies do not mitigate the risk, thereby leaving the device and organizational network open to attack. The modern threat landscape has evolved and so too must endpoint security tooling and strategies. Enter Zero Trust Network Access (ZTNA).

Building upon the foundational elements in the previous sections, a defense-in-depth strategy is not complete if it doesn’t prevent on-device and in-network threats. ZTNA further subdivides protections by verifying credentials and device health explicitly before a request to access a protected resource is granted. By default, all access is denied (never trust). Authentication requests are verified to be free from compromise. If so, access to only the requested resource is granted – nothing else. Furthermore, each access is routed through a microtunnel, keeping it segmented from other approved connections to prevent MitM and other such attacks.

To streamline security, ZTNA extends protections to all supported devices and operating systems regardless of ownership model. Personal devices get the same level of security as company-issued ones. So each time a device makes a request, ZTNA checks device health to ensure it meets the baseline requirements for access (always verify). If it fails, access remains denied and automated remediation workflows are triggered to bring the device into compliance. Once health and credentials are both verified, only then is access granted to the requested resource.
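The access decision described in the two paragraphs above, written out as an added example (not code from the post or from any ZTNA product): deny by default, check the credential first, then compare device health against a baseline, grant only the requested resource, and hand failed checks to a remediation workflow. The baseline values, field names and sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed organizational baseline a device must meet for access ("always verify").
BASELINE = {"os_min_version": (14, 4), "disk_encrypted": True, "mdm_enrolled": True}

@dataclass
class Device:
    os_version: tuple
    disk_encrypted: bool
    mdm_enrolled: bool

@dataclass
class Request:
    user: str
    credential_verified: bool   # outcome of the identity provider's authentication step
    device: Device
    resource: str

@dataclass
class Decision:
    allowed: bool = False       # deny by default ("never trust")
    granted_resource: str = ""  # stays empty unless a single resource is granted
    reasons: list = field(default_factory=list)
    remediation: list = field(default_factory=list)

def check_posture(device):
    """Return the baseline checks the device fails (empty list means healthy)."""
    failures = []
    if device.os_version < BASELINE["os_min_version"]:
        failures.append("install_os_update")
    if BASELINE["disk_encrypted"] and not device.disk_encrypted:
        failures.append("enable_disk_encryption")
    if BASELINE["mdm_enrolled"] and not device.mdm_enrolled:
        failures.append("enroll_in_mdm")
    return failures

def evaluate(req):
    d = Decision()
    if not req.credential_verified:
        d.reasons.append("credential not verified")
        return d                      # identity fails first; posture is not even consulted
    failures = check_posture(req.device)
    if failures:
        d.reasons.append("device fails baseline")
        d.remediation = failures      # automated workflows to bring the device into compliance
        return d                      # access remains denied until it complies
    d.allowed = True
    d.granted_resource = req.resource  # only the requested resource, nothing else
    return d
```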

“In the case of those who are skilled in attack, their opponents do not know where to defend. In the case of those skilled in defense, their opponents do not know where to attack” – Sun Tzu

The Magic Number (Three)

  • Converged Threats
  • Social Engineering
  • Advanced Persistent Threats (APTs)

In the previous section, we touched upon evolving sophisticated attacks by threat actors. Converged threats are only one of the complex threat types targeting victims across the modern threat landscape.

Social engineering is the biggest threat to endpoint and organizational security and continues to reign supreme given its asymmetrical proportion of minimal effort to maximum impact. Adding to the concern, phishing attacks are growing – not shrinking – with novel attacks developed to target new technologies, like angler phishing and “quishing,” which target the services used for work: social media and QR codes respectively.

Nation-state-backed attacks, otherwise referred to as APTs, “expand their scope of attack beyond critical infrastructure to target any persons, organizations and/or regions that further the nation-state’s interests.” The ubiquity of mobile devices has led organizations to expand business offerings that leverage continuity of operations, empowering employees to work from anywhere, on any device and over any network connection at any time. Similarly, threat actors have weaponized their tools to monitor, target and harass victims after compromising their mobile devices without their consent or knowledge.

The top three most targeted sectors globally are:

  1. Education
  2. Government
  3. Think tanks/NGOs and IT (tied for 3rd place)

Management + Identity + Security = best security

The integration of these three foundational elements acts as the building blocks when designing a rich, deep cybersecurity defense-in-depth plan, ensuring enterprise resources are safe from unauthorized access, minimizing endpoint risk vectors and keeping users secure and productive.

Hungry for more details on how to close security gaps?

Find everything you need to transform your existing security plan today.