By Byron Anderson
InfoSec Engineer, Atmosera
In a recent conversation with Atmosera’s CISO, who works with me as both a peer and a mentor, it was noted that I bring up Defense in Depth (DiD) very frequently. This left me wondering, “Why Defense in Depth?” What was it about the DiD model that made me inclined to bring it up so often in both internal conversations as well as conversations with clients? It was a topic of a previous blog article I wrote as well as the most recent webinar we did together.
So, I started thinking about why DiD resonates so well with me and causes me to bring it up so frequently…
As both a security practitioner and a general consumer whose information is stored with many different organizations that I do business with – including online retailers, health care providers and financial institutions – information security is very important to me. Security is more critical than ever because regulators and customers alike expect organizations to protect the data they hold. Failure to meet those expectations can lead to data breaches, and with them financial penalties and damage to business reputation. In our modern world, just about every business stores and/or transfers information that needs to be secured. It's for these reasons that spreading the word and educating folks about information security is very important and rewarding to me.
The DiD model provides an easy to understand way to help people begin to think about how to approach security in their environment. DiD also scales very well from a basic security implementation to a very comprehensive implementation. I think it’s this combination of characteristics that makes DiD so easy to use in conversation.
Information security is often viewed as complicated, unapproachable, and difficult to implement; however, I don't believe that to be the case. Having an easy, approachable way to begin the conversation helps people feel more comfortable and more open to the idea of beginning their own DiD approach to information security.
The DiD model is easy to understand because it takes the focus away from individual technical products and puts it on the basic design element of layers: no single control is expected to be perfect, so each layer is there to catch what the others miss. These are the 10 basic proficiencies to begin a Defense in Depth approach (the two indented items are supporting capabilities of the layer above them, not separate proficiencies):
- Patching – application of current updates to operating systems, software, platforms and devices
- Firewall – a device or software component that controls traffic between networks or hosts, blocking connections that policy does not permit while allowing legitimate communication
  - IPS/IDS (Intrusion Prevention System / Intrusion Detection System) – inspects traffic for known attack patterns and either alerts (IDS) or blocks (IPS); these are features commonly found in modern firewalls
- Log Management – centralization, storage, and retention of log data
  - A SIEM (Security Information and Event Management) system is often used because it correlates and analyzes the collected log data rather than just storing it
- Change Management – controlled identification, approval, implementation, and tracking of required changes
- Endpoint Protection – software that protects endpoints such as servers and workstations from viruses, malware and other potentially unwanted or malicious activity
- Account & Permission Review – regular review of user accounts and the permissions associated with those accounts, removing accounts and rights that are no longer needed
- Security Training – training employees on basic security best practices, such as how to recognize and avoid email scams
- Vulnerability Management – the process of regularly identifying and reviewing known vulnerabilities within your environment and following up with remediation
- Incident Response Plan – a systematic and documented method of approaching and managing situations resulting from IT security incidents or breaches
- Disaster Recovery – a documented, structured plan with instructions for restoring systems and data after an unplanned disruption
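To show what one of these proficiencies looks like once it is turned into a repeatable check, here is an added example of an Account & Permission Review script. This is example code written for this article and is not part of the original post or the Atmosera webinar materials. The account export format, its field names, the list of privileged groups and the 90-day staleness threshold are all assumptions chosen for illustration; a real review would load the equivalent fields from your directory or identity provider.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample account export for the example (not real data). The field
# names are assumptions; a real export (Get-ADUser, an IdP user API, or
# /etc/passwd plus lastlog) uses its own names and needs its own loader.
SAMPLE_ACCOUNTS = [
    {"name": "alice",      "enabled": True,  "last_login": "2024-05-01T08:12:00Z",
     "groups": ["Domain Users"],                      "is_service": False},
    {"name": "bob",        "enabled": True,  "last_login": "2023-11-15T17:40:00Z",
     "groups": ["Domain Users", "Domain Admins"],     "is_service": False},
    {"name": "carol",      "enabled": True,  "last_login": None,
     "groups": ["Domain Users"],                      "is_service": False},
    {"name": "svc_backup", "enabled": True,  "last_login": "2024-05-02T02:00:00Z",
     "groups": ["Backup Operators", "Domain Admins"], "is_service": True},
    {"name": "dave",       "enabled": False, "last_login": "2022-01-01T00:00:00Z",
     "groups": ["Domain Users", "Domain Admins"],     "is_service": False},
]

# Groups treated as privileged for this review (assumption; tailor to your directory).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}


def parse_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_accounts(accounts, now, stale_days=90):
    """Return one finding dict per issue found in a periodic account review.

    Checks applied to each record:
      - enabled account that has never logged in
      - enabled account idle longer than stale_days
      - service account holding membership in a privileged group
      - disabled account that still holds privileged group membership
    """
    findings = []
    for acct in accounts:
        privileged = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)
        last = parse_utc(acct["last_login"]) if acct["last_login"] else None

        if acct["enabled"]:
            if last is None:
                findings.append({"account": acct["name"], "finding": "never_logged_in",
                                 "detail": "enabled but no recorded login"})
            elif now - last > timedelta(days=stale_days):
                idle = (now - last).days
                findings.append({"account": acct["name"], "finding": "stale",
                                 "detail": f"idle {idle} days; privileged groups: {privileged or 'none'}"})

        if privileged and acct["is_service"]:
            findings.append({"account": acct["name"], "finding": "service_account_privileged",
                             "detail": f"service account is a member of {privileged}"})

        if privileged and not acct["enabled"]:
            findings.append({"account": acct["name"], "finding": "disabled_retains_privilege",
                             "detail": f"disabled but still a member of {privileged}"})
    return findings


def finding_keys(findings):
    """Compact, sorted (account, finding) pairs for reports and checks."""
    return sorted((f["account"], f["finding"]) for f in findings)


def review_sample():
    """Run the review over the constructed export at a fixed, reproducible review time."""
    return review_accounts(SAMPLE_ACCOUNTS, datetime(2024, 5, 3, tzinfo=timezone.utc))


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f['account']:<12} {f['finding']:<28} {f['detail']}")
```

Run against the sample export, the script flags bob (a Domain Admin idle for roughly 170 days), carol (enabled but never used), svc_backup (a service account sitting in privileged groups) and dave (disabled but still a Domain Admin), while alice produces no finding. The point of the exercise is that each of those is a decision for a human reviewer, not an automatic removal: the script makes the review regular and consistent, and the fixed review time keeps its output reproducible.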
While the DiD model is very simple in concept, it can scale from a basic security program to a complex security program. This means it is a model you can start out with, using some basic security tools and processes, and grow with throughout your security journey. In information security we often refer to "maturity models", which are frameworks for judging how mature your information security program is compared to what is possible. DiD allows you to begin with just a few security measures, or layers, and continue to add and improve those layers over time, ultimately raising your maturity level.
I really want to make information security seem more approachable so that it’s embraced by more people and organizations; DiD allows me to do this. We recently presented a webinar, Building a Foundation for Defense in Depth: 10 Security Proficiencies, designed to help make information security approachable using DiD. As part of that webinar, we also created an interactive security self-evaluation worksheet that assesses your organization’s current security profile and provides basic building blocks to help begin or advance your information security journey. If you have more security questions or if you’re looking for a trusted expert to help implement a DiD framework for your organization, contact us today.