It’s a challenge every security practitioner knows well. As defenders of the company network, we need our protection mechanisms to succeed everywhere, all of the time. Meanwhile, our adversaries only need to succeed in one place, at a time of their choosing.
This asymmetry is known as the defender’s dilemma. Considering it, it’s not hard to understand why companies seem to be fighting a losing battle with attackers. With constant news of data breaches and other successful cyber attacks, the odds seem to be in the adversary’s favor.
The attacker’s dilemma
But it’s not time to throw up our hands. There is a strategy that turns this dilemma on its head: force intruders to clear several more hurdles before their attack can succeed, which makes success a lot less likely.
This strategy is defense in depth, and it is sometimes compared to a castle. As with a castle, not just one but several layers of protection stand at the ready. Should an attacker penetrate one layer, other layers are in place to stop further advances. Each layer plays a specific role, protecting in its own way, as part of a greater whole.
Several layers of security mean that an attacker must get it right multiple times for the attack to succeed. That means not only more barriers, but more opportunities for detection: more trip wires for the attacker to run into. The defender’s dilemma becomes the intruder’s dilemma.
Not only that, each hurdle the attacker must overcome raises the attacker’s cost. The attacker must put more time, effort and money into breaching your company, which works as a deterrent. The benefit depends on the layers failing independently, however; two layers that share the same blind spot (the same signature feed, the same misconfiguration) count as little more than one.
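A small model makes the argument concrete. The example below is added here and is not code from the original post; the per-layer bypass probabilities, detection probabilities, costs and the correlation parameter rho are constructed assumptions for illustration, not measurements. It computes how likely an attacker is to slip past every layer when the layers fail independently, how much effort the attacker is expected to spend, and how much of the benefit evaporates when the layers share a blind spot.

```python
"""Toy model of defense in depth: independent versus correlated layers.

Added illustration, not part of the original post. All numbers are
constructed assumptions; they are not measurements of any product.
"""
from functools import reduce
from operator import mul


def p_evade_all(p_bypass):
    """Probability the attacker slips past every layer.

    Assumes each layer's chance of being bypassed is independent of the
    others, so the probabilities simply multiply.
    """
    return reduce(mul, p_bypass, 1.0)


def p_detected_somewhere(p_detect):
    """Probability that at least one layer raises an alert.

    p_detect holds, per layer, the chance that layer notices the attacker
    passing through it (independent layers assumed).
    """
    return 1.0 - p_evade_all(1.0 - p for p in p_detect)


def expected_attacker_cost(p_bypass, cost_per_layer):
    """Expected effort the attacker spends before the attempt ends.

    The attacker pays the cost of layer i only if they reached it, i.e.
    bypassed all earlier layers. This is the 'cost structure' argument:
    every extra layer adds expected cost even if it is sometimes bypassed.
    """
    reach = 1.0   # probability the attacker gets as far as the current layer
    total = 0.0
    for p, c in zip(p_bypass, cost_per_layer):
        total += reach * c
        reach *= p
    return total


def p_evade_correlated(p_bypass, rho):
    """Crude model of layers that share a blind spot.

    Assumption for illustration: with probability rho the layers are
    effectively one control (same vendor, same signature feed, same
    misconfiguration), so evading the weakest one evades them all;
    otherwise they fail independently.
    """
    if not 0.0 <= rho <= 1.0:
        raise ValueError("rho must be in [0, 1]")
    return rho * max(p_bypass) + (1.0 - rho) * p_evade_all(p_bypass)


# Constructed sample layers, named after the castle analogy.
LAYERS = ["vulnerability management", "gateway protection",
          "endpoint protection", "detection and response"]
P_BYPASS = [0.5, 0.5, 0.5, 0.5]   # assumed chance each layer is bypassed
P_DETECT = [0.3, 0.3, 0.3, 0.3]   # assumed chance each layer alerts
COST = [1.0, 1.0, 1.0, 1.0]       # assumed attacker effort units per layer


def summary(rho=0.0):
    """Return the headline numbers for the constructed layers."""
    return {
        "evade_all_independent": p_evade_all(P_BYPASS),
        "evade_all_correlated": p_evade_correlated(P_BYPASS, rho),
        "detected_somewhere": p_detected_somewhere(P_DETECT),
        "expected_cost": expected_attacker_cost(P_BYPASS, COST),
    }


if __name__ == "__main__":
    for rho in (0.0, 0.5, 1.0):
        s = summary(rho)
        print(f"rho={rho}: evade all (independent)={s['evade_all_independent']:.4f} "
              f"evade all (correlated)={s['evade_all_correlated']:.4f} "
              f"detected={s['detected_somewhere']:.4f} "
              f"expected cost={s['expected_cost']:.3f}")
```

With four independent layers that are each bypassed half the time, the attacker gets through only one attempt in sixteen and is expected to pay almost two layers' worth of effort per attempt; with rho = 1 the same four layers are no better than the single weakest one. That is the practical check behind the castle analogy: layers only count when they fail for different reasons.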
Defending the castle
Which layers make up an effective security program built on defense in depth? Returning to the castle analogy, first there is the castle wall: vulnerability management plugs the holes in it so threats cannot slip in through the cracks. Then there’s the drawbridge: gateway protection stops every visitor and lowers only for those deemed appropriate. Inside the castle are various structures, and endpoint protection guards each of them against individual compromise. Should all of these layers fail and a threat somehow penetrate the fortress, detection and response alerts the guards so the threat can be contained and removed.
With GDPR having come into force this year, these layers aren’t just “nice to have.” The GDPR does not prescribe specific security controls. But because sound security practice is critical to protecting personal data and to demonstrating compliance, a comprehensive security program encompassing threat prediction, prevention, and breach detection and response should be in place. Each of these layers is a critical part of that program and of GDPR compliance.
In the coming weeks, I’ll be exploring each of these layers in turn. We’ll look at how they work together to protect the organization and how they can be your best defense against data breaches.