Applying Defense-in-Depth to the Digital Battlefield

How a layered security strategy can minimize the threat and impact of a data breach.

Chris Park, CIO, iboss

January 18, 2018

Dark Reading

Defense-in-depth is a concept born on the battlefield, at a time when the greatest threat to an organization’s security was physical, not digital.

The challenge with defending the front lines of attack in the modern age is that on today’s virtual battlefield, the enemy is constantly advancing. Malware itself is now sold as-a-service on the Dark Web, giving hackers financial incentive to relentlessly evolve their tactics and exploit vulnerabilities at all levels of network access. While no approach is going to guarantee 100% security across networks and devices, there are layered strategies that can at the very least minimize the threat of network breaches while giving networks the posture to thwart data theft.

Start at the Perimeter
You often hear about how the distributed nature of modern organizations has blurred the enterprise network perimeter, but there are still defenses that plug holes in the process. This perimeter security traditionally starts with firewalls, which evaluate packets of data entering and leaving the network based upon pre-determined access control lists.

Secure web gateways (SWGs) are then generally implemented behind this perimeter within the network to go a step beyond firewalls, assigning contextual information to the complete file or activity that can help better identify – and stop – malicious actors before they reach sensitive content or end users. Gateways provide a horizontal defense-in-depth strategy in that the most effective ones marry a slew of defense functionalities into one platform. For instance, the SWG might act as the web proxy for users sharing the network, dictating compliance settings and network protocols to all users accessing data over that network entry point.

So, while incomplete pieces of the file might make it past the firewall via non-flagged data packets, the gateway proxy will look at the complete file, take it apart, and evaluate it in-depth based upon predetermined access settings. Additional features like sandboxing, which takes entire files and allows them to play out in simulated network environments to flag malware, should also be included to compensate for threats that might not be known by existing filtering solutions.
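The gap between per-packet filtering and whole-file inspection described above, as an added sketch that is not from the original article or any vendor's product. The marker string, port list, and all function names are assumptions made for illustration, and the sample file is constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data: a harmless marker stands in for a known-bad pattern.
SIGNATURE = b"X-CONSTRUCTED-TEST-SIGNATURE"
SAMPLE_FILE = b"%PDF-1.4 header " + SIGNATURE + b" trailer"
BAD_SHA256 = {hashlib.sha256(SAMPLE_FILE).hexdigest()}
ALLOWED_PORTS = {80, 443}  # hypothetical ACL: web traffic only

@dataclass
class Packet:
    flow: str      # connection identifier
    seq: int       # byte offset of this payload within the flow
    dst_port: int
    payload: bytes

def firewall_allows(pkt):
    """Layer 1: ACL check plus a content match limited to one packet."""
    return pkt.dst_port in ALLOWED_PORTS and SIGNATURE not in pkt.payload

def reassemble(packets):
    """Rebuild each flow's byte stream, tolerating out-of-order arrival."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.seq):
        flows.setdefault(p.flow, bytearray()).extend(p.payload)
    return {flow: bytes(buf) for flow, buf in flows.items()}

def gateway_verdict(data):
    """Layer 2: the proxy judges the complete object, not its pieces."""
    if hashlib.sha256(data).hexdigest() in BAD_SHA256:
        return "block:known-hash"
    if SIGNATURE in data:
        return "block:signature"
    return "allow"

def inspect(packets):
    """Run both layers; return (packets past firewall, verdict per flow)."""
    passed = [p for p in packets if firewall_allows(p)]
    verdicts = {f: gateway_verdict(d) for f, d in reassemble(passed).items()}
    return len(passed), verdicts

def split(data, size, flow, port=443):
    """Chunk a file into packets of at most `size` payload bytes."""
    return [Packet(flow, i, port, data[i:i + size])
            for i in range(0, len(data), size)]

if __name__ == "__main__":
    # 20-byte payloads never hold the whole 28-byte marker, so layer 1 passes all.
    print(inspect(split(SAMPLE_FILE, 20, "flow-a")))
```

Every 20-byte packet clears the firewall because the marker straddles packet boundaries, yet the reassembled file is blocked at the gateway.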

Incorporate User-level Defenses
Endpoint security takes defense in depth to the user level, complementing defenses at the gateway. This is software that users install on devices to detect viruses should they sneak past the defense at the network perimeter. The settings at the gateway will help complement these endpoint defenses by coordinating with device and user registries to ensure that individuals accessing sensitive network data actually have the proper permissions.

In addition, identity and access management software helps change users' bad habits by safely collecting sensitive log-in credentials to assure Single Sign-On (SSO) across applications. This is a more secure and convenient alternative to forcing users to create and record unique passwords for all programs and access points – or worse, recycle their credentials across platforms.

The number of defenses that networks can employ is virtually endless, so organizations need to be wary of adopting more solutions than their teams can handle. When security teams are juggling management portals, it’s more likely that one area of the defense strategy might get overlooked. Teams should seek out solutions that give them holistic insight into network traffic so they’re in the best position to monitor the front lines of cybersecurity.

About the Author

Chris Park brings more than 13 years of experience in corporate network security to his position as CIO at iboss, where he is responsible for creating and driving the company's IT strategy. As resident expert in all aspects of iboss solutions and infrastructure, Chris is responsible for iboss' entire IT operation, including network and system engineering, front-end development, data center operations, and customer service and support. Prior to becoming CIO, Chris served in a variety of product management and network architect roles, working with public and private companies to troubleshoot and support their network security infrastructures.