Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
1/18/2018
12:30 PM
Chris Park
Chris Park
Partner Perspectives
100%
0%

Applying Defense-in-Depth to the Digital Battlefield

How a layered security strategy can minimize the threat and impact of a data breach.

Defense-in-depth is a concept born on the battlefield, in a time where the greatest threat to an organization’s security was physical, not digital.

The challenge with defending the front lines of attack in the modern age is that on today’s virtual battlefield, the enemy is constantly advancing. Malware itself is now sold as-a-service on the Dark Web, giving hackers financial incentive to relentlessly evolve their tactics and exploit vulnerabilities at all levels of network access. While no approach is going to guarantee 100% security across networks and devices, there are layered strategies that can at the very least minimize the threat of network breaches while giving networks the posture to thwart data theft

Start at the Perimeter
You often hear about how the distributed nature of modern organizations has blurred the enterprise network perimeter, but there are still defenses that plug holes in the process. This perimeter security traditionally starts with firewalls, which evaluate packets of data entering and leaving the network based upon pre-determined access control lists.

Secure web gateways (SWGs) are then generally implemented behind this perimeter within the network to go a step beyond firewalls, assigning contextual information to the complete file or activity that can help better identify – and stop – malicious actors before they reach sensitive content or end users. Gateways provide a horizontal defense-in-depth strategy in that the most effective ones marry a slew of defense functionalities into one platform. For instance, the SWG might act as the web proxy for users sharing the network, dictating compliance settings and network protocols to all users accessing data over that network entry point.

So, while incomplete pieces of the file might make it past the firewall via non-flagged data packets, the gateway proxy will look at the complete file, take it apart, and evaluate it in-depth based upon predetermined access settings. Additional features like sandboxing, which take entire files and allow them to play out in simulated network environments to flag for malware, should also be included to compensate for threats that might not be known by existing filtering solutions.

Incorporate User-level Defenses
Endpoint security takes defense in depth to the user level, complementing defenses at the gateway. This is software that users install on devices to detect viruses should they sneak past the defense at the network perimeter. The settings at the gateway will help complement these endpoint defenses by coordinating with device and user registries to ensure that individuals accessing sensitive network data actually have the proper permissions.

In addition, identity and access management software help change user bad habits by safely collecting sensitive log-in credentials to assure Single Sign-On (SSO) across applications. This is a more secure and convenient alternative to forcing users to create and record unique passwords for all programs and access points – or worse, recycle their credentials across platforms.

The number of defenses that networks can employ are virtually endless so organizations need to be wary of adopting more solutions than their teams can handle. When security teams are juggling management portals, it’s more likely that one area of the defense strategy might get overlooked. Teams should seek out solutions that give them holistic insight into network traffic so they’re in the best position to monitor the front lines of cybersecurity. 

Chris Park brings more than 13 years of experience in corporate network security to his position as CIO at iboss, where he is responsible for creating and driving the company's IT strategy. As resident expert in all aspects of iboss solutions and infrastructure, Chris is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8396
PUBLISHED: 2019-02-17
A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka "Invalid write of size 2."
CVE-2019-8397
PUBLISHED: 2019-02-17
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_close_real in H5T.c.
CVE-2019-8398
PUBLISHED: 2019-02-17
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_get_size in H5T.c.
CVE-2019-8400
PUBLISHED: 2019-02-17
ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter.
CVE-2019-7399
PUBLISHED: 2019-02-17
Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack against HTTP requests for "Terms of Use" and Privacy pages.