Threat Intelligence

7/11/2016
11:15 AM
Frank Mong
Commentary

Does Defense In Depth Still Work Against Today's Cyber Threats?

Yes. But not for much longer unless the industry shifts to an automated security and zero trust model.

When it was first applied to the cybersecurity industry some 15 years ago, defense in depth revolutionized the business. Today, the idea of using a collection of security countermeasures to protect a network is an accepted best practice and traditional thought leaders in the cybersecurity space (financial services companies and the U.S. federal government) hold it as gospel.

But while defense in depth has served the industry well over the last 15 years, it’s time to start asking if it’s the approach to take for the next 15 years. I would argue that if defense in depth is to be effective today and in the future, it will require a shift in industry thinking. Here’s why.

If you examine the most publicized hacks of the recent past, the common factor among them was their use of highly sophisticated APTs developed by bad actors or black hat hackers with the expertise, financing, and time to create tools that specifically counter the security measures used in the defense in depth model. Be they state-sponsored hackers or profit-seeking cybercriminals, the attackers completely mapped the defense in depth capabilities of their targets and designed ways to circumvent them.

However, the complexity and cost of developing and orchestrating sophisticated attacks used in these breaches put them beyond the reach of the majority of cybercriminals. As for the potential targets of these attacks, many smaller organizations considered themselves safe because they didn’t have the type of information (credit card data, proprietary IP) or notoriety that would attract the attention of more capable hackers. 

What’s new now?
Today, advanced cyberattack tools are widely available thanks to the rise of underground marketplaces that sell user credentials, toolkits, botnets, and many other tools a cybercriminal could need. The developers of these tools are even offering customers SLAs that guarantee stolen user credentials are valid and usable, to enhance the success of an attack. Furthermore, many of these tools are now automated, so less sophisticated cybercriminals can launch a high volume of advanced attacks against a target simultaneously.

This has led to a rise in the number of cyberattacks so significant that the defense in depth model cannot keep up. The most concerning weak point in the model is at the point of infiltration. Today's networks are logging millions of events every day, so it's virtually impossible for a security team to identify, analyze, and respond as needed to real threats. And even if a security team stops 999 out of 1,000 attacks trying to compromise the network perimeter, the one attack that gets through could cause serious problems.

Don’t forgo the perimeter
The sheer volume of attacks has led some security teams to abandon the idea of stopping attacks from penetrating the network edge altogether. In their minds, the better approach is to focus on detecting and remediating an attack after it has compromised the perimeter. This is a recipe for disaster. It's all but impossible for security teams to stay up-to-date on the latest tools attackers can use to breach the network perimeter.

Additionally, it would take a large security team to detect and remediate all of the APT and malware that would flood their networks if they were to forgo prevention, and most companies don't have the finances or access to qualified security professionals who could keep up with the workload. So while a defense in depth model that includes prevention is still the best way to protect networks, it's going to require that the security industry shift its mindset if it's going to have a fighting chance.

Zero trust + automated security = way forward
If the defense in depth model is going to be effective moving forward, cybersecurity tech vendors need to do a better job of blocking attacks. The best way to do so is to adopt a zero-trust security policy and automate security processes. Zero-trust network security uses application, data, and user information to establish policies for how data moves into and across the network, instead of relying on port- and protocol-based security policies. Security automation requires integration of up-to-the-minute threat information and an ATP security platform that inspects all network traffic to apply policies based on application, user, and data. By combining a zero trust policy with automated security policies that block the majority of attacks, security information and event management (SIEM) technology or cybersecurity professionals would have time to actively hunt for the few attacks that do manage to get in.
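As an added illustration of that difference (example code written for this page, not from the article or from Palo Alto Networks), the toy policy engine below evaluates the same constructed flows against a port/protocol rule base and against a zero-trust rule base keyed on application, user group and data classification, with deny rules generated automatically from a constructed threat feed. All rule names, groups, application labels and feed entries are assumptions.

```python
# Added example, not code from the article or from Palo Alto Networks: a toy
# policy engine contrasting a port/protocol rule base with a zero-trust rule base
# keyed on application, user group and data classification, plus deny rules
# generated automatically from a (constructed) threat-intelligence feed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset   # directory groups of the authenticated user
    app: str            # application identified from the traffic itself
    dst_port: int
    data_class: str     # payload classification: "public", "internal" or "pii"

@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    apps: set = field(default_factory=set)       # an empty set matches anything
    groups: set = field(default_factory=set)
    data_classes: set = field(default_factory=set)
    ports: set = field(default_factory=set)

    def matches(self, f: Flow) -> bool:
        return bool((not self.apps or f.app in self.apps)
                    and (not self.groups or f.groups & self.groups)
                    and (not self.data_classes or f.data_class in self.data_classes)
                    and (not self.ports or f.dst_port in self.ports))

def evaluate(rules, flow, default="deny"):
    """First-match evaluation; an unmatched flow gets the default verdict."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return default, "default-" + default

def rules_from_feed(feed):
    """Turn a feed of app signatures flagged as malicious into deny rules."""
    return [Rule("feed-" + sig, "deny", apps={sig}) for sig in sorted(feed)]

# Port-based policy: "web is fine" allows anything that looks like HTTPS.
PORT_RULES = [Rule("allow-https", "allow", ports={443})]
# Zero-trust policy: feed denies first, then one narrow allow; everything else denies.
ZT_RULES = rules_from_feed({"paste-site"}) + [
    Rule("finance-sharepoint", "allow", apps={"sharepoint"}, groups={"finance"},
         data_classes={"public", "internal"})]
# Constructed sample flows: legitimate use, a stolen credential and exfiltration.
LEGIT = Flow("alice", frozenset({"finance"}), "sharepoint", 443, "internal")
STOLEN_CRED = Flow("alice", frozenset({"finance"}), "unknown-tls", 443, "pii")
EXFIL = Flow("alice", frozenset({"finance"}), "paste-site", 443, "pii")
```

The port-based policy allows all three flows because they all ride on 443; the zero-trust policy allows only the legitimate one and leaves the rest for the SIEM or a hunter as a much smaller pile of denied events.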

The only way that the defense in depth model can hope to stay relevant is to modernize it by adopting automated security and a zero trust model. It’s the only way security teams can scale their efforts in the constantly evolving world of cybersecurity.


Frank Mong is senior vice president of product, industry and solutions for Palo Alto Networks. In this role, he is responsible for directing product marketing, industry (vertical) marketing and overall solutions (platform) marketing for the company's entire portfolio.
Comments
S0MA, User Rank: Apprentice
9/24/2016 | 1:18:09 PM
Re: You Will Always Defend "In Depth".
Agreed. But defense in depth isn't static. It should also incorporate new technologies such as UEBA, incorporating as many threads of information as possible (packet data, endpoint information, AD integration, sandboxing and global malware checking) that will be more adaptive to the ever-morphing threat.
Longtabsigo, User Rank: Apprentice
7/20/2016 | 8:50:25 AM
You Will Always Defend "In Depth".
There will always be "depth" in defense. It may not be as "geographic" as the term normally implies. But creating standoff between the most critical assets and the bad thing is job one. Ergo, depth.

So don't get hung up on the noun phrase "defense in depth" and keep focus on the action of defending, creating "depth" to trade space for time, and give defenders time to harden, reposition or otherwise protect assets, while making the adversary's job much tougher.