Does Defense In Depth Still Work Against Today’s Cyber Threats?Yes. But not for much longer unless the industry shifts to an automated security and zero trust model.
When it was first applied to the cybersecurity industry some 15 years ago, defense in depth revolutionized the business. Today, the idea of using a collection of security countermeasures to protect a network is an accepted best practice and traditional thought leaders in the cybersecurity space (financial services companies and the U.S. federal government) hold it as gospel.
But while defense in depth has served the industry well over the last 15 years, it’s time to start asking if it’s the approach to take for the next 15 years. I would argue that if defense in depth is to be effective today and in the future, it will require a shift in industry thinking. Here’s why.
If you examine the most publicized hacks of the recent past, the common factor among them was their use of highly-sophisticated APTs developed by bad actors or black hat hackers with the expertise, financing, and time to create tools to specifically counter the security measures used in the defense in depth model. Be they state-sponsored hackers or profit-seeking cybercriminals, the attackers completely mapped the defense in depth capabilities of their targets and designed ways to circumvent them.
However, the complexity and cost of developing and orchestrating sophisticated attacks used in these breaches put them beyond the reach of the majority of cybercriminals. As for the potential targets of these attacks, many smaller organizations considered themselves safe because they didn’t have the type of information (credit card data, proprietary IP) or notoriety that would attract the attention of more capable hackers.
What’s new now?
Today, advanced cyberattack tools are widely available thanks to the rise of underground marketplaces that sell user credentials, toolkits, botnets, and many other tools a cybercriminal could need. The developers of these tools are even offering customers SLAs that guarantee stolen user credentials are valid and usable to enhance success of an attack. Furthermore, many of these tools are now automated, so less sophisticated cybercriminals can now launch a high volume of advanced attacks against a target simultaneously.
This has led to a significant rise in the number of cyberattacks so significant that the defense in depth model cannot keep up. The most concerning weak point in the model is at the point of infiltration. Today’s networks are logging millions of events every day, so it’s virtually impossible for a security team to identify, analyze, and respond as needed to real threats. And even if a security team stops 999 out of 1,000 attacks trying to compromise the network perimeter, the one attack that gets through could cause serious problems.
Don’t forgo the perimeter
The sheer volume of attacks has led some security teams to abandon the idea of stopping attacks from penetrating the network edge all together. In their minds, the better approach is to focus on detecting and remediating an attack after it has compromised the perimeter. This is a recipe for disaster. It’s all but impossible for security teams to stay up-to-date on the latest tools attackers can use to breach the network perimeter.
Additionally, it would take a large security team to detect and remediate all of the APT and malware that would flood their networks if they were to forgo prevention, and most companies don’t have the finances or access to qualified security professionals who could keep up with the workload. So while a defense in depth model that includes prevention is still the best way to protect networks, it’s going to require the security industry shift its mindset if it’s going to have a fighting chance.
Zero trust + automated security = way forward
If the defense in depth model is going to be effective moving forward, cybersecurity tech vendors need to do a better job of blocking attacks. The best way to do so is to adopt a zero-trust security policy and automate security processes. Zero-trust network security uses applications, data, and user information to establish policies for how data moves into and across the network instead of instead of relying on port and protocol-based security policies. Security automation requires integration of up-to-the minute threat information and an ATP security platform that inspects all network traffic to apply policies based on applications, user, and data. By combining a zero trust policy with automated security policies blocking the majority of attacks, security information and event management (SIEM) technology or cybersecurity professionals would have time to actively hunt for the few attacks that do manage to get in.
The only way that the defense in depth model can hope to stay relevant is to modernize it by adopting automated security and a zero trust model. It’s the only way security teams can scale their efforts in the constantly evolving world of cybersecurity.
Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business. Click to register.
Frank Mong is senior vice president of product, industry and solutions for Palo Alto Networks. In this role, he is responsible for directing product marketing, industry (vertical) marketing and overall solutions (platform) marketing for the company's entire portfolio.
An ... View Full Bio