Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

7/11/2016
11:15 AM
Frank Mong
Frank Mong
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Does Defense In Depth Still Work Against Today’s Cyber Threats?

Yes. But not for much longer unless the industry shifts to an automated security and zero trust model.

When it was first applied to the cybersecurity industry some 15 years ago, defense in depth revolutionized the business. Today, the idea of using a collection of security countermeasures to protect a network is an accepted best practice and traditional thought leaders in the cybersecurity space (financial services companies and the U.S. federal government) hold it as gospel.

But while defense in depth has served the industry well over the last 15 years, it’s time to start asking if it’s the approach to take for the next 15 years. I would argue that if defense in depth is to be effective today and in the future, it will require a shift in industry thinking. Here’s why.

If you examine the most publicized hacks of the recent past, the common factor among them was their use of highly-sophisticated APTs developed by bad actors or black hat hackers with the expertise, financing, and time to create tools to specifically counter the security measures used in the defense in depth model. Be they state-sponsored hackers or profit-seeking cybercriminals, the attackers completely mapped the defense in depth capabilities of their targets and designed ways to circumvent them.

However, the complexity and cost of developing and orchestrating sophisticated attacks used in these breaches put them beyond the reach of the majority of cybercriminals. As for the potential targets of these attacks, many smaller organizations considered themselves safe because they didn’t have the type of information (credit card data, proprietary IP) or notoriety that would attract the attention of more capable hackers. 

What’s new now?
Today, advanced cyberattack tools are widely available thanks to the rise of underground marketplaces that sell user credentials, toolkits, botnets, and many other tools a cybercriminal could need. The developers of these tools are even offering customers SLAs that guarantee stolen user credentials are valid and usable to enhance success of an attack. Furthermore, many of these tools are now automated, so less sophisticated cybercriminals can now launch a high volume of advanced attacks against a target simultaneously.

This has led to a significant rise in the number of cyberattacks so significant that the defense in depth model cannot keep up. The most concerning weak point in the model is at the point of infiltration. Today’s networks are logging millions of events every day, so it’s virtually impossible for a security team to identify, analyze, and respond as needed to real threats. And even if a security team stops 999 out of 1,000 attacks trying to compromise the network perimeter, the one attack that gets through could cause serious problems. 

Don’t forgo the perimeter
The sheer volume of attacks has led some security teams to abandon the idea of stopping attacks from penetrating the network edge all together. In their minds, the better approach is to focus on detecting and remediating an attack after it has compromised the perimeter. This is a recipe for disaster. It’s all but impossible for security teams to stay up-to-date on the latest tools attackers can use to breach the network perimeter.

Additionally, it would take a large security team to detect and remediate all of the APT and malware that would flood their networks if they were to forgo prevention, and most companies don’t have the finances or access to qualified security professionals who could keep up with the workload. So while a defense in depth model that includes prevention is still the best way to protect networks, it’s going to require the security industry shift its mindset if it’s going to have a fighting chance.

Zero trust + automated security =  way forward
If the defense in depth model is going to be effective moving forward, cybersecurity tech vendors need to do a better job of blocking attacks. The best way to do so is to adopt a zero-trust security policy and automate security processes. Zero-trust network security uses applications, data, and user information to establish policies for how data moves into and across the network instead of instead of relying on port and protocol-based security policies. Security automation requires integration of up-to-the minute threat information and an ATP security platform that inspects all network traffic to apply policies based on applications, user, and data. By combining a zero trust policy with automated security policies blocking the majority of attacks, security information and event management (SIEM) technology or cybersecurity professionals would have time to actively hunt for the few attacks that do manage to get in.

The only way that the defense in depth model can hope to stay relevant is to modernize it by adopting automated security and a zero trust model. It’s the only way security teams can scale their efforts in the constantly evolving world of cybersecurity.

Related Content:

Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business. Click to register.

Frank Mong is senior vice president of product, industry and solutions for Palo Alto Networks. In this role, he is responsible for directing product marketing, industry (vertical) marketing and overall solutions (platform) marketing for the company's entire portfolio. An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
S0MA
50%
50%
S0MA,
User Rank: Apprentice
9/24/2016 | 1:18:09 PM
Re: You Will Always Defend "In Depth".
Agreed. But defense in depth isn't static. It should also incoroprate new technologies such as UEBA incorporating as many threads of information as possible (Packet data, End point information, AD integration, sandboxing and global malware checking that will be more adaptive to the ever morphing threat.
Longtabsigo
50%
50%
Longtabsigo,
User Rank: Apprentice
7/20/2016 | 8:50:25 AM
You Will Always Defend "In Depth".
There will always be "depth" in defense.   It may not be as "geographic" as the term normally implies.  But creating standoff between most critical assets and the bad thing is job one.  Ergo, depth.

 

So don't get hung up on the noun-phrase "defense in depth" and keep focus on the action of defending, creating "depth" to either trade space for time, and give defenders time to harden, reposition or otherwise protect assets, while making adversary's job much tougher.
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.