
Threat Intelligence

7/11/2016
11:15 AM
Frank Mong
Commentary

Does Defense In Depth Still Work Against Today's Cyber Threats?

Yes. But not for much longer, unless the industry shifts to an automated security and zero trust model.

When it was first applied to the cybersecurity industry some 15 years ago, defense in depth revolutionized the business. Today, the idea of using a collection of security countermeasures to protect a network is an accepted best practice and traditional thought leaders in the cybersecurity space (financial services companies and the U.S. federal government) hold it as gospel.

But while defense in depth has served the industry well over the last 15 years, it’s time to start asking if it’s the approach to take for the next 15 years. I would argue that if defense in depth is to be effective today and in the future, it will require a shift in industry thinking. Here’s why.

If you examine the most publicized hacks of the recent past, the common factor among them was their use of highly sophisticated APTs developed by bad actors or black hat hackers with the expertise, financing, and time to create tools that specifically counter the security measures used in the defense in depth model. Be they state-sponsored hackers or profit-seeking cybercriminals, the attackers completely mapped the defense in depth capabilities of their targets and designed ways to circumvent them.

However, the complexity and cost of developing and orchestrating sophisticated attacks used in these breaches put them beyond the reach of the majority of cybercriminals. As for the potential targets of these attacks, many smaller organizations considered themselves safe because they didn’t have the type of information (credit card data, proprietary IP) or notoriety that would attract the attention of more capable hackers. 

What’s new now?
Today, advanced cyberattack tools are widely available thanks to the rise of underground marketplaces that sell user credentials, toolkits, botnets, and many other tools a cybercriminal could need. The developers of these tools are even offering customers SLAs that guarantee stolen user credentials are valid and usable, to raise the odds that an attack succeeds. Furthermore, many of these tools are now automated, so less sophisticated cybercriminals can launch a high volume of advanced attacks against a target simultaneously.

This has led to a rise in the number of cyberattacks so significant that the defense in depth model cannot keep up. The most concerning weak point in the model is at the point of infiltration. Today's networks are logging millions of events every day, so it's virtually impossible for a security team to identify, analyze, and respond as needed to real threats. And even if a security team stops 999 out of 1,000 attacks trying to compromise the network perimeter, the one attack that gets through could cause serious problems.

Don’t forgo the perimeter
The sheer volume of attacks has led some security teams to abandon the idea of stopping attacks from penetrating the network edge altogether. In their minds, the better approach is to focus on detecting and remediating an attack after it has compromised the perimeter. This is a recipe for disaster. It's all but impossible for security teams to stay up to date on the latest tools attackers can use to breach the network perimeter.

Additionally, it would take a large security team to detect and remediate all of the APTs and malware that would flood their networks if they were to forgo prevention, and most companies don't have the finances or access to qualified security professionals who could keep up with the workload. So while a defense in depth model that includes prevention is still the best way to protect networks, it's going to require that the security industry shift its mindset if it's going to have a fighting chance.

Zero trust + automated security = way forward
If the defense in depth model is going to be effective moving forward, cybersecurity tech vendors need to do a better job of blocking attacks. The best way to do so is to adopt a zero-trust security policy and automate security processes. Zero-trust network security uses application, data, and user information to establish policies for how data moves into and across the network, instead of relying on port- and protocol-based security policies. Security automation requires integration of up-to-the-minute threat information and an ATP security platform that inspects all network traffic to apply policies based on application, user, and data. With a zero trust policy combined with automated security policies blocking the majority of attacks, security information and event management (SIEM) technology or cybersecurity professionals would have time to actively hunt for the few attacks that do manage to get in.
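To make the contrast above concrete, here is an added example (written for this page, not code from the article or from Palo Alto Networks) that evaluates the same flows under a legacy port/protocol rule and under a default-deny zero-trust rule keyed on application, user group, data classification and zone. All application names, groups, hosts and the blocklist standing in for an automated threat feed are hypothetical, constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One flow as an application-aware firewall sees it (constructed sample)."""
    user: str
    groups: frozenset   # directory groups the user belongs to
    app: str            # application identified from traffic content, not port
    dst_port: int
    dst_host: str
    data_class: str     # payload classification, e.g. "pci" or "public"
    dst_zone: str

def port_policy_allows(flow):
    """Legacy port/protocol rule: anything on 443 or 8443 into the datacenter passes."""
    return flow.dst_zone == "datacenter" and flow.dst_port in (443, 8443)

# Zero-trust rules: (application, permitted groups, permitted data classes, zone).
# Hypothetical names; not from the article or any vendor product.
ZT_RULES = (
    ("ms-sql", frozenset({"finance-db-admins"}), frozenset({"pci"}), "datacenter"),
    ("web-browsing", frozenset({"all-staff"}), frozenset({"public"}), "datacenter"),
)

def zero_trust_allows(flow, bad_hosts=frozenset()):
    """Default deny: app, user group, data class and zone must all match a rule.
    bad_hosts stands in for an automated threat-intelligence feed."""
    if flow.dst_host in bad_hosts:
        return False
    return any(flow.app == app and flow.dst_zone == zone
               and flow.groups & groups and flow.data_class in classes
               for app, groups, classes, zone in ZT_RULES)

def compare(flows, bad_hosts=frozenset()):
    """Return (user, app, port-policy verdict, zero-trust verdict) for each flow."""
    return [(f.user, f.app, port_policy_allows(f), zero_trust_allows(f, bad_hosts))
            for f in flows]

# Constructed traffic: an admin's SQL query, an SSH tunnel hiding on 443 that
# moves PCI data, normal browsing, and browsing to a host flagged by the feed.
STAFF = frozenset({"all-staff"})
SAMPLE_FLOWS = [
    Flow("alice", frozenset({"finance-db-admins"}), "ms-sql", 1433, "db01.internal", "pci", "datacenter"),
    Flow("contractor", STAFF, "ssh", 443, "db01.internal", "pci", "datacenter"),
    Flow("bob", STAFF, "web-browsing", 443, "intranet.internal", "public", "datacenter"),
    Flow("carol", STAFF, "web-browsing", 443, "evil.example", "public", "datacenter"),
]
FEED = frozenset({"evil.example"})  # constructed indicator, not a real IoC
```

Calling `compare(SAMPLE_FLOWS, FEED)` shows the port rule waving through the SSH tunnel and the flagged destination while denying the legitimate admin query, and the zero-trust rule doing the reverse.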

The only way that the defense in depth model can hope to stay relevant is to modernize it by adopting automated security and a zero trust model. It’s the only way security teams can scale their efforts in the constantly evolving world of cybersecurity.


Frank Mong is senior vice president of product, industry and solutions for Palo Alto Networks. In this role, he is responsible for directing product marketing, industry (vertical) marketing and overall solutions (platform) marketing for the company's entire portfolio. An ...
Comments
S0MA,
User Rank: Apprentice
9/24/2016 | 1:18:09 PM
Re: You Will Always Defend "In Depth".
Agreed. But defense in depth isn't static. It should also incorporate new technologies such as UEBA, incorporating as many threads of information as possible (packet data, endpoint information, AD integration, sandboxing and global malware checking) that will be more adaptive to the ever-morphing threat.
Longtabsigo,
User Rank: Apprentice
7/20/2016 | 8:50:25 AM
You Will Always Defend "In Depth".
There will always be "depth" in defense. It may not be as "geographic" as the term normally implies. But creating standoff between most critical assets and the bad thing is job one. Ergo, depth.

So don't get hung up on the noun phrase "defense in depth" and keep focus on the action of defending, creating "depth" to either trade space for time, and give defenders time to harden, reposition or otherwise protect assets, while making the adversary's job much tougher.