
Threat Intelligence

7/11/2016
11:15 AM
Frank Mong
Commentary

Does Defense In Depth Still Work Against Today’s Cyber Threats?

Yes. But not for much longer unless the industry shifts to an automated security and zero trust model.

When it was first applied to the cybersecurity industry some 15 years ago, defense in depth revolutionized the business. Today, the idea of using a collection of security countermeasures to protect a network is an accepted best practice and traditional thought leaders in the cybersecurity space (financial services companies and the U.S. federal government) hold it as gospel.

But while defense in depth has served the industry well over the last 15 years, it’s time to start asking if it’s the approach to take for the next 15 years. I would argue that if defense in depth is to be effective today and in the future, it will require a shift in industry thinking. Here’s why.

If you examine the most publicized hacks of the recent past, the common factor among them was their use of highly sophisticated APTs developed by bad actors or black hat hackers with the expertise, financing, and time to create tools that specifically counter the security measures used in the defense in depth model. Be they state-sponsored hackers or profit-seeking cybercriminals, the attackers completely mapped the defense in depth capabilities of their targets and designed ways to circumvent them.

However, the complexity and cost of developing and orchestrating sophisticated attacks used in these breaches put them beyond the reach of the majority of cybercriminals. As for the potential targets of these attacks, many smaller organizations considered themselves safe because they didn’t have the type of information (credit card data, proprietary IP) or notoriety that would attract the attention of more capable hackers. 

What’s new now?
Today, advanced cyberattack tools are widely available thanks to the rise of underground marketplaces that sell user credentials, toolkits, botnets, and many other tools a cybercriminal could need. The developers of these tools are even offering customers SLAs that guarantee stolen user credentials are valid and usable to enhance success of an attack. Furthermore, many of these tools are now automated, so less sophisticated cybercriminals can now launch a high volume of advanced attacks against a target simultaneously.

This has led to a rise in the number of cyberattacks so significant that the defense in depth model cannot keep up. The most concerning weak point in the model is at the point of infiltration. Today’s networks log millions of events every day, so it’s virtually impossible for a security team to identify, analyze, and respond as needed to real threats. And even if a security team stops 999 out of 1,000 attacks trying to compromise the network perimeter, the one attack that gets through could cause serious problems.

Don’t forgo the perimeter
The sheer volume of attacks has led some security teams to abandon the idea of stopping attacks from penetrating the network edge altogether. In their minds, the better approach is to focus on detecting and remediating an attack after it has compromised the perimeter. This is a recipe for disaster. It’s all but impossible for security teams to stay up-to-date on the latest tools attackers can use to breach the network perimeter.

Additionally, it would take a large security team to detect and remediate all of the APTs and malware that would flood their networks if they were to forgo prevention, and most companies don’t have the finances or access to qualified security professionals who could keep up with the workload. So while a defense in depth model that includes prevention is still the best way to protect networks, it’s going to require that the security industry shift its mindset if it’s going to have a fighting chance.

Zero trust + automated security = way forward
If the defense in depth model is going to be effective moving forward, cybersecurity tech vendors need to do a better job of blocking attacks. The best way to do so is to adopt a zero-trust security policy and automate security processes. Zero-trust network security uses application, data, and user information to establish policies for how data moves into and across the network instead of relying on port- and protocol-based security policies. Security automation requires integration of up-to-the-minute threat information and an ATP security platform that inspects all network traffic to apply policies based on application, user, and data. By combining a zero trust policy with automated security policies that block the majority of attacks, security information and event management (SIEM) technology or cybersecurity professionals would have time to actively hunt for the few attacks that do manage to get in.
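To make the difference between the two policy styles concrete, the following is an added example (written for this commentary, not code from Palo Alto Networks or any product) that evaluates the same constructed flow records against a port/protocol rule set and against an application-, user- and data-aware rule set. The field names on the flow record and the rule shapes are assumptions; a real inspecting platform would populate them from traffic decoding and identity integration.

```python
"""Port/protocol rules versus application/user/data (zero trust) rules.

Added illustration for the Dark Reading commentary; not vendor code.
Flow records and rule sets below are constructed for the example, and
the field names are assumptions about what an inspecting platform sees.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed session, decorated by traffic inspection and identity."""
    src_zone: str      # zone where the session originates, e.g. "users"
    dst_zone: str      # destination zone, e.g. "internet"
    dst_port: int
    protocol: str      # "tcp" or "udp"
    app: str           # application identified by content inspection
    user: str          # authenticated user, or "unknown"
    data_class: str    # payload classification: "public", "internal", "pii"


# --- Perimeter-style rules: look only at zones, port and protocol -----------
@dataclass(frozen=True)
class PortRule:
    src_zone: str
    dst_zone: str
    dst_port: int
    protocol: str
    action: str        # "allow" or "deny"


def port_policy(rules, flow):
    """First matching zone/port/protocol rule wins; default deny."""
    key = (flow.src_zone, flow.dst_zone, flow.dst_port, flow.protocol)
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_port, r.protocol) == key:
            return r.action
    return "deny"


# --- Zero trust rules: keyed on application, user and data classification ---
@dataclass(frozen=True)
class ZtRule:
    src_zone: str
    dst_zone: str
    apps: frozenset          # applications this rule covers
    users: frozenset         # users; "*" means any *authenticated* user
    data_classes: frozenset  # payload classes allowed to move
    action: str


def zero_trust_policy(rules, flow):
    """Match on identified app, authenticated user and data class; default deny.

    The port number is deliberately not consulted: an unexpected application
    riding a permitted port, or a sensitive payload inside a permitted
    application, falls through to the default deny.
    """
    for r in rules:
        if (r.src_zone, r.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if flow.app not in r.apps:
            continue
        authed_wildcard = "*" in r.users and flow.user != "unknown"
        if flow.user not in r.users and not authed_wildcard:
            continue
        if flow.data_class not in r.data_classes:
            continue
        return r.action
    return "deny"


# Constructed rule sets: both intend "users may browse the web".
PORT_RULES = [PortRule("users", "internet", 443, "tcp", "allow")]
ZT_RULES = [
    ZtRule("users", "internet", frozenset({"web-browsing", "ssl"}),
           frozenset({"*"}), frozenset({"public", "internal"}), "allow"),
]

# Constructed flows, all on tcp/443 so the port rule treats them identically.
FLOWS = {
    "browse":     Flow("users", "internet", 443, "tcp", "web-browsing", "alice", "public"),
    "tunnel":     Flow("users", "internet", 443, "tcp", "unknown-tcp", "unknown", "internal"),
    "pii_upload": Flow("users", "internet", 443, "tcp", "web-browsing", "alice", "pii"),
}


def decisions():
    """Return {label: (port_decision, zero_trust_decision)} for every flow."""
    return {
        label: (port_policy(PORT_RULES, f), zero_trust_policy(ZT_RULES, f))
        for label, f in FLOWS.items()
    }


if __name__ == "__main__":
    for label, (port_d, zt_d) in decisions().items():
        print(f"{label:11s} port/protocol={port_d:5s} zero-trust={zt_d}")
```

Run it and the port rule allows all three sessions, because every one of them is TCP to port 443 from the users zone; the zero trust rule allows only the authenticated browsing session and denies both the unidentified application tunnelling over 443 and the browsing session carrying a PII payload. That is the practical meaning of the paragraph above: the policy decision is keyed on what the traffic is and who is sending it, not on which port it arrives on.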

The only way that the defense in depth model can hope to stay relevant is to modernize it by adopting automated security and a zero trust model. It’s the only way security teams can scale their efforts in the constantly evolving world of cybersecurity.


Frank Mong is senior vice president of product, industry and solutions for Palo Alto Networks. In this role, he is responsible for directing product marketing, industry (vertical) marketing and overall solutions (platform) marketing for the company's entire portfolio. An ...
Comments
Longtabsigo
User Rank: Apprentice
7/20/2016 | 8:50:25 AM
You Will Always Defend "In Depth".
There will always be "depth" in defense. It may not be as "geographic" as the term normally implies. But creating standoff between the most critical assets and the bad thing is job one. Ergo, depth.

So don't get hung up on the noun phrase "defense in depth" and keep focus on the action of defending, creating "depth" to either trade space for time, and give defenders time to harden, reposition or otherwise protect assets, while making the adversary's job much tougher.
S0MA
User Rank: Apprentice
9/24/2016 | 1:18:09 PM
Re: You Will Always Defend "In Depth".
Agreed. But defense in depth isn't static. It should also incorporate new technologies such as UEBA, incorporating as many threads of information as possible (packet data, endpoint information, AD integration, sandboxing and global malware checking) that will be more adaptive to the ever-morphing threat.