Defense In Depth – The Onion Way

By: Ofir Even - Citadel Information Security Officer   |   Updated: 2/7/2023

Foreword

By now, you should be aware of the importance of securing your systems against potential vulnerabilities and attacks. One effective way to do so is by implementing a defense-in-depth approach, which involves using multiple layers of security measures to protect against a variety of threats. In this post, I will cover the principles of defense-in-depth and how to apply them to harden your systems.

What is Defense-in-Depth?

Defense-in-depth is a security approach that involves using multiple layers of security controls to protect against a variety of threats. It’s based on the idea that no single security measure is foolproof, so it’s important to have multiple safeguards in place to reduce the risk of a security breach. The concept of defense-in-depth can be compared to an onion, with each layer representing a different security control. The idea is that an attacker would have to breach multiple layers to successfully compromise the system, making it more difficult and less likely to happen.

Principles of Defense-in-Depth

Several key principles are important to consider when implementing a Defense-in-depth approach for your business/organization:

1. Consider how to spend your resources wisely. Resources are limited – we can’t pull out the big guns on every information security issue. Use security controls that are proportional to the level of the risk at hand. It’s important to assess the risks to your systems and implement security controls that are appropriate for the level of risk. For example, We may require better security controls for a system that handles sensitive financial data than for a system used for internal communication.
2. Incorporate multiple layers of security measures: As mentioned above, it’s important to have multiple layers of security in place to reduce the risk of a security breach. Hackers easily identify weak security posture by simply noticing there are not many layers in place to crack – just like the broken window theory. That’s why I urge you to take action in order to make your organization less likely to be targeted by implementing multiple security layers. For example, you should consider implementing systems like Firewalls, Intrusion Prevention Systems, Strong Authentication & Authorization controls, and, last but not least, Endpoint Security tools (AV/EDR/XDR).
3. Continuously monitor and improve security measures: The digital world is very dynamic. Each day new attack vectors and threats emerge. Ransomware, Vulnerabilities, Malicious software, Phishing, APTs, DDoS. That’s why Information Security is an ongoing process. Regularly review and update your security measures to ensure that they are effective and up to date. This can include actions like applying security patches and updates, conducting security risk assessments, and implementing new security controls as needed.
4. Centralized management and the use of complementary security controls: it’s important to choose security controls that work well together and complement each other. By using UTM platforms, we can manage multiple security layers in one unified platform. More on the topic later.
5. Follow security best practices: There are many best practices guidelines available for securing systems, such as the Center for Internet Security’s (CIS) 18 Critical Security Controls. It’s important to follow these best practices to ensure that your systems are as secure as possible.

The benefits of Unified Threat Management (UTM) Appliances/Software

1. Cost-effectiveness: UTM solutions almost always cost significantly less than purchasing and maintaining multiple standalone security systems separately.
2. Simplified management: With UTM, administrators can manage all security functions from a single console rather than multiple systems separately.
3. Onboarding a UTM is quicker on all fronts: simplifies the learning curve for the IT / Infosec personnel by providing a single platform for Information Security management. By focusing on becoming experts in a single system rather than trying to juggle multiple systems at once, IT professionals can improve their efficiency and effectiveness, ultimately leading to better results all around.
4. Advanced security: UTM solutions often include a range of security features, such as firewalls, antivirus, antibot, intrusion prevention, and content filtering to filter out certain Applications and URLs, which can provide a more comprehensive level of protection.
5. Improved performance: Implementing UTM solutions optimizes the performance of security functions, resulting in faster processing and reduced strain on system resources.
6. Enhanced visibility: UTM solutions provide a single, centralized view of security events, making it easier to identify and respond to threats.

Applying Defense-in-Depth with System Hardening

Now that we’ve learned about Defense-in-Depth let’s see how we can use System Hardening to apply these principles to the systems we currently own.

1. Perform a security risk assessment: The first step in implementing a defense-in-depth approach is to conduct a security risk assessment to identify potential vulnerabilities and threats to your organization. Start with identifying assets, assessing risks, and developing a plan to mitigate them.
2. Implement security controls: Based on the results of your security risk assessment, implement appropriate security controls to reduce the risk of a security breach. Consider the following: setting strong passwords, disabling unnecessary services and accounts, and making sure applying security patches and updates occur regularly.
3. Implement least privilege: It’s important to follow the principle of least privilege, which means giving users only the minimum level of access they need to perform their job functions. This can help reduce the risk of unauthorized access to sensitive data or systems.
4. Fine Tuning Security Policies: Many security systems like Firewalls, IPS, and NAC (for example) often give a false sense of confidence to C-Level Managers. We must implement a proper policy in addition to having the device present in the organization. Sometimes an audit reveals that the system wasn’t even working – because someone had put it in monitoring mode. This can happen when several IT personnel configure the system without notifying and coordinating with each other. So, make sure to regularly check the policy and the configuration for holes and issues with a third-party auditor.
5. Use advanced security tools and technologies: There are many security tools and technologies available that can help you implement a defense-in-depth approach with system hardening. These can include tools like Anti-Virus (Newer Versions – EDR/XDR), a WAF – Web Application Firewall, NAC – Network Access Control, and a DLP – Data Loss/Leak Prevention.
6. Information Security Awareness Training: We humans are the weakest link in the chain. Hackers very often prefer to trick the human (easy) instead of trying to fool a best of breed Firewall (hard). That’s why it’s important to educate your employees about security best practices and make sure they understand the importance of following security protocols. Make sure to include an annual training plan on various subjects to ensure employees understand, for example, why and how to set a strong and memorable password, how phishing attacks look like and how to avoid them, and how to identify and report a potential security threat.
7. Use Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide at least two forms of authentication before logging in. Multiple Factors include “something you know” - like a password, or “something you have” - like a phone or security token. Additionally, “something you are” (biometrics) and “somewhere you are” (location) are also factors that should be considered.
8. Use encryption technologies: Encrypting data can help protect it from unauthorized access, whether it’s in transit or stationary. It will also make it very frustrating for an attacker when they understand all the stolen assets are encrypted, which means they got nothing. We usually encrypt data as it’s transmitted over the internet, as well as when it is stored on servers or devices.
9. Monitor for suspicious activity: proactively monitoring for suspicious activity can help you identify potential security threats and take swift action to neutralize them before they cause harm. For example, monitoring for unusual login activity, monitoring for unauthorized access to sensitive data, and monitoring for suspicious network traffic. The best way to do so these days is by using SIEM – Security Information and Event Management Software. We use SIEM to collect and analyze the relevant logs from all around the organization in one centralized place. The best way to implement a SIEM is by harnessing the power of the SOC – Security Operation Center. The SOC analyst team is responsible for monitoring, detecting, investigating, and are the first responders to cyber threats around the clock, 24/7/365. Many organizations have traditionally found this defense layer to be costly. However, in recent years it has been possible to acquire and utilize this service at a more affordable price through the use of Managed Security Service Providers (MSSPs).
10. Have a response plan in place: It’s important to have a plan in place for responding to security breaches or other security incidents. Make sure to have important contact information readily available, just in case. Prepare a protocol for identifying the scope of the incident, taking steps to contain the incident, and restoring affected systems to their normal state.

Closing Words

If you read this far – Congrats! Knowledge is power – and you just gained some more.

In this post, we emphasized the benefits of taking a defense-in-depth approach. How it will greatly improve the security posture of the organization while reducing the risk of a security breach. It is a cyclic process that must be maintained over time. By all means, it is not an easy task, but it is one of the cheapest. Most of you probably already have a Firewall or an IPS in place. That being said, very few can say that they know exactly what is going on inside those tools. Moreover, the Tools and practices mentioned above are just examples and are not intended to be a complete list. So, invest the time to build a plan that fits your business, considering all the key principles we talked about here. Thanks for taking the time to read and invest in your cybersecurity knowledge.

Back