By Dan Featherman   /   Jan 26th, 2022

5 Key Factors for an Effective Cybersecurity Defense in Depth Strategy in 2022

There is no silver bullet solution when it comes to cybersecurity. New vulnerabilities are discovered every day and IT staff must win the cybersecurity battle every time, whereas attackers only need to win once to gain a foothold in an environment. So where do you focus your efforts to ensure your organization is staying protected? This blog will look at your cybersecurity defense in depth strategy.

Defense in depth is a well-known strategy amongst cybersecurity practitioners. This strategy utilizes layers of security controls to ensure that the confidentiality, integrity, and availability of information systems are maintained. Your organization will likely already have several layers of security controls in place, but you may still be wondering which controls are the most effective or would provide the best return on investment. Let’s look at the key elements of a cybersecurity defense in depth strategy.

The 5 Key Elements of a Cybersecurity Defense in Depth Strategy

Cybersecurity is holistic, and it requires a constellation of elements to be effective. That said, these five elements are foundational for an effective cybersecurity defense in depth strategy.

Patching

The easiest way to limit cybersecurity risk is to ensure all of your systems, applications, and software dependencies are up-to-date with current patches. Patch management is a cornerstone piece of any vulnerability management program and for good reason. There are dozens of patch management applications out there, and they all have pros and cons. The key factors here are that patches are applied in a timely manner (i.e., as quickly as possible), that all systems, applications, and third-party libraries are included, and that the program is audited regularly to ensure objectives are being met. For more details, read our blog, 6 Software Patch Management Mistakes and How to Fix Them.

Training

Whether your organization realizes it or not, you already have a fleet of security sensors deployed: your staff! These people are also one of your first lines of defense. For both of these reasons, training is of the utmost importance. Users should be aware of likely threats, such as phishing or social engineering, but they should also be trained to recognize and report things that seem suspicious or abnormal. Users don’t need to be trained to diagnose or triage incidents, but they do need to know when to escalate to IT who can then perform those actions. For more detailed advice on cybersecurity training, check out this blog.

Multi-Factor Authentication (MFA)

MFA used to be expensive and cumbersome to both use and implement. That’s simply not the case anymore. Solutions like Duo and Okta have a wide range of integrations and have never been easier to set up. Widely supported mobile apps and push notifications have greatly improved the user experience of using MFA.

Of the items listed so far, MFA best exemplifies the “layered” analogy. Instead of a username and password combination being sufficient for authentication, an additional factor (or layer) is required. This means that if a user’s credentials were to be compromised through whatever means, an attacker would still not have enough information to successfully authenticate as that user. For more information, read our blog on MFA.
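The "additional factor" described above, shown as a worked example (added here; this is not code from the original post or from any product it names): a small Python authenticator that requires both a password and a time-based one-time code (TOTP, RFC 6238), so a stolen password on its own does not authenticate. The user store, password and salt are constructed for the example; the TOTP seed is the RFC 6238 reference secret so the generated codes can be checked against the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed user store for this example (not from the original post).
# The TOTP seed is the RFC 6238 reference secret "12345678901234567890",
# base32-encoded the way authenticator apps expect it.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    """First factor: slow salted hash (PBKDF2-HMAC-SHA256) of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {
        "pw_hash": _hash_password("correct horse battery staple"),
        "totp_seed": base64.b32encode(b"12345678901234567890").decode(),
    }
}


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the 30-second time step."""
    return hotp(base64.b32decode(seed_b32), unix_time // step, digits)


def authenticate(username: str, password: str, code: str, now=None, window: int = 1) -> bool:
    """Second layer: both the password and the current TOTP code must be correct."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        _hash_password(password)  # same cost for unknown users as for wrong passwords
        return False
    pw_ok = hmac.compare_digest(_hash_password(password), user["pw_hash"])
    key = base64.b32decode(user["totp_seed"])
    step = now // 30
    # Accept the current step plus/minus `window` steps of clock drift.
    code_ok = any(
        hmac.compare_digest(hotp(key, step + d), code)
        for d in range(-window, window + 1)
    )
    # Evaluate both factors before returning so the result does not reveal which one failed.
    return pw_ok and code_ok


if __name__ == "__main__":
    seed = USERS["alice"]["totp_seed"]
    print(totp(seed, 59, digits=8))  # RFC 6238 test vector for T=59: 94287082
    print(authenticate("alice", "correct horse battery staple", totp(seed, 59), now=59))
    print(authenticate("alice", "correct horse battery staple", "000000", now=59))
```

The layering is visible in `authenticate`: knowing the password (or its hash) yields nothing without the seed that produced the code, and the seed never leaves the server and the user's device. In production the seed would be stored encrypted and the drift window kept as small as the clients allow.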

Segmentation and Monitoring

I often tell clients, “We can’t assess what we can’t access.” This holds true for hackers and malware too. A system cannot be exploited if it is not accessible. Unfortunately, poor network segmentation is still very common. Network segmentation is the practice of creating zones within a logical network and limiting the flow of data between those zones. These zones should be configured to block (or deny) all traffic by default, with allow rules implemented for protocols or services that support necessary business functions.

Limiting the data flowing between network zones makes effective network monitoring possible. If a network is unsegmented and all ports and protocols are permitted, network monitoring cannot be effective. It is trivial for an attacker to operate a protocol over a non-standard port, which could completely circumvent network monitoring efforts or Data Loss Prevention (DLP) controls.
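The deny-by-default zone policy and the monitoring it enables, as an added Python example (not code from the original post): zones are address ranges, allow rules are the only traffic permitted between them, and a protocol/port check runs only over the flows the policy let through, which is what makes the check tractable. The zone map, rule set and sample flows are constructed for the example; the `app` field stands in for whatever application identification a flow collector or IDS provides.

```python
import ipaddress

# Constructed zone map for this example (not from the original post).
ZONES = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "ot": ipaddress.ip_network("10.30.0.0/16"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

# Explicit allow rules: (src_zone, dst_zone, proto, dst_port).
# Anything between zones that is not listed here is denied.
ALLOW_RULES = {
    ("user_lan", "servers", "tcp", 443),
    ("user_lan", "servers", "tcp", 445),
    ("user_lan", "internet", "tcp", 443),
    ("servers", "internet", "tcp", 443),
}

# What the monitor expects to see on each permitted port; a mismatch means
# some other protocol is riding a port the policy happens to allow.
EXPECTED_APP = {443: "tls", 445: "smb"}


def zone_of(ip: str) -> str:
    """Most specific zone containing the address; the /0 'internet' zone is the fallback."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1]


def decide(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
    """Zone firewall decision: intra-zone passes, inter-zone needs an allow rule."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"
    return "allow" if (src, dst, proto, dst_port) in ALLOW_RULES else "deny"


def inspect(flow: dict) -> dict:
    """Apply the policy, then run the monitoring check only on allowed flows."""
    decision = decide(flow["src"], flow["dst"], flow["proto"], flow["dport"])
    result = {**flow, "decision": decision, "alert": None}
    if decision == "allow":
        expected = EXPECTED_APP.get(flow["dport"])
        if expected and flow["app"] != expected:
            result["alert"] = f"{flow['app']} seen on port {flow['dport']} (expected {expected})"
    return result


# Constructed sample flows, in the shape a flow collector might export.
SAMPLE_FLOWS = [
    {"src": "10.10.4.21", "dst": "10.20.0.9", "proto": "tcp", "dport": 443, "app": "tls"},
    {"src": "10.10.4.21", "dst": "10.30.0.2", "proto": "tcp", "dport": 502, "app": "modbus"},
    {"src": "10.20.0.9", "dst": "203.0.113.5", "proto": "tcp", "dport": 443, "app": "ssh"},
    {"src": "10.10.4.21", "dst": "203.0.113.5", "proto": "tcp", "dport": 8443, "app": "tls"},
]


def run(flows=SAMPLE_FLOWS):
    return [inspect(f) for f in flows]


if __name__ == "__main__":
    for r in run():
        print(r["src"], "->", r["dst"], r["dport"], r["decision"], r["alert"] or "")
```

Two of the four sample flows never reach the monitor because the policy drops them; of the two that do, the server-to-internet flow on 443 raises an alert because the observed protocol is not TLS. Without the deny-by-default rules the monitor would have to form an opinion about every port and protocol in the network.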

Principle of Least Privilege

According to NIST, the Principle of Least Privilege states that “users and programs should only have the necessary privileges to complete their tasks.” In a sense, this is similar to the previous item, network segmentation, in that only necessary privileges should be authorized, just like only necessary data should be allowed to flow between network zones. Although this principle is very logical, it’s much easier said than done, especially in existing environments where certain access rights or privileges must be taken away from users.

Convenience all too often outweighs security. Two fantastic examples of where the principle of least privilege may not be convenient but can be extremely effective are removing users’ local administrator privileges and the use of separate accounts for privileged actions. Both of these practices bolster security by preventing the installation of unauthorized software, including malware, as well as ensuring users cannot disable security controls or modify system settings.

Privileged accounts, whether they are local accounts or domain accounts, are prime targets for attackers as they can be leveraged to move laterally, establish persistence, modify logs, and even deploy malware throughout a network, as is often done in ransomware attacks.
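The two practices named above (no local administrator rights on everyday accounts, and separate accounts for privileged actions) expressed as an audit, added here as an example and not code from the original post. It runs over a constructed account inventory of the kind you would export from a directory and from local Administrators group membership, and reports each account that breaks one of the rules, together with the remediation the text calls for. The `-adm` naming convention for separate privileged accounts is an assumption of the example.

```python
# Constructed account inventory for this example (not from the original post).
# "daily_use" marks the account a person reads mail and browses the web with;
# "local_admin_on" lists hosts where the account sits in local Administrators.
ACCOUNTS = [
    {"name": "jdoe", "kind": "user", "daily_use": True,
     "groups": {"Domain Users"}, "local_admin_on": set()},
    {"name": "jdoe-adm", "kind": "user", "daily_use": False,
     "groups": {"Domain Users", "Server Admins"}, "local_admin_on": {"SRV01"}},
    {"name": "asmith", "kind": "user", "daily_use": True,
     "groups": {"Domain Users", "Domain Admins"}, "local_admin_on": {"WS-ASMITH"}},
    {"name": "bjones", "kind": "user", "daily_use": True,
     "groups": {"Domain Users"}, "local_admin_on": {"WS-BJONES"}},
    {"name": "svc-backup", "kind": "service", "daily_use": False,
     "groups": {"Domain Admins"}, "local_admin_on": set()},
]

# Groups whose membership grants broad privilege; extend to match your directory.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Admins"}


def audit(accounts):
    """Return one finding per violated rule; an empty list means both practices are in place."""
    findings = []
    names = {a["name"] for a in accounts}
    for acct in accounts:
        priv_groups = sorted(acct["groups"] & PRIVILEGED_GROUPS)

        # Rule 1: an everyday account must not be a local administrator anywhere.
        if acct["daily_use"] and acct["local_admin_on"]:
            findings.append({
                "account": acct["name"],
                "rule": "local-admin-on-daily-use-account",
                "detail": sorted(acct["local_admin_on"]),
                "remediation": "remove from local Administrators on the listed hosts",
            })

        # Rule 2: privileged group membership belongs on a separate account.
        if acct["daily_use"] and priv_groups:
            separate = f"{acct['name']}-adm"  # assumed naming convention
            exists = separate in names
            findings.append({
                "account": acct["name"],
                "rule": "privileged-group-on-daily-use-account",
                "detail": priv_groups,
                "remediation": f"move membership to {separate}"
                               + ("" if exists else " (account does not exist yet)"),
            })

        # Rule 3: a service account in a domain-wide admin group is over-privileged.
        if acct["kind"] == "service" and priv_groups:
            findings.append({
                "account": acct["name"],
                "rule": "service-account-in-privileged-group",
                "detail": priv_groups,
                "remediation": "grant only the specific rights the service needs",
            })
    return findings


if __name__ == "__main__":
    for f in audit(ACCOUNTS):
        print(f"{f['account']:<12} {f['rule']:<40} {f['detail']} -> {f['remediation']}")
```

In the sample data `jdoe` is the model: the everyday account has no privilege and the `jdoe-adm` account carries the server administration rights. The audit flags `asmith` twice (privileged group and local admin on a daily-use account), `bjones` once, and the backup service account for holding Domain Admins, which is exactly the kind of account the ransomware scenario above depends on.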

The Final Analysis

Effective cybersecurity is like onions, or ogres: it has layers. The more layers of controls we can put in place, the more hurdles an attacker needs to overcome. Ensuring that these 5 key factors are in place helps ensure an effective cybersecurity defense in depth strategy.

Do you wonder how effective your security controls are? LMG Security is here to help with services designed to aid you in assessing, testing, and improving your cybersecurity posture. From risk assessments to software patch management audits and updates and cybersecurity training, contact us if you would like help.

About the Author

Dan Featherman

Dan is the Chief Product Officer and Principal Consultant at LMG Security. He came to LMG in 2014 from Garlington, Lohn and Robinson where he served as Network Administrator and IT Manager for 7 years. Dan graduated with high honors from the University of Montana with a degree in Applied Science. Dan’s current certifications include CISSP, GIAC GPEN, OSCP, CompTIA IT Operations Specialist (CIOS), Secure Infrastructure Specialist (CSIS), A+, Net+, Security+, CCENT, Metasploit Pro Certified Specialist (MPCS), and Nexpose Certified Administrator (NCA). Dan is also a member of the GIAC GPEN advisory board, in addition to the University of Montana Computer Science advisory board, and served several years as the Montana State Representative for the International Legal Technology Association.
