Cybersecurity Executive Briefing – Why Defense in Depth

This started as an email to a few people but as the word count climbed, I started thinking that there may be other SMB IT folks out there trying to explain cybersecurity to Executive teams. I am NOT a security ‘expert’, but I do keep as up to date as possible. I hope this helps.

There are two key concepts in cybersecurity today – Defense in Depth and Assumed Breach. To understand them fully is an entire career of knowledge and research, but we can boil it down to a few base principles.

Back in the Olden Days, there were no smartphones, a few laptops, and the main concern was Keep the Bad Guys Out. We installed firewalls to block access into our networks, some filters for email viruses, and called it done.

Alas, the villainous hordes were not so easily defeated! The increasingly mobile user started being a Typhoid Mary, carrying in bad things from the outside.  Since it’s on a ‘trusted’ device, it’s welcomed into the ‘safe’ network.

Oops.

Like a sick child brings home colds and flu, these mobile devices coming back from the outside world brought back various malicious software (MALWARE). Some were like viruses and spread from machine to machine by infecting documents or programs. Some were worms that moved through the network by tunneling through the files and folders accessible to a “trusted machine”. Some simply downloaded remote control software and awaited instructions as part of a robot network of attackers (BOTNET). All of this happens inside the ‘safe’ perimeter.

The way to defend against this is a posture of “Assumed Breach”. Stated simply, this is acknowledging that at some point an infected machine or file will be on your network. Now what? Detection and Containment are usually the first steps. This is done by implementing machine-level firewalls, restricting network shares, and running routine backups and scans.

The best practices of today all recommend a ‘Defense in Depth’ strategy. Conceptually this is pretty straightforward, but a little trickier to implement. The base idea is like a soldier in a hostile country.

  • At the most personal level, our trooper has a helmet and body armor. On your laptop, this is limiting administrative authorities, disk encryption, and anti-malware software.
  • Next out are the protections for the group. For our troopers, it’s walls and gates with guards. Your network has a firewall with intrusion detection and filters to keep the bad stuff out.
  • Finally, there is air support. For our trooper, this may be a group of fighter jets flying around to detect and intercept incoming ‘bogeys’. For our network, this is a cloud-based filter that stops problems before they even get to the perimeter.

The issue with many corporate solutions goes back to the whole “mobile” concept. When our troopers are out in the jungles of the cyber world (aka the Airport Lounge), they don’t have the group protection of the firewall layer. With no cloud-based systems, it’s down to just body armor or what security they have locally installed.

Just like how our troops have more advanced body armor than their great-grandfathers in World War II, advances in weapons require advances in protection. It’s an arms race between the security experts and the bad actors, and it’s a fast-moving one.

Keeping up is difficult even for large companies with dedicated security staff, and it’s exponentially more difficult for smaller companies where the technical staff are forced to wear more hats. That’s why SaaS (Software as a Service) offerings are so attractive. Most well-reviewed SaaS products are very good at early detection and protection from outside attacks. The best will also prevent a botnet-compromised machine from ‘reporting back’ for instructions. A few thousand per year is still cheaper than a very public breach or hiring a dedicated security person!

Some executives will doubt whether it’s worth it to have all this security. Sure, responsible leadership has a cybersecurity clause on their business insurance, and even with multiple layers and backups, you may still get hit. To switch analogies a bit, we all have a theft clause on our homeowner/renter insurance, right? We also still lock our doors when we leave.

So what’s the answer? What is the solution that fixes all of this so we can move on with business? Sadly, there is no one-size-fits-all solution. The answer is ‘It Depends’. What is your budget? What is your tolerance for risk? A very small business with few digital files would likely be OK with a daily or weekly backup to a drive stored offline. You could call that 1.5 layers. Larger businesses with a larger digital presence and less tolerance for loss of files and capability will need more protection.