Increasing Cyber Resiliency in Businesses

A Layered Security and Defence-in-Depth Approach

The COVID-19 pandemic has disrupted our work patterns and personal lives since the start of 2020. As businesses attempt to resume normal operations amid the challenge, some businesses have moved towards permanent hybrid working and downsized office space.

Communication with colleagues and contractors is no longer restricted to email. Using webcams to see each other while conversing has become the norm when meeting at work sites is not feasible because of the pandemic. Employees are also increasingly using mobile devices and Internet of Things (IoT) devices to access corporate resources. These devices, which lack enterprise-grade security, now form part of the corporate perimeter, leading to a security model that many organisations are unprepared for.

According to the 2020 Data Breach Investigations Report[1], ransomware accounts for 27% of malware incidents, and 18% of organisations blocked at least one piece of ransomware. The report also notes that credential theft, social attacks (i.e., phishing and business email compromise) and errors cause the majority of breaches (67% or more). As ransomware attacks and data breaches continue to rise, the capability of organisations to defend themselves against such incidents is brought under the spotlight. Another pressing factor is that the modus operandi of ransomware has evolved. Adversaries have devised a new strategy: if an organisation does not pay the ransom and chooses to recover its operations from backups, other extortion tactics are used, such as publicly releasing proprietary information and sensitive data that could expose the organisation or its executives to public shame.

Based on the situation that was highlighted, what measures can businesses adopt to improve their cybersecurity posture? Let’s look at layered security and defence-in-depth.

 

Layered Security

Layered security is the implementation of different defences, each covering a different security measure, to protect against different vectors of attack. Layered security does not mean deploying multiple implementations of the same kind of tool. For example, installing antivirus products from two different vendors on the same enterprise laptop is redundancy, not layered security. Doing so may let one tool cover the weaknesses of the other, but it does not catch the failings of a different layer during an attack by the adversary.

The assumption is that any single defence may be flawed against some general or specific attack, and hence a combination of implementations is required to secure the entire system. If one layer fails, other layers remain to defend against the different vectors of attack.

 

1. Data Defence

Organisations should identify where their key data is and take steps to secure it through data governance. File classification, data loss prevention (for data at rest or in motion) and information policy enforcement are important points of consideration in the deployment of data governance. Data policies must be enforceable, and state clearly how data is to be accessed and stored using encryption and/or digital signatures.

 

2. Host Defence

Patch management refers to the application of patches to operating systems, applications and embedded systems. Outdated software products such as Microsoft Office and Adobe Flash Player introduce vulnerabilities to the assets in an organisation. Patching is therefore necessary to keep software up to date and thus support system uptime.

Organisations should also deploy host-based firewalls, for example Windows Defender Firewall for hosts running on Microsoft Windows operating systems, to keep destructive and disruptive forces out. Only connections to authorized services should be allowed. The host-based firewall also provides inbound and outbound access controls through defined rulesets on executables, network ports and IP addresses.
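As an added example (not from the original article), the following PowerShell applies the allow-list model described above to Windows Defender Firewall using the NetSecurity module that ships with Windows: a default-deny baseline, outbound rules scoped by executable, port and remote address, and a single inbound exception. The executable path, rule names and IP ranges are constructed placeholders.

```powershell
# Added example (not from the original article): allow-list host firewall policy
# for Windows Defender Firewall via the built-in NetSecurity module.
# Run in an elevated PowerShell session. Paths, names and addresses below are
# constructed placeholders; replace them with your own values.

# Keep all rules in one group so they can be reviewed or removed together.
$Group = 'Corporate Baseline (example)'

# 1. Default-deny: block anything not explicitly allowed, in both directions,
#    on all three profiles, and log dropped packets for later review.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Outbound allow rules scoped by executable, protocol, port and remote address.
#    Placeholder: the line-of-business client may only reach the application
#    server subnet on TCP 443 (RFC 5737 documentation ranges are used here).
New-NetFirewallRule -Group $Group -DisplayName 'LOB client to app servers' `
    -Direction Outbound -Action Allow -Profile Domain `
    -Program 'C:\Program Files\ExampleCorp\LobClient\lobclient.exe' `
    -Protocol TCP -RemotePort 443 -RemoteAddress 192.0.2.0/24

# Placeholder: name resolution only to the corporate DNS servers.
New-NetFirewallRule -Group $Group -DisplayName 'DNS to corporate resolvers' `
    -Direction Outbound -Action Allow -Profile Domain `
    -Protocol UDP -RemotePort 53 -RemoteAddress 192.0.2.10, 192.0.2.11

# 3. Inbound: hosts accept nothing by default; the one exception here is remote
#    administration from the management subnet on TCP 3389 only.
New-NetFirewallRule -Group $Group -DisplayName 'RDP from management subnet' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 198.51.100.0/24

# 4. Verify: list the group's rules together with the executable, port and
#    address filters that were actually applied.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Program    = ($_ | Get-NetFirewallApplicationFilter).Program
        LocalPort  = ($_ | Get-NetFirewallPortFilter).LocalPort
        RemotePort = ($_ | Get-NetFirewallPortFilter).RemotePort
        Remote     = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
} | Format-Table -AutoSize
```

A default-deny outbound policy also blocks domain authentication, Windows Update and endpoint-agent traffic unless those destinations are allowed explicitly, so test the rule set on a pilot group and review the blocked-packet log before rolling it out.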

 

3. Perimeter Defence

Perimeter defence can be achieved through securing the network. This is normally done with a network firewall to prevent an adversary from entering the private network through defined firewall policies. Technological advancements have also prompted the shift towards Next Generation Firewalls.

A Next Generation Firewall works at the application layer of the OSI model and protects the network through features such as intrusion prevention, deep packet inspection, network-based antivirus, DDoS protection and user-based rulesets. Devices should be authenticated via network access controls (NAC) before being allowed into the private network. This will ensure that only authenticated users will be allowed into the network.

 

4. Human Defence

Your employees play an important role in the fight against cyber criminals. Technology by itself is not a panacea for securing the organisation. Customer, supplier and partner data, proprietary information and financial data are often targeted by cyber criminals. Cyber security incidents such as data breaches, ransomware attacks and intellectual property theft result in reputational damage, operational disruption and monetary loss. Hence, it is important to understand where employees' shortfalls are and to increase their awareness through end-user training.

Organisations can, for example, run simulated phishing campaigns to understand how prone their employees are to phishing in the event of a social engineering attack. Organisations can also put up security awareness posters to remind employees of the risks and of the appropriate actions to take when faced with a cyber security incident.

 

Defence-in-Depth

Defence-in-Depth refers to a comprehensive approach in the implementation of security through multiple layers. It arises from a belief that total security is not possible, and multiple layers of security should be applied through the different information security technologies to slow down a cyber-attack.

According to the Information Assurance Technical Framework (IATF) document, release 3.1[2], the Defence-in-Depth strategy comprises the following areas:

  • Defend the network and infrastructure

  • Defend the enclave boundary

  • Defend the computing environment

  • Supporting infrastructures

Successful implementation of the Defence-in-Depth strategy requires a balanced focus on three primary elements: people, technology and operations. To increase the resiliency of your organisation against an attempted cyber-attack, the following cybersecurity deployments are recommended as part of a Defence-in-Depth architecture.

 

1. Firewalls

Host-based firewalls should be installed to provide authorized inbound and outbound access controls.

While traditional network firewalls offer inspection of incoming and outgoing network traffic, next-generation firewalls provide additional features such as:

  • Intrusion prevention

  • Deep packet inspection

  • Network-based antivirus

  • DDoS protection

  • Malware sandboxing

  • User-based rulesets

  • SSL/SSH inspection

  • URL filtering

  • Web proxy

  • Data loss prevention

  • DNS filtering

Next-generation firewalls can be centrally managed and allow organisations to block less desirable applications with ease.

 

2. Endpoint Detection and Response (EDR)

Endpoint detection and response (EDR) integrates real-time continuous monitoring and data collection with rules-based automated response and analysis.

It monitors network and endpoint events. Information is recorded to a central database for further analysis. The EDR can respond via predefined rules to identified threats, thereby remediating some incidents and reducing the workload of the security analysts.

 

3. Network Segmentation

Network segmentation is the act of dividing a network into smaller subnets based on different tiers and zones. Segments can be created using virtual local area networks (VLANs), and firewall rules can then be applied to protect the applications and data within them. Access controls can also be implemented via access control lists (ACLs).

The main aim of network segmentation is to enhance security by monitoring network and traffic flow and localizing technical issues.

 

4. The Principle of Least Privilege

The principle of least privilege is the concept that any user, program or process should be given only the minimum privileges necessary to perform its job. It is widely considered a best practice and the most important step in protecting high-value data and assets.

 

5. Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) is a security enhancement that requires a user to provide two or more verification factors to gain access to a resource. Organisations should require their users to provide at least two forms of authentication, drawn from different factor categories, so that a single compromised credential is not enough to gain access.

Forms of authentication include:

  • Something you know: password or PIN

  • Something you have: token

  • Something you are: retina, voice recognition, fingerprint

Multi-factor authentication should be implemented at places that require high privilege access and at all external entry points.

 

6. Identity Access Management (IAM)

With more and more organisations bringing their deployment to the cloud, identity access management (IAM) should be used to define how authentication is to be handled for enterprise assets. Multi-factor authentication and login timeouts for critical apps should be implemented to manage user identities and access permissions.

 

7. Mobile Device Management (MDM)

With the increased number of employees bringing their own devices to work, organisations should also consider implementing mobile device management (MDM) to enhance corporate data security by monitoring and managing mobile devices such as laptops, mobile phones, tablets and even Internet of Things (IoT) devices.

 

8. Incident Response Plan

An incident response plan is a set of documents that defines the steps and procedures a company should follow in the event of an incident.

The SANS Institute has outlined a 6-step process for the incident response plan as below:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons learnt

Having an incident response plan ready will ensure that an organisation will be able to conduct a structured investigation to provide a targeted response to contain and remediate the threat.

 

9. Human Defence

Organisations, whether big or small, must remember that their people are the last line of defence against cyber threats. With the increased number of workers performing remote work using mobile and IoT devices, attacks on the corporate network can now be launched from a remote worker's home network.

It is therefore of paramount importance that organisations take steps to educate their employees on the importance of cyber hygiene and on recognising phishing emails so that they do not fall prey to them. This can be done through short videos, quizzes and simulated phishing campaigns that identify those who need more training and guidance.

 

Conclusion

Layered security plays an important role in protecting enterprise endpoints and networks through layers of protection, while defence-in-depth secures assets through layers of security from external to internal hosts. The decision to use layered security or defence-in-depth to protect data and assets will depend on the use case and the maturity of a business' security architecture. It is recommended to start with layered security and gradually work towards a defence-in-depth approach.

 

References

[1] 2020 Data Breach Investigations Report, https://enterprise.verizon.com/en-au/resources/reports/dbir/

[2] Information Assurance Technical Framework (IATF) Release 3.1, https://apps.dtic.mil/dtic/tr/fulltext/u2/a606355.pdf