By Derek Sliger, Sr. Director Information Security, Children’s Health
Defense-in-Depth, a concept to employ technical security controls in a layered manner throughout an information system’s deployment, is not a new concept. The goal is simple. If a vulnerability is exploited, minimize the damage that may result. Many years ago, a traditional architecture was comprised of an internal network, a perimeter firewall with a demilitarized zone (DMZ) with an Internet connection. Today’s architecture includes on-prem, cloud, and 3rd party locations.
In today’s world, we have to incorporate non-technical components, such as Cyber Security Awareness and Training into a complete defense-in-depth solution. What are fundamentals? Every company has different architectural implementations. That said, there are principle architecture, technologies, and non-technical aspects that can be employed within a complete defense-in-depth environment.
Information Security today is dynamic and will change tomorrow. Establish a security plan and adapt as new challenges arise.
For many years, delivery of malicious payloads via email has been at the top of every Information Security professional’s most feared “what keeps me awake at night?” list. Knowing that email is the number one method of exploitation, the primary concentration to combat bad actors is to stop that at the front door. It is very important to implement an email protection program that detects and stops SPAM; quarantines or deletes detected malicious content in file attachments or hyperlinks; employs isolation services for hyperlinks in emails, and includes security awareness training. One of the most effective methods of protection related to email is awareness training for your employees. Implement white-hat phishing within your organization.
At the root of secure architecture is the principle of least access. Only allow systems to communicate on what is necessary for operations. No matter where you are in the maturity of this principle, you must have a plan in place to achieve systems only communicating on the ports and protocols that are necessary. Today’s computing environments have many facets (internal network, DMZ, cloud, virtual environments, etc.), therefore the solution is very dynamic.
Many of the top vendors on the infrastructure and virtual sides offer micro-segmentation capabilities. Micro-segmentation must also be combined with other network access controls. From a priority perspective, start with your primary networking infrastructure; industrial controllers; shared application services such as email, DNS, NTP, etc.; systems providing public services, and then critical business applications. This will be a learning experience, and at times you may even have to back out configurations as you determine there were other necessary communications that you were not aware of. Incrementally, step-by-step, start provisioning micro-segmentation and access controls within your company to limit all lateral movement to that only necessary.
Another fundamental in-depth protection is to keep your systems up-to-date with operating and application security patches. Work with your business and application owners to establish formal maintenance/downtime schedules. Keeping systems patched is a mandatory piece of defense-in-depth program. Establishing known maintenance schedules builds assurance across the organization that we do have the ability to bring systems down. Place priority from a patching perspective in this order: public infrastructure, systems providing public services (content, application, and database), internal infrastructure, critical applications, and then secondary applications. For all systems that are publicly accessible or providing public services, remediate all vulnerabilities with priority on exploitable vulnerabilities. For internal systems, concentrate on exploitable vulnerabilities by risk.
In the past, anti-virus protection was based on known signatures. Today that is necessary, but is only a part of the overall endpoint security solution. For endpoint in today’s world, and part of a defense-in-depth deployment, the fundamental components of an endpoint protection program are comprised of the following. The endpoint solution still includes protection against common known vulnerabilities. In addition, capability includes protection against both application and browser-based exploits. Endpoint tools today detect user behavior, this is referred to as User Based Analytics (UBA). UBA consists of monitoring a user’s behavior, establishing a baseline, and when something happens outside that baseline, has the ability to either stop that behavior or alert on it. Endpoint tools should also have the ability to import threat intelligence for known indicators of compromise (IOCs), and when detected have the ability to stop or alert on that detection. Endpoint controls should include host-based intrusion detection/prevention. Needless to say, the endpoints are where the average user is computing, where they are reading emails with files and hyperlinks, surfing the Internet, downloading files, etc. Therefore implementing very dynamic endpoint controls is an absolute necessity.
Cyber Security Awareness and Training
Though this is not an architectural or direct security control, it is as important as either of these. All companies must train their employees on the expected behavior of their employees related to handling of company electronic information. This includes formal training on email protection; being aware of who senders of emails are; not opening files or links from senders they are not aware of or were not expecting; how to use isolation services; and how to report suspicious emails. They need to be trained on expectations of approved company data stores, how to use those, and only use approved data stores. A comprehensive program will include white-hat phishing testing, and additional training for those that fail phishing testing. Employees that routinely fail phishing testing should be assigned mandatory training and/or disciplinary actions.
Defense-in-depth incorporates three primary areas: architecture, technical controls, and non-technical processes. This article provides the fundamental principles, components, and some very quick areas to address. Information Security today is dynamic and will change tomorrow. Establish a security plan and adapt as new challenges arise. It is better to have a strategic goal and begin implementing items as you can. With slow wins, over time, you incrementally accomplish your goal.