Defense in Depth for Advanced Threat Protection

Wednesday, July 09, 2014

Alain Mayer


Over the last few years, the threat landscape has shifted. Threat actors have evolved from individual hackers to well-funded professionals, often with ties to organized crime or foreign governments. These threat actors have established a network to exchange information and create tools for launching increasingly sophisticated cyber attacks. This new wave of attacks is often targeted, aiming to gain access to digital assets of high financial value to the attacker, such as source code, design plans, customer data, or credit card data.

To better protect organizations, IT security vendors have started to offer products to detect and protect their customers from such threats. Currently, there is a bewildering choice of products and technologies on the market. Products range from perimeter-based security systems to endpoint monitoring agents. Technologies include sandboxes to detonate and detect exploits, machine learning to adapt to ever-morphing threat patterns, and collecting large amounts of heterogeneous data to query for patterns.  

So how should these solutions be evaluated, and how should an IT organization select and prioritize its spending on defenses?

I believe that defense in depth – a long-established information assurance concept – can help in developing a sensible strategy for this evolving threat landscape. Wikipedia defines defense in depth as:  

“Multiple layers of security controls (defense) are placed throughout an IT system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical for the duration of the system’s life cycle.

Defense in Depth is a practical strategy and a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between the protection capability and cost, performance, and operational considerations.”

Three Critical Defense Layers

We believe there are three core layers of defense against Advanced Threats:

1. Perimeter

2. Network Interior

3. Endpoint

The Perimeter

The perimeter is the traditional layer for threat detection and protection. Starting with firewalls, then IPS appliances, and most recently sandboxes, there is an established history of IT security products for perimeter-based detection and protection. Detecting, or, even better, stopping an attack before it reaches the inside is the best possible outcome, as it minimizes both the IT cost and the business impact of an attempted attack. Unfortunately, this layer is largely ineffective at detecting or stopping attacks in the face of mobility, encrypted communication, and other emerging factors such as public clouds. It is important to understand that these are inherent shortcomings of any product or technology deployed solely at the perimeter: any perimeter product needs to see the attack traffic in order to detect or stop it.

The Network Interior

The network interior is traditionally where performance-monitoring systems that assure the optimal performance of internal and external business applications are deployed. With an increasingly porous perimeter, the network interior becomes the first layer to see traffic generated by attacks that managed to get inside via mobile endpoints, such as laptops infected with malware while on a guest wireless LAN. A presence at this layer cannot detect or stop an attack before it infects at least one internal endpoint, so it requires more forensics and mitigation work than an attack stopped at the perimeter; what this layer can do is distinguish between successful and unsuccessful exploits, because only a successful exploit produces follow-on traffic from the infected host. In addition, security solutions for the network interior can differentiate between botnet activity that is mostly focused on stealing an endpoint’s computing cycles for monetization on the outside (e.g., bitcoin mining, ad click fraud) and targeted attacks that put high-value assets at risk. A beneficial side effect is that security for the network interior is best placed to assess the business risk of an attack.

The Endpoint

The endpoint is another traditional layer of security defense, the most frequently deployed solution being anti-virus protection. An endpoint agent has the ability to watch an attack from close up. The challenge for this layer is to avoid blind spots: a lack of agent coverage across the various operating systems, employee-owned devices, clients, and servers, and out-of-date agent versions on endpoints that miss updates because they are offline or on external Wi-Fi connections.
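The blind spots listed above are something a defender can measure rather than guess at. The following added example (not from the original post) audits a constructed asset inventory against constructed agent check-in records and reports, per device, which gap applies: no agent installed, an operating system the agent does not support, an employee-owned device, an agent version behind the current release, or a last check-in older than the allowed age. The device names, versions, dates and thresholds are all assumptions made for the example.

```python
"""Endpoint-layer blind-spot audit.

Added example, not from the original post. Inventory, check-in data,
versions and thresholds are constructed.
"""
from datetime import datetime, timedelta

CURRENT_AGENT_VERSION = "4.2.1"                  # constructed current release
SUPPORTED_OS = {"windows", "macos", "linux"}     # constructed agent support list
MAX_CHECKIN_AGE = timedelta(days=7)              # longer than this counts as stale

# Constructed asset inventory, e.g. exported from a directory or CMDB.
INVENTORY = [
    {"device": "ws-0101",   "os": "windows", "owner": "corporate", "role": "client"},
    {"device": "mbp-0202",  "os": "macos",   "owner": "corporate", "role": "client"},
    {"device": "srv-db-01", "os": "linux",   "owner": "corporate", "role": "server"},
    {"device": "phone-0303","os": "ios",     "owner": "byod",      "role": "client"},
    {"device": "lab-0404",  "os": "windows", "owner": "corporate", "role": "client"},
]

# Constructed agent check-ins as reported by the management console.
CHECKINS = {
    "ws-0101":   {"version": "4.2.1", "last_seen": "2014-07-08"},
    "mbp-0202":  {"version": "4.0.3", "last_seen": "2014-07-08"},
    "srv-db-01": {"version": "4.2.1", "last_seen": "2014-06-01"},
}


def _version_tuple(v):
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def audit_endpoints(inventory, checkins, today):
    """Return {device: [reasons]} for every device with at least one blind spot."""
    now = datetime.strptime(today, "%Y-%m-%d")
    gaps = {}
    for dev in inventory:
        reasons = []
        if dev["os"] not in SUPPORTED_OS:
            reasons.append("unsupported os " + dev["os"])
        if dev["owner"] == "byod":
            reasons.append("employee-owned device")
        ci = checkins.get(dev["device"])
        if ci is None:
            reasons.append("no agent")
        else:
            if _version_tuple(ci["version"]) < _version_tuple(CURRENT_AGENT_VERSION):
                reasons.append("out-of-date agent " + ci["version"])
            last_seen = datetime.strptime(ci["last_seen"], "%Y-%m-%d")
            if now - last_seen > MAX_CHECKIN_AGE:
                reasons.append("stale check-in " + ci["last_seen"])
        if reasons:
            gaps[dev["device"]] = reasons
    return gaps


def coverage_ratio(inventory, checkins, today):
    """Fraction of inventoried devices with no blind spot at all."""
    gaps = audit_endpoints(inventory, checkins, today)
    return 1 - len(gaps) / len(inventory)


if __name__ == "__main__":
    for device, reasons in audit_endpoints(INVENTORY, CHECKINS, "2014-07-09").items():
        print(device, "->", "; ".join(reasons))
    print("coverage:", coverage_ratio(INVENTORY, CHECKINS, "2014-07-09"))
```

The inventory is the key input: an endpoint console only knows about devices that have ever checked in, so the "no agent" gaps come from comparing it against an independent asset list, not from the console alone.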

I have summarized the efficiency and efficacy of the defense layers in the table below and highlighted the trade-offs for each layer. “Efficiency” denotes how effectively a detection mitigates risk, and “efficacy” denotes the degree of detection accuracy with respect to false negatives and false positives. External attackers include organized crime and state-sponsored threat actors; internal attackers include disgruntled employees and employees about to leave the company.



I recommend security professionals develop a defense-in-depth strategy for advanced threat protection to ensure efficient and effective risk mitigation from cyber attacks. I believe there is currently no one vendor that can provide a comprehensive solution and therefore a combination of deployed products is the best approach.

About the Author: Alain Mayer is Vice President, Product Management at Vectra Networks. He is a 20-year veteran in computer security and product development, with a focus on machine learning. He grew up in Switzerland and lived in New York City for a decade, which makes him super polite and in your face, clean and messy, eating chocolate and bagels all at once. Alain earned a PhD in computer science from Columbia University and an MS in computer science from Brown University.
