Let’s say you have a billion dollars in cash, and you want to protect it in your home. You wouldn’t just put a single lock on your front door and call it a day. You would add a deadbolt, put bars on your windows, and build a huge perimeter fence. You might throw in CCTV that’s constantly monitored, mutant attack dogs, and the burliest ex-commandos you can find. Maybe you could throw in some external turrets and install a bank vault within the depths of your basement as well.
If you designed all of these protections to work cohesively with policies and training to back them up, this would be considered defense in depth. You aren’t putting all of your faith in a single lock to keep out the bad guys. Instead, you are putting in many layers of security. With this kind of setup, it doesn’t matter so much if criminals incapacitate your ex-commandos. They still have to deal with the mutant attack dogs, the vault and all of your other defenses. As long as some of them hold out, your billion dollars will remain safe.
Defense in depth is important because no single protective measure is perfect. Everything can be circumvented if your adversary is committed, capable and well-funded. Integrating many layers of defense makes their job much, much harder.
What is defense in depth?
The National Institute of Standards and Technology (NIST) defines defense in depth as:
“An information security strategy that integrates people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.”
In other words, it means using different security tools and processes to create a multi-layered defense. The term originally referred to a military strategy that aims to limit the risk of an attacker penetrating the defenses, but the concept shifted substantially once it was applied to information security.
Defense in depth involves controls that fall into a variety of categories. ISO/IEC 27002:2022 divides them into organizational, people, technological and physical controls. You may also hear organizational controls referred to as administrative controls, and technological controls as logical controls.
It further divides these controls into:
- Preventive – A “…control that is intended to prevent the occurrence of an information security incident”.
- Detective – A control that “…acts when an information security incident occurs”.
- Corrective – A control that “…acts after an information security incident occurs”.
Organizational controls
Organizational controls are those that don’t fit into the people, physical or technological categories. They include things like:
- Information security policies.
- Defining specific roles and responsibilities.
- Segregation of duties.
As an example, information security policies are categorized as preventive controls, because comprehensive security policies can help to prevent security incidents.
People controls
People controls are those concerning individual people. Examples include:
- Screening and background checks on personnel.
- Establishing employment contracts with the terms and conditions of employment.
- Information security event reporting.
The latter is a detective control because it provides a mechanism for people to report any security events they observe or suspect. Event reporting gives the organization a means to minimize security incidents, because prompt reporting allows it to put a stop to any issues before they escalate further.
Technological controls
These controls concern technology. Common types include:
- Restricting and managing privileged access.
- Protection against malware.
- Managing technical vulnerabilities, evaluating them, and taking appropriate response measures.
Protecting against malware can be considered preventive, detective and corrective. As an example, if you implement rules that disable unauthorized software, this is preventive. Monitoring access to suspected malicious websites is considered detective. Using anti-malware tools can be both preventive and corrective because they can both stop malware from being installed and help to remove it.
Physical controls
As you would expect, physical controls are those concerned with physical objects. These include:
- Establishing security perimeters to protect sensitive areas.
- Physical security monitoring through tools like CCTV, guards and alarms.
- Enforcing clear desks and screens so that insider threats cannot access sensitive materials while an employee is away from their workstation.
Physical security monitoring techniques can be considered both preventive and detective controls. They are preventive because something like CCTV can deter criminals: they see the cameras and may reconsider, given the high chance of getting caught. If the criminals go ahead and do something malicious anyway, CCTV makes it easier to determine what happened and find the responsible party. This makes it a detective control as well.
How does your organization approach defense in depth?
Most organizations will have some level of defense in depth at play, even if they have never heard of the term before. It’s normal for decision-makers to deploy multiple controls like locks, fences and CCTV.
However, many businesses won’t have a comprehensive approach. Unless they have conducted a risk assessment and carefully tailored their defenses to work together, there are likely to be a lot of gaps that attackers can easily slip through.
Consider your organization:
- How is defense in depth deployed?
- Do the controls work together?
- Can you identify any gaps that need to be plugged?