How to Implement Defense-in-Depth Security
Success for financial institutions is ultimately measured by whether customers can trust them to safeguard their sensitive data. The best way to secure that data is to deploy multiple defensive measures, as no single option is completely infallible. Multiple barriers may seem redundant, but that’s the point – should one layer fail, numerous others are immediately at the ready to thwart any danger.
This is the reasoning behind defense-in-depth security. A security strategy of this kind implements numerous layers of defense against threats, including:
- Network security
- Endpoint security
- Application security
- Administrative controls
- Physical barriers
- Perimeter security
In this multi-layered approach, two of these layers – administrative controls and physical barriers – are social and physical methods of defending data. Technological defenses comprise the other defense-in-depth layers: technical controls based on the network systems, devices, hardware, software and other technology organizations rely on. Each layer of the defense-in-depth approach increases the security of personally identifiable information (PII) and other confidential data.
Addressing common security concerns
The three primary security concerns organizations most commonly face are the skilled attacker, the insider threat and a compromised system.
Often, skilled attackers rely on social engineering tactics like calling a help desk or emailing an employee to obtain names, numbers and other information to cross security barriers. If threats break through the perimeter or network security, additional layers like endpoint or application security can stop them.
Whether a current or former employee, the insider threat has intimate knowledge of the inner workings of a company and uses that information to gain unauthorized access, often exporting large quantities of highly sensitive information. A defensive layer like application security with user activity monitoring can proactively alert admins to abnormal activity, preventing data loss.
With access to just one computer on a network, an attacker can quickly break into an organization’s entire infrastructure. Once inside this compromised system, they can rapidly hijack and override other security measures.
Security controls in the cloud
Industries storing PII or other sensitive data in cloud applications often rely on technical controls like CASB, DLP, user activity monitoring and SIEM solutions. While these are all excellent options for building a security program, each has its limitations and vulnerabilities. But when combined with multiple other layers, they support a nearly impenetrable security posture.
Cloud access security broker (CASB)
A CASB tool acts as a gatekeeper between on-premises and cloud-based infrastructures. CASBs can provide insights into cloud usage and help detect shadow IT operations.
However, many CASBs don’t cover SaaS applications like email programs, which are one of the biggest targets for hacking tactics like phishing. The 2018 Verizon Data Breach Report showed that 98% of social attacks consist of phishing and pretexting incidents, and email is the most common path of attack, making up 96% of incidents. To prevent an influx of scam attempts, other layers of defense – like a network firewall and endpoint security – are necessary.
A CASB can integrate with user activity monitoring, ingesting event monitoring log data to detect potential threats and alert security teams. By adding cloud access data and event logs, InfoSec teams can gain in-depth visibility into application activity like creating or deleting contacts, running reports or exporting data in Salesforce.
Data loss prevention (DLP)
The goal of DLP solutions is to answer questions like:
- How can we prevent data loss?
- Where is sensitive data being stored?
- How is it being used?
DLP provides protective actions that can prevent users from accidentally or intentionally mishandling data by classifying sensitive data and alerting on policy violations. Unauthorized data use can put an organization at risk, but with monitoring, you can identify potential incidents before they cause catastrophe.
However, DLP solutions have their limitations. DLP relies on policies, but the policies may not work as intended based on a rigid set of controls. For example, if the program prevents users from sending PII to external drives and applications, a user trying to attach a file containing PII to an email would be blocked. That email may be perfectly in line with business operations, but the user is limited based on a rigid, transactional policy.
User activity monitoring
Proactively monitoring cloud applications gives organizations critical insights into security, usage, performance and compliance. It also fosters a culture of compliance to create trust among organizations, their users and their customers.
Security: Monitoring usually starts at the greatest point of pain—security—watching for signs of specific users, for instance, exporting abnormally large reports or logins occurring from restricted IP addresses.
Compliance: As regulations multiply, user activity monitoring ensures stronger security, avoidance of regulatory fines and business interruption, and greater trust among customers.
Performance: The metrics and availability of information within your cloud application provide insight into the end user experience. User monitoring supplies that information to improve application performance and user experience.
Usage/Adoption: By monitoring user activity, organizations can identify high performers and use them as a benchmark to help other users enhance their own usage and adoption.
Security information and event management (SIEM)
A SIEM system like Splunk or SolarWinds is an excellent start. But SIEMs are limited by configurations, cost, false positives and required staffing. To fully leverage a SIEM, someone needs to monitor logs and alerts 24/7. Without a dedicated team to pull reports and observe the logs, security threats may fall through the cracks.
To boost your security posture and reduce your attack surface, adding cloud-based user activity monitoring at the application layer provides additional visibility. You can get information like the IP address where an export originated and the name of the report exported by integrating user activity monitoring with a SIEM. Then, you can correlate that information with the SIEM for analysis. This reduces false positives and eliminates the need for a 24/7 monitoring staff.
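As an added example (not code from the article or from FairWarning), the two user-activity-monitoring checks described above, abnormally large report exports and logins from restricted IP addresses, run over constructed Salesforce-style audit events and emit alerts carrying the source IP and report name for SIEM correlation; the event field names and the restricted network are assumptions.

```python
import ipaddress
import statistics

# Constructed sample audit events (Salesforce-style); field names are assumptions.
EVENTS = [
    {"user": "alice", "action": "ReportExport", "report": "Contacts_All", "rows": 1200, "ip": "10.0.4.21"},
    {"user": "alice", "action": "ReportExport", "report": "Contacts_All", "rows": 1350, "ip": "10.0.4.21"},
    {"user": "alice", "action": "ReportExport", "report": "Contacts_All", "rows": 1100, "ip": "10.0.4.21"},
    {"user": "alice", "action": "ReportExport", "report": "Contacts_All", "rows": 250000, "ip": "10.0.4.21"},
    {"user": "bob", "action": "Login", "report": None, "rows": 0, "ip": "203.0.113.77"},
    {"user": "carol", "action": "Login", "report": None, "rows": 0, "ip": "10.0.4.30"},
]

# Constructed policy: treat the TEST-NET-3 documentation range as restricted.
RESTRICTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def export_anomalies(events, factor=10):
    """Flag a report export whose row count exceeds `factor` times the median
    of that user's earlier exports. At least two earlier exports are required
    so a user's very first export does not alert on an empty baseline."""
    history, hits = {}, []
    for ev in events:
        if ev["action"] != "ReportExport":
            continue
        prior = history.setdefault(ev["user"], [])
        if len(prior) >= 2 and ev["rows"] > factor * statistics.median(prior):
            # Carry the fields the SIEM needs for correlation: who, what, from where.
            hits.append({"rule": "abnormal_export", "user": ev["user"],
                         "report": ev["report"], "rows": ev["rows"], "src_ip": ev["ip"]})
        prior.append(ev["rows"])
    return hits


def restricted_logins(events, nets=RESTRICTED_NETS):
    """Flag logins whose source address falls inside a restricted network."""
    hits = []
    for ev in events:
        if ev["action"] == "Login" and any(
                ipaddress.ip_address(ev["ip"]) in net for net in nets):
            hits.append({"rule": "restricted_ip_login", "user": ev["user"], "src_ip": ev["ip"]})
    return hits


def siem_records(events):
    """Run both rules and return enriched alerts ready to forward to a SIEM."""
    return export_anomalies(events) + restricted_logins(events)

if __name__ == "__main__":
    for record in siem_records(EVENTS):
        print(record)
```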
A robust defense-in-depth strategy
To make sure your organization has a comprehensive defense-in-depth approach, review your current security measures and evaluate their effectiveness. Consider your organization’s:
- Network security such as VoIP protection, proxy content filters, remote access and wireless security.
- Endpoint security, which secures devices accessing an organization’s network remotely or wirelessly, including device firewalls, patch management, content security, antivirus, antispyware and host intrusion prevention systems.
- Application security, including user activity monitoring, dynamic app testing, encryption, application firewalls, database monitoring and runtime application self-protection technology.
- Administrative security controls, such as policies and procedures for increased data protection.
- Physical security like keycards, access codes on locked doors and workstation locks.
- Perimeter security, which may include anti-virus and anti-malware programs, DLP solutions, perimeter firewalls, border routers and other boundaries between the public and private sides of a network.
It’s critical to establish customer and employee trust, maintain compliance and secure your mission-critical data through a defense-in-depth approach to cloud security. The best practices listed above will help you layer multiple strata of technology and security to protect your mission-critical assets.
By Mike Mason, general manager of cloud security, FairWarning