Moving Beyond ‘Defence-in-Depth’ to Transform Enterprise Security

The security market today is flooded with hundreds of software tools, hardware appliances and cloud-based services. Enterprises now have a limitless number of security products to choose from to protect their IT infrastructures.

Yet, despite all of these choices, attackers are still successfully compromising IT environments and major data breaches continue to occur. Although more money than ever before is being invested into security, the challenge is far from being solved.

A popular approach to the challenge has been the idea of 'defence-in-depth' which involves layering multiple security tools over an infrastructure to protect it. Although it sounds great in theory, it often doesn't work.

The security industry started by offering prevention tools such as anti-virus software and firewalls. It then shifted to offering detection capabilities such as anti-malware and intrusion detection systems. Now there are response tools such as SIEMs, threat intelligence, and forensics. While they all operate well individually, together they fail to provide sufficient protection.

An organisation may feel that deploying multiple tools is covering all bases, but in reality it still leaves security gaps. The bottom line is that the traditional defence-in-depth security strategy is an outdated model and organisations must look to transform their approach to enterprise security.

Taking a comprehensive approach

To achieve effective IT security, an organisation needs unity. This doesn't mean it has to purchase all its tools from a single vendor or replace what is currently installed. Rather, it's a matter of focussing on the building blocks of a good security program and ensuring they work together to create comprehensive, holistic protection. This approach to security is built on three key pillars of assurance:

• Maintaining continuous visibility of all IT assets
• Having critical context to prioritise threats for response
• Taking decisive action to reduce exposure and loss

Visibility

It's impossible to determine whether an infrastructure has been compromised without comprehensive and continuous visibility of all systems and devices. This can't be achieved through periodic scans. Instead, it must be a continuous process. With attackers constantly attempting to penetrate networks, organisations cannot afford to have any security blind spots.

The process needs to start with establishing a pattern of 'normal' behaviour across all devices and applications within the infrastructure. Then continual surveillance will identify anomalous occurrences that can be flagged for closer attention.

Context

When an organisation has a program of continual surveillance in place, its IT team can quickly find itself overwhelmed by the resulting data. A constant stream of logs and events means they risk missing significant breaches as they are hidden within hundreds of inconsequential flags.

To effectively distinguish malicious activity from non-events, a security team will need tools that prioritise threats and weaknesses. By putting data in context, staff can then identify the true threats and reduce the time taken to respond and remediate. Rather than trying to respond to every alert and notification, the team can concentrate its efforts on the most critical threats.

Context is achieved by way of:

• Constant monitoring to collect real-time data across systems
  
  
• Thorough analysis of all collected data to determine whether a compromise or breach is in progress. Anomaly detection, event correlation, and behavioural analysis can provide contextual information and identify potential malicious activity.

Action

While action in the context of security may imply reactively responding to threats, it also includes being proactive. This involves constantly looking for potential compromises within the infrastructure before they become actual data breaches.

To stay one step ahead of attackers, continuous network monitoring is key. By proactively monitoring an infrastructure, an IT team can spot a potential compromise, learn from it, and quickly respond to stop a potentially costly breach.

Taking action comprises two key factors:

• A rapid response to notifications. With actionable intelligence from dashboards and reports, threats can be prioritised and breaches quickly shut down. Tools such as triggered alerts, notifications, patch management and remediation workflows provide the ammunition for responding to attacks.
  
  
• Protection from threats. This is the ultimate goal; however, it is not easily achieved. Protection results from the automation of patch management, configuration changes, service modifications, device isolation, and ongoing intelligence gathering to remediate problems and reduce exposure and loss.

Conclusion

With security threats constantly evolving and attackers showing no sign of slowing their activity, the traditional defence-in-depth strategy is no longer an effective solution.

Organisations now have IT infrastructures that incorporate mobile devices, remote access and usage of cloud-based resources and services. Ensuring effective security in this environment requires a different approach.

It is necessary to eliminate security blind spots and reduce overall attack surfaces, while prioritising threats to ensure the IT team is aware of the most pressing security concerns. By focusing on visibility, context, and action, robust and effective security protection can be created and maintained.