Application of defence in depth and diversity
This study provides an overview of what is meant by defence in depth. It also discusses the more granular concept of ‘defence in diversity’, which allows the holistic view of defence in depth to incorporate much more than technology alone in the context of business and application security.
Author(s): Kevin Fielder and Rimesh Patel
Defence in depth is a term used to describe the need for multiple layers of defence, making it harder for attackers to breach environments. These multiple layers raise the cost to attackers in resources and/or time, and so help deter them from pursuing the company or programme as a target.
A simple example is preventing malware from infecting systems. There are likely to be both network-based detections in place, such as an intrusion detection system (IDS), an intrusion prevention system (IPS) and possibly advanced threat detection/protection systems, and host-based security including anti-malware and a host IDS (HIDS). Should any one system fail to detect a piece of malware, another system should detect it and prevent the malware from running.
Such a diverse approach to defence promotes a stronger security posture, which makes ‘defence in diversity’ a more appropriate description. When you consider only depth it is easy to overlook the chance that all of the tools miss the same attack, which devalues any cyber kill chain efforts.
Take the above scenario: if your network IDS/IPS and your host anti-malware solution are from the same vendor, they may have entirely replicated capabilities (the same detection engine and the same signatures). In this instance, even if they have extremely high detection rates, should both solutions detect and prevent the same 98% of malware they will also both miss the same 2%, and the second layer adds nothing. Thus it is important not only to layer your defences, but also to ensure their capabilities are complementary.
Continuing the same scenario, you would be more secure with different network and host anti-malware solutions that ‘only’ had a 90% detection rate each, as long as the 10% that each missed was a different 10%: if their misses were independent, only about 1% of samples would get past both layers. Whilst a 98% detection rate sounds better, complementary solutions with different blind spots offer more comprehensive malware protection.
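The arithmetic behind the 98%/90% comparison, as an added example that is not from the paper: each detector is modelled as the set of samples it misses, so the layered defence fails only on the intersection of the miss sets. The corpus, the seed and the overlap parameter are constructed; the break-even figure shows how much correlation the two ‘weaker’ layers can tolerate before the same-vendor pair is the better buy.

```python
"""Added example: how much a second detection layer actually buys.

Each detector is modelled as the set of sample IDs (from a constructed
corpus) that it MISSES. A layered defence only fails when every layer
misses the same sample, so the combined miss set is the intersection.
"""
import random

CORPUS_SIZE = 10_000  # constructed corpus: sample IDs 0 .. CORPUS_SIZE-1


def independent_misses(rng, miss_rate, corpus_size=CORPUS_SIZE):
    """Misses of a detector whose blind spots are unrelated to any other layer."""
    return set(rng.sample(range(corpus_size), round(miss_rate * corpus_size)))


def correlated_misses(rng, other_misses, miss_rate, overlap, corpus_size=CORPUS_SIZE):
    """Misses of a second detector that shares blind spots with `other_misses`.

    `overlap` is P(this layer misses | the other layer missed): 1.0 models a
    shared engine and signature set (same-vendor case), 0.0 fully disjoint misses.
    """
    total = round(miss_rate * corpus_size)
    shared = round(overlap * len(other_misses))
    if shared > total:
        raise ValueError("overlap implies more misses than the miss rate allows")
    shared_ids = set(rng.sample(sorted(other_misses), shared))
    rest_pool = [i for i in range(corpus_size) if i not in other_misses]
    return shared_ids | set(rng.sample(rest_pool, total - shared))


def layered_miss_rate(miss_sets, corpus_size=CORPUS_SIZE):
    """Fraction of the corpus that gets past EVERY layer."""
    return len(set.intersection(*miss_sets)) / corpus_size


def break_even_overlap(target_miss, miss_a):
    """Largest P(B misses | A misses) at which layers A and B together still do
    no worse than `target_miss`. Two layers miss miss_a * overlap of the corpus."""
    return min(1.0, target_miss / miss_a)


def demo(seed=7):
    rng = random.Random(seed)
    a98 = independent_misses(rng, 0.02)
    a90 = independent_misses(rng, 0.10)
    b90_independent = independent_misses(rng, 0.10)
    b90_half_shared = correlated_misses(rng, a90, 0.10, overlap=0.5)
    return {
        # same vendor twice: the second layer inherits the same 2% blind spot
        "same_vendor_98_98": layered_miss_rate([a98, set(a98)]),
        # two 'weaker' 90% layers with unrelated blind spots: about 1% gets through
        "diverse_90_90": layered_miss_rate([a90, b90_independent]),
        # the same two layers if half of A's misses are also B's misses: 5%
        "half_shared_90_90": layered_miss_rate([a90, b90_half_shared]),
        # 90%/90% beats the same-vendor 98% pair only while overlap stays below this
        "break_even_overlap": break_even_overlap(0.02, 0.10),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

The useful number is the last one: two 90% layers only beat the same-vendor 98% pair while fewer than 20% of the first layer's misses are also the second layer's misses. Independent engines sit at 10% (the second layer's own miss rate), so they clear the bar; two products built on a shared engine do not, whatever their headline rates.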
This demonstrates that when designing a defence in depth strategy and architecture the need for diverse and complementary capabilities should be considered. For the rest of the paper, the term defence in depth will be used to avoid confusion.
Defence in depth is the strategic and complementary use of a range of security controls to protect the confidentiality, integrity and availability of an organisation's information base. Combining security controls builds layers of defence to protect against security threats. There are two principal aims of a defence in depth model that this paper discusses:
- To lessen the likelihood of a successful malicious attack.
- To minimise the damage as a result of an attack.
More importantly, the strategic and complementary use of defence in depth should be focused around the assets you are protecting: what are they? Where are they? What is their value? How does the threat/risk landscape affect them? Only by fully understanding the risk factors to the assets can you apply appropriate levels of defence. The standards organisation ISO has specifically provided ISO/IEC 27005:2011 to identify the key stages of asset risk assessment activities.
Using the existing example, you may find that your internet-facing transaction reporting server sitting in the demilitarised zone (DMZ), which already uses an IPS and a HIDS solution, also needs heuristic malware detection enabled within its anti-malware agent (even if its file share is to be automatically encrypted by an encryption solution). However, protecting an asset worth 100k by spending £1M devalues your security posture significantly and is likely to undermine the information assurance efforts you have implemented.
High level example of defence in depth
Fig 1 provides a high level example of how defence in depth may be used alongside typical layers in preventing data breaches. It shows external and internal attackers as threats and how, in collusion, the external attacker can obtain the primary account number detail and, when combined with the detail obtained by the insider, the two sets of details can be used in fraudulent transactions.
Fig 1: Conceptual layers. Worldpay Defence In Depth. Conceptual Layers of Defence in depth. Slide 2. Internal Slides. Kevin Fielder. Worldpay 2015.
Layer 1: the perimeter and network
The network is the gateway in and out of your environment. It is where you interface with the world, so it must be secure and stable. Distributed denial of service (DDoS) protection helps to maintain the availability of services if targeted.
To help stop the theft of data and protect systems you should monitor for threats and data leaks, and use advanced persistent threat (APT) detection to defend against sophisticated, covert attacks. Perimeter vendors can take the concept of perimeter network protection a step further and protect cloud-based networks by analysing volumetric, asymmetric, computational and vulnerability-based attack traffic.
Expanding the perimeter through browser and mobile security is a more advanced concept, but it extends the control of your network and helps to protect your customers and other third parties that connect to your systems.
Layer 2: security monitoring
The initial question to ask is: how can you defend against an attack if you do not know it is happening? Most organisations now use a 24/7 security operations centre (SoC) that provides active security monitoring, allowing you to detect, identify and respond to potential security breaches, so preventing an attack from succeeding or limiting the damage it can cause. To be effective you must centrally collect and analyse security events and logs to recognise suspicious actions; alongside this, intrusion detection (IDS) should be deployed to identify unauthorised activity on the network, with its alerts fed into the same central monitoring. The SoC makes it easier to understand an incident, and its incident response and forensic investigation capabilities allow you to quickly counter, contain and respond to an identified threat.
Service providers now exist in the marketplace that can provide your organisation with an outsourced SoC environment if an in-house one is not feasible. They can provide managed security services, including threat protection, information protection, cyber security services and website security services, through their 24/7 external SoC offerings.
Layer 3: computer and server protection
End user environments such as personal computers and IT devices, and the servers that support systems and business operations, are attractive targets for attack. Standard builds and vulnerability scanning, coupled with robust server patching policies, help ensure all systems and servers are secure against known attacks. File integrity monitoring can be used to detect changes to key operating system and application files, which may undermine security or indicate an attack, including one that signature-based tools did not recognise.
To prevent infection from computer viruses or other malicious software (malware), anti-malware and host protection software should be constantly updated against the latest threats. These can be standalone vendor monitoring agents installed as part of the build deployment, alongside hardening to a best practice standard such as the Center for Internet Security (CIS) benchmarks [4] and a file integrity monitoring solution. Building prevention mechanisms into the build itself in this way is a further demonstration of a diverse approach to defence in depth.
Layer 4: application protection
The enterprise security solutions that are more commonplace have been covered under the previous layers. Beyond them, you also need to ensure the applications you develop are secure, and this should be considered a key part of the defence in depth strategy. Your applications will often be the engine which powers your services. Applications must be designed secure using tools such as threat modelling (analysis of susceptibility to threats). They must be built using secure standards and assured through secure code reviews within a secure software development life cycle programme. Applications requiring different levels of security or access should be segregated from other parts of the network by firewalls and application firewalls to control access and communication, and further tested regularly through penetration testing to provide assurance of their security.
Layer 5: data protection
The information held by an organisation is very likely one of its greatest assets and biggest risks. Protecting the data you store and process needs to be a core element of your security strategy. First you need to know where data is, so use a combination of good data architecture and data discovery to ensure this is understood. Identifying your key data forms a critical part of knowing what to protect and how to control it; for example, data encryption safeguards its confidentiality when it is stored or transmitted, whilst data leakage prevention (DLP) solutions stop sensitive information leaving your control. Secure web gateway solutions now exist in the marketplace that can enforce policies on inbound and outbound traffic.
When combined, all the layers reviewed so far help you understand the nature of an attack more quickly and thus respond faster at each stage of the cyber kill chain. Understanding how each solution protects your asset, the asset's value and the threat vectors across each layer is what defines the tailored defence in depth approach that should be taken.
Conceptual approach to defence in depth
Fig 2 is a conceptual diagram showing potential ‘layers’ to be considered when protecting data. Included are some of the conceptual controls expected at each layer.
Fig 2: Conceptual Controls. Worldpay Defence In Depth. Conceptual Layers of Defence in depth. Slide 5. Internal Slides. Simon Martin. Worldpay 2015.
Network and perimeter protection
Web application firewall (WAF)
WAFs manage the connections to web sites and the applications running on them. They are able to detect and prevent attacks upon an application, such as structured query language (SQL) injection and cross-site scripting (XSS), and so augment the security built into the application itself (the application protection layer, ‘layer 4’ in the model above; note that a WAF inspects application-layer traffic rather than transport-layer packets). WAFs also help protect against application level denial of service attacks.
Protection against a DDoS acts to stop systems from being brought down by a targeted flood of internet traffic, typically originating from a network of compromised computers (a botnet). DDoS protection passes traffic through high capacity networks (provided by third parties) that sit outside of your network to monitor and sanitise traffic, preventing your systems from being overwhelmed by a distributed attack. The popularity and volume of these attacks are increasing, and perimeter technology vendors are providing diverse methods to mitigate them.
Browser and mobile security
Any activity that is performed via the browser extends an organisation's network, and its security, into the internet. Browser and mobile security controls effectively ‘extend your perimeter’ to the devices that connect to you, improving your security and potentially that of your customers and other third parties.
Network monitoring
Network monitoring is typically performed by devices such as network IDS/IPS, network packet capture and network DLP. These devices monitor for threats and events on your network that indicate a compromise of your systems, and for potential leaks of information through network-dependent services such as e-mail or web proxies.
APT detection
An APT, as the term suggests, is sophisticated, covert and ongoing. The aim is to target strategic users (individuals with privileged access to information or systems) and to remain undetected in order to repeatedly steal data from the target organisation. Network APT detection typically involves the use of ‘sandboxes’ or other secured locations in which files are actually opened or run to identify whether they perform any malicious actions. This is more time consuming, but much more effective than solutions that just look for potential malware in a file without running it, and APT vendors are now maturing to provide next-generation detection tools built on this approach.
Intrusion detection
IDS systems detect activity on a network, server or PC which is indicative of malicious behaviour from outside (intrusion) or inside (misuse) the network. By integrating IDS into the monitoring control, its alerts prompt the security operations team to take action. Once there are minimal or no false positives it is advisable to put tools such as IDS into preventative (IPS) mode, as this blocks the malicious traffic rather than only alerting that it may have passed. While false positives remain, in-line blocking would interrupt legitimate traffic, which is why the detection-only phase comes first.
Security monitoring
Security events and log monitoring
Collection and evaluation of system logs and security events provides the capability to understand what is happening on your systems and to identify anomalous, suspicious or malicious activity. Centralising this information into a security information and event management (SIEM) tool provides efficient analysis so that you can respond quickly to potential threats, such as an intruder on the network. It is also crucial for responding to incidents and for retrospective security investigations. Having a centralised view also ensures that the environment is understood and helps track attackers if they move laterally throughout the environment.
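A concrete case of why the centralised view matters, as an added example that is not part of the paper: a correlation rule of the kind a SIEM runs over collected logs. Each host in the constructed sample below sees only one failed logon, which no per-host control would flag; only the central store can see that one source address failed against four hosts in five minutes, then succeeded and started a remote-execution tool on the host that let it in. The log format and all hostnames, addresses and users are constructed.

```python
"""Added example: a correlation rule that only works on centralised logs.

Events are constructed sample data in a normalised key=value form, as a SIEM
would store them after parsing host and network sources.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = """\
ts=2016-11-09T10:00:01Z src=10.0.5.23 dst=srv-fin01 user=jsmith event=auth result=fail
ts=2016-11-09T10:00:02Z src=10.0.5.23 dst=srv-fin02 user=jsmith event=auth result=fail
ts=2016-11-09T10:00:03Z src=10.0.5.23 dst=srv-fin03 user=jsmith event=auth result=fail
ts=2016-11-09T10:00:04Z src=10.0.5.23 dst=srv-hr01 user=jsmith event=auth result=fail
ts=2016-11-09T10:00:09Z src=10.0.5.23 dst=srv-hr02 user=jsmith event=auth result=success
ts=2016-11-09T10:00:15Z src=10.0.5.23 dst=srv-hr02 user=jsmith event=process image=psexec.exe
ts=2016-11-09T10:30:00Z src=10.0.7.4 dst=srv-fin01 user=mlee event=auth result=fail
ts=2016-11-09T10:31:00Z src=10.0.7.4 dst=srv-fin01 user=mlee event=auth result=success
"""


def parse(line):
    """Turn one key=value log line into a dict with a real timestamp."""
    ev = dict(field.split("=", 1) for field in line.split())
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def spray_then_success(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag a source that fails logons against >= min_hosts distinct hosts
    within `window` and then authenticates successfully anywhere."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event"] == "auth":
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, auths in by_src.items():
        auths.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(auths):
            if ev["result"] != "success":
                continue
            failed_hosts = {e["dst"] for e in auths[:i]
                            if e["result"] == "fail" and ev["ts"] - e["ts"] <= window}
            if len(failed_hosts) >= min_hosts:
                alerts.append({"src": src, "user": ev["user"], "ts": ev["ts"],
                               "failed_hosts": sorted(failed_hosts),
                               "success_host": ev["dst"]})
                break  # one alert per source is enough for the analyst
    return alerts


def correlate(raw_log, window=timedelta(minutes=5)):
    """Run the network-side rule, then raise severity if host telemetry shows a
    new process from the same source on the host that accepted the logon."""
    events = [parse(line) for line in raw_log.splitlines() if line.strip()]
    alerts = spray_then_success(events, window)
    for alert in alerts:
        followups = [e for e in events
                     if e["event"] == "process" and e["src"] == alert["src"]
                     and e["dst"] == alert["success_host"]
                     and timedelta(0) <= e["ts"] - alert["ts"] <= window]
        alert["processes"] = [e["image"] for e in followups]
        alert["severity"] = "high" if followups else "medium"
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The second user (one failure then a success on a single host) is ordinary behaviour and produces nothing; the rule's thresholds (hosts, window) are the tuning knobs that control false positives in a real deployment.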
Rapid incident response and forensics
The ability to react to a threat or potential breach is a critical aspect of an integrated and effective security system. Incident response processes should be designed to support the effective management of a security incident such as a potential cyber attack or data breach. A typical response process may incorporate four steps: (i) identification – understand what has occurred and its impact; (ii) response – actions to contain and manage an event; (iii) recovery – undertake restoration and remediation; and (iv) post-incident analysis – where root cause or forensic investigation is utilised to provide a full understanding of the incident.
PC and server protection
Anti-malware and host protection
This runs on the computer and server estate and identifies and blocks a range of malicious software (malware), for example viruses, Trojans and spyware, from infecting your systems. The use of malware is a primary factor in the majority of attacks. Further capabilities such as application whitelisting can also be considered here to ensure a secure environment.
File integrity monitoring
This validates the integrity of your systems against a security baseline to identify changes to components such as security configurations, key system and application files, privileges and security settings. Detected changes are typically then reconciled against change control records to identify any that were unauthorised.
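What a file integrity monitor actually does, reduced to its core, as an added example that is not from the paper or any FIM product: record a hash and permission bits for every file under a root, rescan, and classify the differences. The directory tree, file contents and the tampering in demo() are constructed.

```python
"""Added example: a minimal file integrity monitor (baseline, rescan, diff).

The report it returns is what a FIM tool would raise for reconciliation
against change records.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> {sha256, mode} for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def compare(baseline, current):
    """Classify differences between two scans."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(path for path in baseline.keys() & current.keys()
                          if baseline[path] != current[path]),
    }


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "shadow").write_text("root:*:17000:0:99999:7:::\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original-binary")
        os.chmod(root / "etc" / "shadow", 0o600)
        baseline = build_baseline(root)

        # Constructed tampering of the kind a FIM is meant to catch:
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")   # config weakened
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojaned-binary")         # binary replaced
        (root / "etc" / "rc.local").write_text("# constructed persistence entry\n")  # new file
        (root / "etc" / "shadow").unlink()                                      # file removed
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A real deployment keeps the baseline off the monitored host (an attacker who can rewrite the binary can rewrite a local baseline too) and excludes paths that legitimately churn, which is where the change-record reconciliation above earns its keep.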
Host intrusion detection
Similar to network IDS/IPS, HIDS/IPS specifically identifies suspicious activity (external intrusion or internal misuse) on the computer and server environment.
Vulnerability scanning and patching
This forms a vital part of an effective security management strategy: scanning the network for vulnerabilities identifies potential weaknesses, which are then fixed by applying patches. This prevents an attacker from exploiting known vulnerabilities. As this process matures, configuration compliance against an agreed hardening standard should also be considered. This ensures all systems are built to, and remain aligned with, your build standards.
Application protection
As discussed under the network layer, application-aware firewalls, often referred to as WAF solutions, can prevent specific attacks against applications such as XSS and SQL injection.
Security by design
A securely designed and built application provides effective protection against an external attack. Threat modelling defines what security should be built into an application, secure coding is integrated in the application development process and code reviews provide assurance that applications are built secure.
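The WAF described above and the secure coding described here are two independent layers against the same attack, and the difference between them is easiest to see in code. The following is an added example, not code from the paper or from any WAF vendor: a string-concatenated query beside its parameterised form, fronted by a single toy signature rule. Table contents and payloads are constructed; the second payload uses SQL comments in place of spaces, a textbook evasion of naive pattern matching.

```python
"""Added example: two independent layers against the same SQL injection.

Layer one is the application itself (parameterised query, the 'security by
design' control); layer two is a toy WAF-style signature in front of it.
"""
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: attacker input is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_secure(conn, name):
    """Parameterised query: the same input is bound as data, never as SQL."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# One toy rule in the style of a WAF signature: quote, OR, tautology (' OR '1'='1).
# Real WAFs normalise encodings and comments before matching; this one does not.
TAUTOLOGY = re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)


def waf_blocks(value):
    return TAUTOLOGY.search(value) is not None


def handle_request(conn, name, use_waf, secure):
    """Returns ('blocked', None) if the WAF layer fires, else ('ok', rows)."""
    if use_waf and waf_blocks(name):
        return "blocked", None
    rows = lookup_secure(conn, name) if secure else lookup_vulnerable(conn, name)
    return "ok", rows


def demo():
    conn = make_db()
    textbook = "' OR '1'='1"           # matches the signature
    obfuscated = "'/**/OR/**/1=1--"    # same logic, SQL comments defeat the signature
    return {
        "no_layers": handle_request(conn, textbook, use_waf=False, secure=False)[1],
        "waf_only_textbook": handle_request(conn, textbook, use_waf=True, secure=False)[0],
        "waf_only_obfuscated": handle_request(conn, obfuscated, use_waf=True, secure=False)[1],
        "both_layers_obfuscated": handle_request(conn, obfuscated, use_waf=True, secure=True)[1],
        "both_layers_legit": handle_request(conn, "alice", use_waf=True, secure=True)[1],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The signature catches the first payload and misses the second; the parameterised query stops the second regardless, because the input never reaches the SQL parser as code. Neither layer is redundant: the WAF also covers the application you have not fixed yet, and the secure query covers the payload the WAF has not seen yet.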
Penetration testing
Penetration testing is performed as part of a security testing regime. It is recommended that you use a number of authorised providers to undertake pen testing of your applications, to confirm they are secure or to identify potential (exploitable) vulnerabilities so that they can be fixed.
Data protection
Encryption
Encryption prevents data from being read by anyone without the correct key and the access rights to use it. If other defences are breached, the final layer of defence becomes the protection of the data itself. Encryption vendors provide data encryption methods that encrypt data stores and data paths transparently to the user in most corporate environments.
As long as strict permissions are applied to who can decrypt the data, the access control lists are independently maintained, and keys appropriately protected, this should protect the confidentiality of the data in the event of any breach.
Data discovery
Identifying where sensitive data resides on your network allows you to control and properly protect it. This ensures that all of your security defences are in place to protect the data you hold most dear.
Data leakage prevention
A data breach results from sensitive information leaving your control, whether through malicious compromise by an attacker or insider, or by accident. A strong DLP strategy employs technology controls that stop information being removed from the corporate network, such as scanning and blocking e-mail, website filtering and barring the use of portable media.
Although not specifically called out above, consideration should be given to data access and to what data a system or individual actually requires. This is a key step in minimising the data that is lost when a breach occurs:
- How much data does the user or system need access to?
- Do they need to see complete data? For example, could they perform their role/task with partial data such as only part of a credit card number or address?
- Could the user or system function using tokenised data?
These considerations mean that data can be better protected. For example, if an application only accesses tokenised data, then should that application be breached the real data that has value would not be lost.
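Tokenisation and DLP together, as an added example that is not from the paper or any vendor: a stand-in tokenisation service replaces a card number with a token that keeps the last four digits for display, deliberately fails the Luhn check so it can never pass as a real card, and can only be reversed by one narrowly scoped role; the DLP function then shows that an outbound record holding the token carries nothing worth blocking while the same record holding the real number does. The role name and messages are constructed, and the card number is the widely published Visa test number 4111 1111 1111 1111.

```python
"""Added example: tokenisation so a breached application holds nothing of value,
plus the outbound DLP check that still catches a real PAN.

TokenVault stands in for a tokenisation service (the only place real PANs
live); nothing here is a vendor product.
"""
import re
import secrets


def luhn_ok(digits):
    """Luhn check digit test that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    ALLOWED_TO_DETOKENISE = {"payments-settlement"}  # assumed role name

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenise(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits, last four kept for display. The token is forced to
            # FAIL Luhn so it can never be mistaken for, or used as, a real card.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_ok(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenise(self, token, role):
        """Only a narrowly scoped role may recover the real PAN."""
        if role not in self.ALLOWED_TO_DETOKENISE:
            raise PermissionError(f"role {role!r} may not detokenise")
        return self._token_to_pan[token]


# 13-19 digits with optional single spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def dlp_findings(text):
    """What an outbound DLP rule would block: Luhn-valid PAN-length digit runs."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def demo():
    vault = TokenVault()
    pan = "4111111111111111"
    token = vault.tokenise(pan)
    stored_by_app = f"order 1042 card {token} amount 19.99"   # what the reporting app keeps
    leaked_real = f"order 1042 card {pan} amount 19.99"       # the same record without tokenisation
    return {
        "token_keeps_last4": token[-4:] == pan[-4:],
        "token_fails_luhn": not luhn_ok(token),
        "dlp_on_tokenised_record": dlp_findings(stored_by_app),
        "dlp_on_real_record": dlp_findings(leaked_real),
        "settlement_can_detokenise": vault.detokenise(token, "payments-settlement") == pan,
    }


if __name__ == "__main__":
    print(demo())
```

The reporting application in this design never holds a credential that the vault's role check does not gate, so its compromise yields tokens that are worthless outside the vault; the DLP rule remains the backstop for any path that still carries the real number.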
Cyber kill chain
The previous sections discuss high level and conceptual aspects of defence in depth. More pragmatically, the kill chain proposed by Lockheed Martin, shown in Fig 3, demonstrates the steps a compromise typically takes across the different layers of your network.
Fig 3: The Cyber Kill Chain. Lockheedmartin. http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html. Last Accessed 9th November 2016.
It demonstrates what to consider when an attacker performs an attack, and the steps needed for them to be successful. This view shows how much broader defence in depth can and should be than the traditional view of ‘we have both network IPS and host protection to prevent malware compromises’. This is why ‘defence in diversity’ is also applicable to any security strategy.
Taking the broader view it is clear that defence in depth in the context of the cyber kill chain means looking at how you can prevent or challenge the attacker at each step in the chain and ensuring appropriate controls are implemented.
Application development lifecycle in defence in depth
Another example of how defence in depth is critical to security is the application development lifecycle. There are many ways to ensure an application is securely designed, developed and deployed. Missing out any of the steps shown in Fig 4 increases the risk of an insecure application. As such, all of the steps can be considered as defence in depth layers for application development and assurance.
Fig 4: Application Security Programme. Worldpay Defence In Depth. Conceptual Layers of Defence in depth. Application Section. Internal Slides Kevin Fielder. Worldpay 2015.
Fig 4 highlights the defence in depth layers that ensure secure application development. Each layer provides the following:
- Application security training: This is the various forms of developer training around secure coding and application design. The aim of this is to ensure that all developers have a strong understanding of application threats and how to secure against them.
- Requirements: In the context of this document, this refers to security requirements, although ensuring that all requirements are gathered and understood is critical to the success of any development. By collecting and agreeing the security requirements, and demonstrating how these are met you help ensure that the developed application is secure.
- Design approval: This ensures that, alongside any architecture and solution design review, there is a clear security review and approval of any design, and that it is clear how the design meets the agreed security requirements.
- Threat modelling: This should ideally be seen as part of the design process, once there is a design an exercise should be undertaken to understand how it could be attacked. The output of the process is a set of agreed mitigations and design updates to remediate the identified attacks.
- Unit testing: Automated code testing, including tests of security-relevant behaviour such as input validation and authorisation checks, should run as close to the developer's coding cycle as possible, so that defects are found when they are cheapest to fix.
- Code review: Various options are available here to statically assess the code for security vulnerabilities. This enables the identification of potential issues relating to coding or application configuration prior to extensive testing.
- Mitigation and risk assessment: When the code review identifies issues, this is the process by which they are risk assessed and mitigations are agreed with the security team.
- Dynamic application security testing (DAST): This utilises security tools to assess the running application. This is usually in a test environment; the tool will be given credentials and is usually walked through the application. It will then access the application like a user and try to misuse it with XSS, SQL injection and other application attacks. This provides further identification of issues that can be fixed before the application is moved into production.
- Penetration test: The process of security experts testing the application for potential security vulnerabilities. It should be done on the production ready code, or actually against the production environment. A good strategy here is to make extensive use of the previous steps and tooling, to then have periodic pen tests in order to best balance risk and cost.
- Web application scanning: Similar to DAST, this automates the scanning of web applications. It is often configured to be non-impactful to minimise risk, and so can be run regularly against web-facing production systems.
- Remediation workflow: It is a formal process to ensure any identified risks are documented with agreed timelines and next steps for mitigation/remediation.
- Third party library security: It is a process for assessing and understanding any security issues in third party libraries that are integrated into the developed applications.
- Continuous improvement: this should ideally be incorporated into all processes to ensure they are improved as they run and any issues are identified.
As you can see, while these activities may not be thought of as part of a defence in depth strategy, the same principles apply to application security and development. Each area of your security environment should consider what it protects and whether you could or should have multiple layers to ensure it is appropriately secure. If you only have one layer and it fails, then your security has failed. If you have multiple layers, mistakes or issues in one layer will likely be caught by another one.
This paper has reviewed the network layers that a typical compromise can affect and discussed how, conceptually, these layers should be thought of when selecting the right level of preventative and mitigative solutions. The paper argues that defence in diversity better reflects how the concept of defence in depth can be applied across your technology estate, specifically as it unifies people, process and technology.
For businesses that are now embracing mobile and online platforms, a defence in depth strategy provides strong assurance by creating a layered and flexible approach that supports triage against the confidentiality, integrity and availability of each asset. For example, it might allow you to take a vendor's threat detection system and position it to complement your WAF product, ensuring that the security policy around each critical asset is driven by your business needs and industry alerts.
Further use of intelligence feeds, blocking algorithms, forensics on the wire or behavioural detection allows the aggravation points (the points in the attack chain at which an attacker must act and can be disrupted) to be story-boarded in real time and layered into the security context during a potential compromise. The paper concludes that the defence in depth approach offers the ability to mitigate aggravation points across multiple security functions in a layered fashion, which helps to reduce security silos, increase return on investment and improve the overall health of your technology estate.
- ISO/IEC 27005:2011: ‘Information technology – security techniques – information security risk management’, ISO Online Browsing Platform. Available at https://www.iso.org/obp/ui/#iso:std:iso-iec:27005:ed-2:v1:en, accessed 25 February 2017.
- McGuiness T.: ‘Defense in Depth’, SANS Institute, version 1.2E, 2001. Available at https://webcache.googleusercontent.com/search?q=cache:x83joWZQ5hsJ:https://www.sans.org/reading-room/whitepapers/basics/defense-in-depth-525+&cd=1&hl=en&ct=clnk&gl=uk, accessed 5 November 2016.
- National Security Agency: ‘Defense in Depth’, 16 July 2015. Available at https://www.iad.gov/iad/library/ia-guidance/archive/defense-in-depth.cfm, accessed 1 November 2016.
- Center for Internet Security: CIS Benchmarks, cisecurity.org. Available at https://benchmarks.cisecurity.org/membership/certified/symantec/, accessed 10 November 2016.
- Rogers R., Fuller E., Miles G., et al.: ‘Network Security Evaluation Using the NSA IEM. Defense in Depth’ (Syngress, 2005), p. 362.
- Chapple M., Seidl D.: ‘Cyberwarfare’ (Jones & Bartlett Publishing, 2014), p. 198.
- Bollinger J., Enright B., Valites M.: ‘Crafting the InfoSec playbook: security monitoring and incident response master plan’ (O'Reilly Media, Inc., 2015), p. 111.
- Stewart J. M.: ‘Network security, firewalls, and VPNs’ (Jones & Bartlett Publishers, 2010), p. 255.
- Saha P.: ‘Advances in government enterprise architecture’ (IGI Global, 2008), p. 356.
- Tipton H. F., Nozaki M. K.: ‘Information security management handbook’ (CRC Press, 2012, 6th edn.), vol. 6, p. 251.
- IBM developerWorks: ‘Manage non-functional requirements for cloud applications. Software design patterns for PaaS environments’. Available at http://www.ibm.com/developerworks/cloud/library/cl-bluemix-nfr/index.html, accessed April 2015.
Case study: IBM threat protection system
As technology business platforms evolve, so do their inherent non-functional requirements, and ensuring a diverse, layered approach to asset protection means the analysis available during a compromise will support mitigation efforts and keep investment in people, process and technology iterative. The concepts of defence in depth, and their application to the components of modern IT infrastructure, can be demonstrated by most threat protection systems.
Defence in depth is seen clearly in such a system, which comprises several different solutions forming an integrated whole designed to disrupt the lifecycle of advanced attacks with a three-pronged approach: prevent, detect and respond.
Fig 5 shows the aggravation points of a typical attack chain and how pragmatic analysis of a layered approach can enable a successfully defended deployment.
Fig 5: IBM Threat Protection System, 2014. www.ibm.com/Security. Last Accessed April 2015.
The attack chain allows the typical aggravation points of a network to be identified, reviewed and addressed using vendor security products.
- Prevention on the host: capabilities such as exploit interruption, jamming of malicious communications and protection of corporate credentials enhance the security posture of the estate. Solutions now use behaviour-based technology to detect existing infections and their outbound communications, as well as blocking the installation of new malware; this complements traditional antivirus and/or endpoint solutions that prevent malware installation and credential loss.
- Prevention on the network is achieved when products block mutated exploits and malware command and control vectors, and block access to malicious sites using proprietary technology.
- Detection of sophisticated and constantly evolving threats, and the discovery and disruption of previously unknown threats on the network, require strong network intrusion detection that blocks malicious activity based on classes of behaviour known to be malicious, such as shellcode injection, SQL injection and inbound or outbound communication with known bad IP addresses.
- Detection through vulnerability management provides a unified view of vulnerability information and applies rich context so exposures can be prioritised and efficient corrective action can be taken.
- Response through behaviour detection can be enhanced by threat detection methods that use statistics from threat landscape platforms.
- Incident forensic techniques allow breaches to be investigated swiftly and support a strong knowledge-building exercise that documents in detail the particulars of the breach; the lessons learned from the findings help prevent future occurrences.
This case study demonstrates how once aggravation points have their controls in place, monitoring solutions can further enhance the application of defence in depth across your technical estate.