What is Defense in Depth?

Defense in Depth (DiD) is an approach to cybersecurity in which a series of defensive mechanisms are layered in order to protect valuable data and information. If one mechanism fails, another steps up immediately to thwart an attack. This multi-layered approach with intentional redundancies increases the security of a system as a whole and addresses many different attack vectors. Defense in Depth is commonly refered to as the "castle approach" because it mirrors the layered defenses of a medieval castle. Before you can penetrate a castle you are faced with the moat, ramparts, draw-bridge, towers, battlements and so on. 

The digital world has revolutionized how we live, work and play. However, it's a digital world that is constantly open to attack, and because there are so many potential attackers, we need to ensure we have the right security in place to prevent systems and networks being compromised. Unfortunately, there is no single method that can successfully protect against every single type of attack. This is where a defense in depth architecture comes into play.

A layered approach to security can be applied to all levels of IT systems. From the lone laptop accessing the internet from the coffee shop to the fifty thousand user enterprise WAN, Defense in Depth can significantly improve your security profile.

No organization can be ever be fully protected by a single layer of security. Where one door may be closed, others will be left wide open, and hackers will find these vulnerabilities very quickly. However, when you use a series of different defenses together, such as firewalls, malware scanners, intrusion detection systems, data encryption and integrity auditing solutions, you effectively close the gaps that are created by relying on a singular security solution.

With an ever-growing landscape of security threats to contend with, security companies are continuously developing new security products to protect networks and systems. Here are some of the more common security elements found in a Defense in Depth strategy:

Network Security Controls

The first line of defense when securing a network is the analysis of network traffic. Firewalls prevent access to and from unauthorized networks and will allow or block traffic based on a set of security rules. Intrusion protection systems often work in tandem with a firewall to identify potential security threats and respond to them quickly. If you would like to learn more about network security, visit our "what is network security?" page. 

Antivirus Software

Antivirus software is critical to protecting against viruses and malware. However, many variants often rely heavily upon signature-based detection. While these solutions offer strong protection against malicious software, signature-based products can be exploited by intelligent cybercriminals. For this reason, it is wise to use an antivirus solution that includes heuristic features that scan for suspicious patterns and activity.

Analyzing Data Integrity

Every file on a system has what is known as a checksum. This is a mathematical representation of a file that shows the frequency of its use, its source and which can be used to check against a known list of viruses and other malicious code. If an incoming file is completely unique to the system it may be marked as suspicious. Data integrity solutions can also check the source IP address to ensure it is from a known and trusted source.

Behavioral Analysis

File and network behaviors often provide insight while a breach is in progress or has occurred. If behavioral analysis is activated it means the firewall or intrusion protection solutions have failed. Behavioral analysis picks up the slack and can either send alerts or execute automatic controls that prevent a breach from continuing any further. For this to work effectively, organizations need to set a baseline for "normal" behavior.

As mentioned previously, it is the firewall that provides your first line of defense in your organization's Defense in Depth strategy. For this reason, it makes sense to choose a solution that offers a range of features designed to protect against an ever-evolving threat landscape and the changing needs of today's modern business.

Forcepoint's Next Generation Firewall (NGFW) defends organizations against emerging malware and other exploits that threaten the integrity of your network and data. With NGFW in place, you can respond to incidents in minutes, not hours, and immediately see and understand what is happening on your network.