Defence in Depth - is it Always Best Practice
Should we choose Microsoft tools to safeguard Microsoft products and platforms? Why are so many not convinced by the security tools offered by Microsoft to protect their own products at the various levels - desktop, servers and email? Those who believe Microsoft have the capacity to comprehensively and solely defend all Microsoft products, are they misinformed or naïve? Are third-party tools still necessary to obtain the security that we now require? Microsoft offer a multitude of product features, but they do not offer a complete security solution. Third-party security solutions add to and support the Microsoft product and ultimately enhance the product's security.
Security best practice has long suggested that Defence-in-Depth is the approach to take to achieve the best security outcome. This entails a multi-layered approach. Although some of the solutions that Microsoft now offers may be improving and may one day achieve a level of security on par with competing solutions, if we rely completely on Microsoft to protect Microsoft products and platforms we are not achieving a layered approach to security. Another way to look at it: if Microsoft are able to effectively secure their own products, why are they not ensuring that the base product is as intrinsically secure as they can make it, rather than securing it afterwards? Considering this, emphasis is placed on the necessity for third-party security, even if it is additional to Microsoft's own solution. Third-party solutions are likely to fill the gaps missed by Microsoft.
No matter what solutions are utilised, nothing will be 100% secure. We must perform due diligence and safeguard our assets in the best ways possible - motivated attackers will look for the gap in our security and are likely to find it.
The aim remains to mitigate risk, and the best way that this can be achieved is through a layered security approach. There is no one solution that can secure against all attacks - no one vendor, product or service is able to comprehensively safeguard an environment from all attack variations over a period of time. Therefore the best way to handle the situation is to deploy the most effective solutions, products and services and have them overlap so that they complement each other. What one product misses is then likely to be caught by another.
If we agree that Defence-in-Depth is the way to go, let us consider the approach in further detail.
Defence-in-depth is a proactive approach to security: a complementary set of products and solutions used to support the pre-emptive process. Security issues are better solved through overlapping, complementary solutions. To achieve and maintain a good security posture it is important that ongoing vigilance and user awareness are present at all times, and that adaptations and updates to the processes are made as required.
The manner in which most organisations function today does not lend itself to perimeter-only defence, and the notion of a perimeter is quickly disappearing among organisations. Breaches are commonly initiated from within the network (viruses, Trojans, worms); moreover, peer-to-peer communications, mobile computing, unsecured wireless networks and guest internet access all have the potential to compromise the organisation's security. The required security solutions must go beyond traditional methods of thinking and securing, and must consider all attack vectors that are possible today and may be in the near future.
Defence-in-depth requires that interactions between network resources and those using the network be managed and scalable, and consist of a granular system of permissions and access controls. Firewalls and segregation of traffic alone will no longer suffice.
The approach should be more data focused. To secure data appropriately, organisations must especially consider data stores, data flow, and how, when, where and by whom data is communicated. Access control is critical and must be properly managed. Stricter regulatory requirements also demand that these rigorous controls on data flow are implemented.
Why opt for defence in depth?
Environments have changed along with computing and the way organisations function. This has directly influenced potential attack vectors. The areas open to attack have greatly increased, and attackers continue to advance their methods and are experiencing a heightened success rate. With this occurring it is essential that we deploy every option of defence to thwart such attacks, and the best chance we have of achieving this requires multiple security layers from multiple third-party sources.
Different tools from different vendors are likely to cover more, and more varied, risk than a tool from only one vendor; we must circumvent as many potential risks as possible. The other train of thought in the industry is that we need extra security because the vendor traditionally has too much to cover in order to keep the OS and the application secure. For this reason, a whole market exists around keeping apps and OSs more secure.
Six Strategies to consider for a broad approach
Ultimately organisations should aim to achieve access control, integrity and privacy. By properly achieving these fundamentals, it is likely that sufficient security layers are in place and that the organisation's security posture is elevated.
It is recommended to take the following approach when deploying your layers of defence, to achieve an architecture that is proactive and responsive.
Tools to consider include those for network IDS and IPS, web content filtering, web application firewalls, malware analysers, vulnerability analysers, host-level IPS with DLP, forensics tools, decryption and encryption tools at all levels, SIEM and machine data mining tools. The solutions must all be stacked and layered from the application layer through to the physical layer of protection. Mobile application and data security, cloud security (with viable SLAs) and wireless protection must also be incorporated.
Strategy 1: Authentication and authorisation of all network users
Every user must be authenticated as well as authorised. It is no good allowing a user access but not knowing where they are on the network or what they are doing there - unless every user has the same access privileges (this should not be the case as a least privilege model should always be utilised). Therefore, positive authentication as well as user-based authorisation is essential throughout.
Strategy 2: Deploy VLANs for traffic separation and coarse-grained security
This should be done dynamically and based on user authentication in order to achieve the best manageability. Micro-segmentation of the datacentre and of virtual platforms has now become standard security practice.
Strategy 3: Use robust firewall technology at the port level for fine-grained security
Fine-grained, user-based security policies enforced by the network are important. By placing a firewall at the port level, many of the previous challenges of embedding firewalls internally (to achieve security at points other than the internet gateway) are removed.
Strategy 4: To ensure privacy is achieved utilise encryption throughout the network
Privacy of data throughout the organisation is vital. Very sensitive data is transported and stored and must be protected from accidental or intentional disclosure. It is a legal requirement for many organisations to ensure that the data that they process and are responsible for is protected and that regulatory requirements are complied with. Encryption can be achieved at any layer and allows for privacy and integrity of data.
Strategy 5: Threat detection is required to ensure the integrity of the network
Threats can come from anywhere, and some are very difficult to detect and protect against. You need to be able to detect, protect and remediate whenever possible. Intrusion detection systems are a first line of defence. Other useful tools include intrusion prevention systems, application firewalls, threat-specific tools, threat management tools, vulnerability analysis tools and security management tools.
Strategy 6: Include end-point security and utilise policy-based enforcement
User systems are varied, and users should be granted specific privileges depending on the system being used for access. This should be enforced through defined policies based on the security posture of the end system, so that the end system's security posture determines how its access is managed.
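As an added illustration of how Strategies 1, 2 and 6 fit together in one enforcement point (not code from the original article), the following constructed Python sketch decides which VLAN an authenticated session lands in from the user's role and the end system's posture; the role names, posture checks and VLAN numbers are assumptions for illustration only.

```python
from dataclasses import dataclass


# Constructed example: the identity and endpoint attributes a policy
# enforcement point (such as a NAC or 802.1X policy server) would evaluate.
@dataclass
class Endpoint:
    patched: bool         # OS and agents at the required patch level
    av_running: bool      # endpoint protection agent alive and reporting
    disk_encrypted: bool  # full-disk encryption enabled
    managed: bool         # corporately managed, not guest/BYOD


@dataclass
class User:
    username: str
    authenticated: bool   # Strategy 1: positive authentication succeeded
    mfa: bool             # a second factor was presented
    role: str             # assumed roles: "admin", "staff" or "guest"


@dataclass
class Decision:
    allow: bool
    vlan: int
    reason: str


# Assumed VLAN numbering; the quarantine VLAN only reaches remediation servers.
VLANS = {"quarantine": 999, "guest": 30, "staff": 20, "admin": 10}


def decide_access(user: User, ep: Endpoint) -> Decision:
    """Return the VLAN a session is placed in, applying least privilege."""
    # Strategy 1: unauthenticated sessions get no network at all.
    if not user.authenticated:
        return Decision(False, VLANS["quarantine"], "unauthenticated")
    # Strategy 6: posture gates access regardless of who the user is.
    if not (ep.patched and ep.av_running):
        return Decision(True, VLANS["quarantine"], "remediation required")
    # Strategy 2: VLAN chosen dynamically from role plus posture, not per port.
    full_posture = ep.disk_encrypted and ep.managed
    if user.role == "admin" and user.mfa and full_posture:
        return Decision(True, VLANS["admin"], "admin with mfa on compliant device")
    if user.role in ("admin", "staff") and ep.managed:
        return Decision(True, VLANS["staff"], "managed device, staff network")
    # Everyone else, including admins on unmanaged hardware, is treated as guest.
    return Decision(True, VLANS["guest"], "unmanaged or guest device")
```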
Defence-in-depth is the best chance of achieving results and keeping intrusions to a minimum. By incorporating hurdles that hinder the progression of a threat, security is better achieved. Microsoft are improving their security tools for their various products and services; however, it is recommended that even where Microsoft tools are used, they should not be the only security solution but rather part of a layered approach, alongside other leading third-party options, for better security. Third-party tools tend to enhance the Microsoft base product. Defence in depth, with multiple layers of defence, remains a solid approach to follow.