Cyber Defence in Depth: An Expert’s Overview

Expert insight from our information security manager

What is defence in depth? Why is it important? How does it work? And what are some practical examples of it?

We put all these questions and more to information security manager Adam Seamons, who has more than 15 years’ experience working as a systems engineer and in technical support. He also holds CISSP (Certified Information Systems Security Professional) and SSCP (Systems Security Certified Practitioner) certifications.

What is defence in depth?

In very broad terms, defence in depth contains three layers:

  1. Prevention
  2. Detection
  3. Response

You can split these up further – into identify, protect, detect, respond and recover, for example* – but these three are the bare minimum for becoming cyber resilient.

*These are the five ‘cybersecurity concepts’ attribute values in ISO 27002:2022.

Why is defence in depth important?

Quite simply: no single measure works 100% of the time – even if correctly implemented. The fact that we’re already looking at a record number of incidents this year speaks volumes.

Therefore, organisations should take a more dynamic approach. One in which individual security measures work together effectively and make up for each other’s weaknesses.

How does defence in depth work?

Ideally, each layer presents a different challenge for an attacker – think moats, walls and keeps for castles.

The idea is that if one layer fails, the others still prevent an attack from succeeding. Failing that, they significantly reduce the impact of a successful attack.

What is a cyber security example of multi-layered defences?

Let’s take malware as an example. When defending against it, your primary goal is to stop it from entering your networks.

Should malware enter, you then want to prevent malicious code from executing in an environment where it can do meaningful damage. Failing that, you want to stop the malware from spreading.

In this example, your layers may look something like this:

  1. Perimeter defences – things like firewalls and scanning of incoming emails, downloads, and so on.
  2. Application whitelisting and sandboxing.
    • Whitelisting means that you only allow approved – i.e. whitelisted – applications to execute on your systems.
    • Sandboxing – isolating applications – is great when malicious code manages to execute despite your best efforts. By sandboxing, you make sure the code is stuck in an isolated area – a contained, isolated instance in a web browser or document, for example. The malicious code can’t then mess with your systems outside of that sandbox. [The isolation is often facilitated through a virtual browser instance like Microsoft Defender Application Guard.]
  3. Network segmentation and segregation. In other words, isolating the device on which the malware has executed from the wider organisational network. You’ll also want to limit what user accounts can do – if you control access, code can’t execute outside the infected system. That limits transferability. This comes back to the zero-trust architecture we previously talked about.

Typically, malware tries to get through the organisational perimeter to individual computers, to spread further within your networks from there.

The malware is looking to compromise a computer, so it can compromise your network account, then look for places to do more damage. Moving from computer to computer, encrypting data on each, for example – that’s a ransomware-type situation. Or the malware may look to jump onto other systems to look for, say, payment card data.

The measures you listed are all examples of prevention, right? Could you explain what prevention means in cyber security?

Yes, they’re all examples of preventive measures – and mostly, to be more specific, ingress defences. They’re aimed at incoming things, such as scanning:

  • A USB stick plugged into a computer;
  • Email attachments and downloads; and
  • The reputation of the location of those downloads.

If you’ve ever tried to visit a website, but find you’re immediately blocked – that’s likely due to a problem with the reputation of the website. It means your security software, web content filter, etc. has stepped in to prevent you from visiting the site.

Whereas if your download gets blocked after it’s already started, your malware scanner has detected something in the file or its signature, and stepped in to block or cancel the download.

More generally, prevention means trying to avoid cyber incidents from happening at all. Failing that, this layer attempts to act before the incident has a serious impact, should an attacker slip through the net.

How do you decide what preventive measures to implement?

Prevention starts with a risk assessment:

  • What assets are you trying to protect?
  • How might those assets be compromised?
  • Who or what may compromise those assets?

‘Protecting’ assets needn’t be limited to technical measures. Sticking with the malware example, attackers often deliver it through phishing attacks.

Scanning email attachments and downloads will help address that particular risk, but is best combined with staff awareness training – teaching people to not click a suspicious link to begin with, but if they do, to report it immediately.

How would you approach layering your defences?

The key is to envisage how your controls might be circumvented. You must identify the weaknesses – the parts that are vulnerable – in your process or system.

Those weaknesses are what a smart attacker will find and attempt to exploit – your security system is only as strong as its weakest point.

Also remember that it’s best to have multiple measures within each layer, particularly for prevention. That’s because individual measures typically only reduce the likelihood or the impact of a risk, but not both.

What is detection in cyber security?

Basically, it means mechanisms for telling you when your preventive measures have failed.

This typically involves automated security monitoring tools, which detect anomalies – signs that your defences may have failed. Once those tools detect an anomaly, they should alert a person to investigate and, if necessary, escalate the situation.

How can organisations plan their detective measures?

Through careful planning and asking risk assessment-type questions. Specific to detection, you’d ask things like:

  • What assets do you monitor?
  • Where do you place your detection mechanisms?
  • When an alarm is triggered, who’s informed during working hours?
  • When an alarm is triggered, who’s informed outside of working hours?
  • How will you guarantee that the person or persons appointed will be able to investigate the situation on time?

What is response in cyber security?

Quite simply, following up on detected incidents. Even the best detection in the world won’t do you any good if you don’t follow it up with a response.

Do you have any final words of advice?

Remember that you must maintain the measures you implement: for instance, anti-malware software only remains effective if you keep it up to date.

Also, don’t forget that organisational measures are equally important – if not more so – than technical ones. Staff training and awareness are vital, and cost-effective, parts of security. The same goes for policies and procedures.

Are you ready to implement cyber defence in depth?

IT Governance has everything you need, ranging from software to books, training, professional consultancy and penetration testing, and more.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

In the meantime, why not check out our previous interview with Adam on zero-trust architecture?

Alternatively, explore our full index of interviews here.