We are experiencing a ransomware epidemic. This past June, the Biden administration issued a memorandum urging businesses to take proactive steps to reduce the risk of ransomware following a string of devastating attacks on Colonial Pipeline and JBS Foods. In April, the U.S. Department of Justice introduced a ransomware task force after labeling 2020 the “worst year ever” for ransomware and related extortion incidents. Despite this, the amount and frequency of ransomware attacks continue to escalate.
To solve the problem, you have to understand why existing tools and techniques are not working.
Is defense-in-depth still relevant?
One of the most widely used security strategies today is Defense in Depth, coined by the Department of Defense about 20 years ago. Defense in Depth involves a series of security mechanisms and controls thoughtfully layered throughout a computer network to protect the confidentiality, integrity, and availability (the CIA Triad) of the network and the data within it. While no individual mitigation can stop all cyber threats, together they help mitigate a wide variety of threats while adding redundancy in the event one mechanism fails. When done right, a Defense in Depth approach significantly bolsters network security against many attack vectors. The most effective Defense in Depth strategy is supported by additional security best practices, tools, and policies.
However, as with many frameworks, the ideal laid out on paper is far from what is actually implemented in practice. Tools are added only to be shelved, or are not monitored closely enough to evaluate their efficacy after implementation. IT infrastructure changes constantly without anyone examining what those changes do to the Defense in Depth architecture and whether it still ‘works as designed’.
The defense-in-depth dilemma
Gartner predicts worldwide spending on information security and risk management technology and services will reach $150.4 billion in 2021. Despite billions being spent on security tools, we continue to see ransomware attacks and large-scale data breaches reported daily.
Implementing best practices for modern security requires continuous assurance of an organization’s security readiness. A layered approach to security is only as strong as its weakest link. It is not enough for security teams to simply add new tools and technologies to their organization’s security stack unless they also validate that the existing Defense in Depth architecture continues to work as intended. New security solutions can strengthen the overall security program if they are added to a strong foundation.
However, validating an organization’s Defense in Depth approach against real threats has historically been a major roadblock for security teams. Traditional pentesting and vulnerability scanning methods are not built for today’s dynamic, hybrid, and distributed enterprise infrastructure. Pentesting can be effective, but it is manual and provides only a point-in-time snapshot of an organization’s security posture, and it assumes homogeneity across assets and the network, which is very rarely the case.
In addition, traditional vulnerability management tools flood CISOs and security teams with non-critical alerts. There were more than 15,000 vulnerabilities found in 2020, while attackers exploited only 8%.
As the digital landscape increases in complexity, more security teams are struggling to properly implement and manage the strategy they have in place.
The cloud is flat
For the past couple of years we have witnessed a transformation across the corporate technology stack that is growing exponentially and changing how we operate, work, and think. The enterprise shift to the cloud has also created significant challenges for the traditional Defense in Depth strategy. The shift to the cloud and an open, connected world has changed the organization’s perimeter. Organizations do not have a way to validate that they are operating in a Zero Trust infrastructure or that their controls, policies, and processes are holding ground.
The speed of business continues to grow, and the enterprise IT infrastructure is evolving at record rates. Security teams cannot keep up with these changes. And still, the concept of continuously testing (i.e., validating) that your Defense in Depth design, policy, and approach are working as planned was NEVER introduced.
Why validation-in-depth is a must
One of the most significant flaws in Defense in Depth methodology is that it does not include validation. Defense needs to be right a hundred percent of the time, whereas an attacker only needs to be right once. Building a defense methodology without incorporating the attacker’s approach is a major gap that must be addressed with continuous validation.
Organizations need a new security approach designed for the modern world that automatically validates security for continuous resilience instead of assuming Defense in Depth is accurate.
The legacy tools for confirming that a Defense in Depth framework is effective are penetration testing and vulnerability scanning. Since these tools are no longer practical for the reasons outlined above, they cannot serve as reliable quality control.
In addition, while we tend to attribute data breaches mostly to sophisticated malware and stealthy actions, misconfigurations are being overlooked. Security teams are focused on adding new tools and controls but do not take the time to ensure that existing controls and policies are correctly configured. This leads to a false sense of security.
Security teams need to shift their focus from assuming that their Defense in Depth is working to practicing validation-in-depth. Every Defense in Depth design requires validation-in-depth at its core.