Medieval castles stood as impregnable fortresses for centuries, thanks to their meticulous design. Fast forward to the digital age, and this medieval wisdom still echoes in cybersecurity. Like castles with strategic layouts to withstand attacks, the Defense-in-Depth strategy is the modern counterpart — a multi-layered approach with strategic redundancy and a blend of passive and active security controls.
However, the evolving cyber threat landscape can challenge even the most fortified defenses. Despite the widespread adoption of the Defense-in-Depth strategy, cyber threats persist. Fortunately, the Defense-in-Depth strategy can be augmented using Breach and Attack Simulation (BAS), an automated tool that assesses and improves every security control in each layer.
Defense-in-Depth: False Sense of Security with Layers
Also known as multi-layered defense, the defense-in-depth strategy has been widely adopted by organizations since the early 2000s. It's based on the assumption that adversaries must breach multiple defense layers to compromise valuable assets. Since no singular security control can provide foolproof protection against the wide array of cyber threats, defense-in-depth has become the norm for organizations worldwide. But if every organization uses this strategy today, why are security breaches still so common?
Ultimately, the primary reason is a false sense of security from the assumption that layered solutions will always function as intended. However, organizations shouldn't put all their faith in multi-layered defenses — they must also stay up-to-date against new attack vectors, possible configuration drifts, and the complex nature of managing security controls. In the face of evolving cyber threats, unsubstantiated trust in defensive layers is a security breach waiting to happen.
Perfecting the Defense-in-Depth Strategy
The defense-in-depth strategy promotes using multiple security controls at different layers to prevent and detect cyber threats. Many organizations model these layers around four fundamental layers: Network, Host, Application, and Data Layers. Security controls are configured for one or more layers to maintain a robust security posture. Typically, organizations use IPS and NGFW solutions at the Network Layer, EDR and AV solutions at the Host Layer, WAF solutions at the Application Layer, DLP solutions at the Data Layer, and SIEM solutions across multiple layers.
Although this general approach applies to nearly all defense-in-depth implementations, security teams cannot simply deploy security solutions and forget about them. In fact, according to the Blue Report 2023 by Picus, 41% of cyber attacks bypass network security controls. Today, an effective security strategy requires a solid understanding of the threat landscape and regularly testing security controls against real cyber threats.
Harnessing the Power of Automation: Introducing BAS into the Defense-in-Depth Strategy
Understanding an organization's threat landscape can be challenging due to the vast number of cyber threats. Security teams must sift through hundreds of threat intelligence reports daily and decide whether each threat might target their organization. On top of that, they need to test their security controls against these threats to assess the performance of their defense-in-depth strategy. Even if organizations could manually analyze each intelligence report and run a traditional assessment (such as penetration testing and red teaming), it would take far too much time and too many resources. Long story short, today's cyber threat landscape is impossible to navigate without automation.
When it comes to security control testing and automation, one particular tool stands out among the rest: Breach and Attack Simulation (BAS). Since its first appearance in Gartner's Hype Cycle for Threat-Facing Technologies in 2017, BAS has become a valuable part of security operations for many organizations. A mature BAS solution provides automated threat intelligence and threat simulation for security teams to assess their security controls. When BAS solutions are integrated with the defense-in-depth strategy, security teams can proactively identify and mitigate potential security gaps before malicious actors can exploit them. BAS works with multiple security controls across the network, host, application, and data layers, allowing organizations to assess their security posture holistically.
LLM-Powered Cyber Threat Intelligence
When introducing automation into the defense-in-depth strategy, the first step is to automate the cyber threat intelligence (CTI) process. Operationalizing hundreds of threat intelligence reports can be automated using deep learning models like ChatGPT, Bard, and LLaMA. Modern BAS tools can even provide their own LLM-powered CTI and integrate with external CTI providers to analyze and track the organization's threat landscape.
Simulating Attacks in the Network Layer
As a fundamental line of defense, the network layer is often tested by adversaries with infiltration attempts. This layer's security is measured by its ability to identify and block malicious traffic. BAS solutions simulate malicious infiltration attempts observed 'in the wild' and validate the network layer's security posture against real-life cyber attacks.
Assessing the Security Posture of the Host Layer
Individual devices such as servers, workstations, desktops, laptops, and other endpoints make up a significant portion of the devices in the host layer. These devices are often targeted with malware, vulnerability exploitation, and lateral movement attacks. BAS tools can assess the security posture of each device and test the effectiveness of host layer security controls.
Exposure Assessment in the Application Layer
Public-facing applications, like websites and email services, are often the most critical yet most exposed parts of an organization's infrastructure. There are countless examples of cyber attacks initiated by bypassing a WAF or a benign-looking phishing email. Advanced BAS platforms can mimic adversary actions to ensure security controls in the application are working as intended.
Protecting Data Against Ransomware and Exfiltration
The rise of ransomware and data exfiltration attacks is a stark reminder that organizations must protect their proprietary and customer data. Security controls such as DLPs and access controls in the data layer secure sensitive information. BAS solutions can replicate adversarial techniques to rigorously test these protection mechanisms.
Continuous Validation of the Defense-in-Depth Strategy with BAS
As the threat landscape evolves, so should an organization's security strategy. BAS provides a continuous and proactive approach for organizations to assess every layer of their defense-in-depth approach. With proven resilience against real-life cyber threats, security teams can trust their security controls to withstand any cyber attack.
Picus Security pioneered Breach and Attack Simulation (BAS) technology in 2013 and has helped organizations improve their cyber resilience ever since. With Picus Security Validation Platform, your organization can supercharge its existing security controls against even the most sophisticated cyberattacks. Visit picussecurity.com to book a demo or explore our resources like "How Breach and Attack Simulation Fits Into a Multi-layered Defense Strategy" whitepaper.
To grow your understanding of evolving cyber threats, explore the Top 10 MITRE ATT&CK techniques and refine your defense-in-depth strategy. Download the Picus Red Report today.
Note: This article was written by Huseyin Can Yuceel, Security Research Lead at Picus Security, where simulating cyber threats and empowering defenses are our passions.
One Response to Perfecting the Defense-in-Depth Strategy with Automation