Cyber Defence in Depth: A Layered Strategy to Achieve Resilience

Verizon’s 2024 Data Breach Investigations Report analysed 30,458 security incidents and 10,626 confirmed data breaches – a record high. Compared to 2023, Verizon found a significant jump in attacks exploiting vulnerabilities, as well as attacks involving ransomware or extortion.

Similarly, our own research is finding a record number of known records breached this year (pun not intended), despite it only being May.

What can organisations do to protect themselves and buck this trend?


Get the basics right

Effective security needn’t be expensive.

In fact, implementing security measures is far less expensive than cyber insecurity.

Even just implementing Cyber Essentials-style measures can prevent most common cyber attacks:

  • Firewalls
  • Access control
  • Patch management
  • Malware protection
  • Secure configuration

You can enhance these technical measures with staff awareness training. This is not only a cost-effective measure, with elearning options available, but also actively helps prevent incidents: Verizon found that 68% of data breaches involved a “non-malicious human element”. This includes falling for a phishing attack or simple human error.


Moving beyond prevention

Prevention is an essential layer of security – but not, in itself, enough.

Broadly speaking, achieving defence in depth requires three layers of defences:

  1. Prevention
  2. Detection
  3. Response

Some frameworks – such as the attribute values in ISO 27002:2022 (‘cybersecurity concepts’) – split these into five layers:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Either way, the principle is the same: no single measure works 100% of the time – even if correctly implemented.

You should therefore take a more dynamic approach. One in which individual security measures work together effectively and make up for each other’s weaknesses.

The idea is that if one layer fails, the others still prevent an attack from succeeding. Failing that, they significantly reduce the impact of a successful attack.


Why you need cyber resilience

Here’s what Group CEO Alan Calder had to say about the need for cyber resilience:

It’s long been clear to me that cyber attacks are multi-pronged. The idea that you can repulse them with a single line of defence is just barmy.

Millennia of human history teach that attackers will find their way through multiple lines of defence, and that survival – or what we call ‘resilience’ in business and cyber terms – depends on having more lines of defence than an attacker can overcome.

Many years ago, the way to get into a well-defended, multi-walled fortress was to subvert a gatekeeper to let you in. Even further back, the tactics involved a wooden horse.

But cyber attacks aren’t focused simply on overcoming technical defences. Defence in depth must therefore be based on a GRC [governance, risk and compliance] approach.

Understanding the need for an intelligent, risk-based approach to cyber security drives my view that cyber defence in depth is the secret to survival.

This is reflected in recent EU laws like DORA (the Digital Operational Resilience Act) and NIS 2 (the Network and Information Security Systems Directive). Our head of GRC consultancy, Andrew Pattison, discussed them further in this interview.


How does defence in depth work?

Again, it involves layering your defences, with each making up for another layer’s weakness. It addresses the notion that you’re ‘only as strong as your weakest link’.

Here’s a malware example:

  1. Perimeter defences (firewalls, scanning of incoming emails and downloads, etc.).
  2. Application whitelisting and sandboxing.
  3. Network segmentation and segregation, which also means limiting what user accounts can do – if you control access, code can’t execute outside the infected system.

The broader idea is that, should malware enter, you want to prevent it from executing in an environment where it can do meaningful damage. Failing that, you want to stop the malware from spreading.

This requires an understanding of how malware typically works. As information security manager Adam Seamons explains:

Typically, malware tries to get through the organisational perimeter to individual computers, to spread further within your networks from there.

The malware is looking to compromise a computer, so it can compromise your network account, then look for places to do more damage. Moving from computer to computer, encrypting data on each, for example – that’s a ransomware-type situation. Or the malware may look to jump onto other systems to look for, say, payment card data.


How to approach defence in depth

Adam explains:

The key is to envisage how your controls might be circumvented. You must identify the weaknesses – the parts that are vulnerable – in your process or system.

Those weaknesses are what a smart attacker will find and attempt to exploit – your security system is only as strong as its weakest point.

Also remember that it’s best to have multiple measures within each layer, particularly for prevention. That’s because individual measures typically only reduce the likelihood or the impact of a risk, but not both.

As to the different layers themselves, make sure you’re covering:

1. Prevention

Preventive measures try to stop cyber attacks from succeeding, or a data breach from occurring at all. Failing that, they attempt to reduce the impact of an incident.

To determine what preventive measures are right for your organisation, conduct a risk assessment. This looks to answer questions like:

  • What assets are you trying to protect?
  • How might those assets be compromised?
  • Who or what may compromise those assets?

Risk assessment also lies at the heart of ISO 27001, the international standard for information security management. This standard is an excellent place to start if you want to implement defence in depth.

2. Detection

Preventive measures can fail despite your best efforts. That’s why you need to be able to detect anomalies – suspicious activity that may signal a security incident.

In other words, you need detective measures.

These typically involve automated security monitoring tools, which look for unexpected activity – signs that your defences may have failed. If the tools find something, they should alert a person to investigate and, if necessary, escalate the situation.
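As an added illustration of a detective measure (not part of the original article, and not any particular product's logic), the Python below flags an account that logs on to many distinct machines within a short window, the "moving from computer to computer" pattern described earlier. The log format, account names, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, destination host, logon result.
SAMPLE_LOG = """\
2024-05-14T09:00:05 alice ws-014 success
2024-05-14T09:02:11 bob ws-022 success
2024-05-14T09:15:40 alice fileserver-1 success
2024-05-14T11:30:00 svc-backup ws-001 success
2024-05-14T11:30:20 svc-backup ws-002 success
2024-05-14T11:30:45 svc-backup ws-003 success
2024-05-14T11:31:10 svc-backup ws-004 failure
2024-05-14T11:31:30 svc-backup ws-005 success
2024-05-14T11:32:05 svc-backup ws-006 success
2024-05-14T13:00:00 bob ws-022 success
"""

def parse(log_text):
    """Yield (time, account, host, result); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        except ValueError:
            continue  # unparseable timestamp

def detect_fanout(log_text, window=timedelta(minutes=5), max_hosts=4):
    """Alert once per account that touches more than max_hosts distinct
    hosts inside the sliding window. Failed logons count too, because a
    blocked attempt to spread is still a sign that a layer was bypassed."""
    recent = defaultdict(deque)  # account -> (time, host) pairs in window
    alerts = {}
    for ts, account, host, _result in sorted(parse(log_text)):
        seen = recent[account]
        seen.append((ts, host))
        while ts - seen[0][0] > window:  # drop events older than window
            seen.popleft()
        hosts = {h for _, h in seen}
        if len(hosts) > max_hosts and account not in alerts:
            alerts[account] = {"alerted_at": ts, "hosts": sorted(hosts)}
    return alerts

if __name__ == "__main__":
    for account, alert in detect_fanout(SAMPLE_LOG).items():
        print(f"INVESTIGATE {account}: {len(alert['hosts'])} hosts "
              f"by {alert['alerted_at'].isoformat()}")
```

The alert is a prompt for a person to investigate, not a verdict: a legitimate backup or patching job can produce the same pattern, so the threshold and any allow-list need tuning to your own environment.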

3. Response

Detection is only useful if followed up with a response. Where you’re dealing with a real or potential incident, you’ll need to investigate what’s going on.

Analyse the situation: is the incident real? And do you have to notify a regulator under, for example, the GDPR (General Data Protection Regulation)? If you do, be conscious of reporting deadlines: the deadline is normally within 72 hours of discovery, but can be less, depending on your specific legal requirements.

The broad next steps include:

  • Establishing the exact damage done – i.e. establishing the scope;
  • Containing the incident to stop it from spreading;
  • Eradicating the threat/root cause;
  • Recovering systems; and
  • Post-incident review.

Our free cyber incident response guide goes into more detail.


Want to learn more about cyber defence in depth?

We’re always happy to help. Please get in touch, and we’ll get back to you as soon as possible.



We first published a version of this blog in September 2022.
