Defense in depth is a strategy that entails applying multiple layers of protection to deter and prevent successful attacks. In military terms this involves multiple lines of defense instead of a single fortified defense. The theory is that if attackers are forced to break through multiple defense lines to achieve their goal the attack will lose momentum before achieving success – they may break through the first or second line of defense but give up before achieving their goal.
In information security the strategy is similar, applying multiple layers of defense, but often the purpose is to enhance detection as well as deter attackers. Enhancing detection can occur through either forcing the attacker to touch more systems and perform more reconnaissance or through extending the amount of time necessary for a successful attack, both of which give automated detection systems and log monitors time to recognize and correlate the attack activities and take appropriate action.
In practice, defense in depth can take many forms. The recent CryptoLocker malware provides an example of a situation in which defense in depth has worked well for us at Davenport. We have three main layers of defense that have thus far prevented any infections or serious damage from CryptoLocker:
- Email filters. Incoming email is filtered by our Google services for both spam and malware. Many of the emails we have received over the past two months have contained CryptoLocker malware and have been correctly quarantined by our Google filtering services. One subject line that appeared on many of the messages received by Davenport employees was: “Authorization to Use Privately Owned Vehicle on State Business”. Quarantining incoming messages buys additional time for the other layers of protection to update their detection signatures.
- OpenDNS. We use the OpenDNS service to filter malware and botnet traffic. This service protects all devices that are attached to Davenport’s wired or wireless networks. Details on OpenDNS’s protections against CryptoLocker can be found here and here.
- Endpoint protection. All Davenport-managed devices (servers, desktops, laptops, etc.) employ malware protection technology, involving both software execution control policies as well as antivirus detection and removal software. Software execution control policies specify where software is allowed to start from on a system – if it is launched from a non-approved location it will not run. Antivirus, although seen by some as an outdated method of protection, still plays an important role in keeping our systems safe from current threats – all threats investigated by the security team were detected by our current antivirus solution and prevented from infecting the machine.
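The software execution control layer described above can be modelled as a path-based allow-list check. The following is an added example (not Davenport's policy or any vendor's product): the approved roots and denied subtrees are constructed assumptions modelled on common Windows defaults, and the sample launch paths are constructed. It also covers the two edge cases such a policy must handle, user-writable directories beneath an approved root and `..` path traversal, which are not spelled out in the text.

```python
import ntpath

# Constructed policy (assumption): approved, admin-controlled roots.
APPROVED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Subtrees under an approved root that ordinary users can write to. Launches from
# these must still be denied, otherwise the allow-list is trivially bypassed.
DENIED_SUBTREES = (r"C:\Windows\Temp", r"C:\Windows\Tasks")


def _normalize(path):
    """Collapse '.' and '..', unify separators and lowercase (NTFS is case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))


def _is_under(path, root):
    """True if path is root itself or lies beneath it. The trailing separator check
    prevents 'C:\\Program Files (x86)' from matching the root 'C:\\Program Files'."""
    path, root = _normalize(path), _normalize(root)
    return path == root or path.startswith(root.rstrip("\\") + "\\")


def evaluate_launch(exe_path):
    """Return (decision, reason) for a requested executable launch."""
    drive, _ = ntpath.splitdrive(exe_path)
    # Relative paths and UNC shares are not admin-controlled locations on this host.
    if not drive or drive.startswith("\\\\") or not ntpath.isabs(exe_path):
        return ("deny", "relative or UNC path")
    # Denied subtrees are checked first because they sit inside an approved root.
    for sub in DENIED_SUBTREES:
        if _is_under(exe_path, sub):
            return ("deny", f"user-writable location {sub}")
    for root in APPROVED_ROOTS:
        if _is_under(exe_path, root):
            return ("allow", f"approved location {root}")
    return ("deny", "not in an approved location")


if __name__ == "__main__":
    # Constructed sample launches, including a user-profile path like those
    # ransomware droppers typically write to, and a '..' traversal attempt.
    for exe in (r"C:\Windows\System32\notepad.exe",
                r"C:\Users\bob\AppData\Roaming\dropper.exe",
                r"C:\Windows\Temp\stage2.exe",
                r"C:\Program Files\..\Users\bob\stage2.exe",
                r"\\fileshare\drop\tool.exe"):
        decision, reason = evaluate_launch(exe)
        print(f"{decision:5} {exe}  ({reason})")
```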
Using these successive layers of defense we have so far experienced no CryptoLocker infections. That is a clear sign that defense in depth can be highly effective in information security.