The previous article in this series illustrated why a layered security approach to Cybersecurity is important from the standpoints of both a business/enterprise and its customers. In this third and final article, author Ravi Das lays out the components of a layered security approach, including those that prevent and others that detect Cyberattacks.
The Components of a Layered Security Approach
When trying to craft a Layered Security Model for your organization, it’s very important to first create a plan for it, test it out in a Sandbox-like environment (a controlled setting where you exercise all of the security layers you plan to implement), and, if all goes well, deploy them into the actual production environment. In fact, the Layered Security Model you ultimately decide upon should be a part of your overall Security Plan.
Next, we’ll review the important components to be included in an overall, Layered Security Model. Broadly speaking, there are two types of components:
- Preventative Security Components: These are tools that allow the CIO/CISO and their respective IT Security staff to mitigate Cyberthreats as much as possible before they become a reality.
- Detective Security Components: These are tools that also permit the CIO/CISO and their team to take a proactive security stance when it comes to combatting Cyberthreats. Being proactive in this regard means that steps are being taken ahead of time to thwart any potential risks to the organization. Typically, these would be used in a Threat Hunting or Penetration Testing exercise.
Preventative Security Components
Preventative Security Components include the following:
- Malware/Spyware Detection. Typically, this primarily involves deploying the appropriate Anti-malware and Anti-spyware software packages on all of an organization’s servers, workstations, and wireless devices. However, deploying such software is not enough; to be effective, the IT Security staff must put a regular schedule in place and keep the software updated according to it.
- Software Upgrades. The IT Assets described above also need regularly scheduled and timely software updates. In this regard, Microsoft releases its software patches on the second Tuesday of every month; this is known as “Patch Tuesday.” Bulletins are normally published immediately following the release of these patches, which classify them as Immediate, Medium, or Low priority. (Learn more about this at Microsoft’s security guidance portal.)
- System Hardening. When a new security tool is first acquired, it is normally configured with the default thresholds set by the vendor. Keep in mind that these are only minimal, and will likely not help prevent a major Cyberattack from occurring. For that reason, it’s important that the IT Security team take the time to carefully ascertain what the real requirements are for their particular environment and set those thresholds accordingly before deploying these new tools.
- Network Access Control. Network Access Control involves two critical aspects: appropriate devices, and appropriate permissions.
  - The deployment of the appropriate devices. This involves the implementation of the Routers, Firewalls, and Network Intrusion devices that constitute a major part of your lines of defense. In this regard, it is very important to get away from the mindset that deploying more hardware is better. The truth is that this only increases the attack surface available to the Cyberattacker. Instead, a risk analysis should be done first, to determine where hardware devices should be strategically placed.
  - Establishing appropriate permissions. In this regard, a perfectly balanced set of rights and privileges should be established to give your IT Security staff and other employees exactly the access they need to conduct the daily tasks required for their positions. The mantra here is: “No More, and No Less.” These permissions should be reviewed on a regular basis to make sure that no employee (or unauthorized user) is gaining illegitimate access to any IT Asset.
- The use of Encryption. Any information and/or data that is being transmitted within the organization, and especially externally, must be encrypted at the highest levels possible. In most circumstances, this would involve the use of 1026 Bit Encryption. If the business or corporation is large enough, then a Public Key Infrastructure (PKI) should be used, in which Public and Private Key pairs are used for the purposes of Encryption and Decryption.
- Security Awareness Training. This is probably one of the most crucial components of a Layered Security Model. Employees must be trained on a regular basis (at least once a quarter) on how to identify Cyberthreats that are both external and internal (especially Insider Threats) to the organization, and how to maintain the proper levels of “Cyber Hygiene.”
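The “No More, and No Less” rule for permissions is easiest to enforce when it is checked mechanically rather than by eyeballing a spreadsheet. The following is an added example, not code from the article or from any product it mentions: it compares each account’s actual grants against the entitlements its role is supposed to carry and reports anything in excess (too much access), anything missing (too little), and grants still attached to deactivated accounts. The roles, permission names and accounts are constructed sample data.

```python
"""Least-privilege review: actual grants versus role entitlements.

Added example (not the article's own code). Every role, permission and
account below is a constructed assumption made for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Entitlement matrix: the exact permissions each role is expected to hold.
# Assumed role and permission names; a real review would load these from the
# organization's identity/role definitions.
ROLE_ENTITLEMENTS: dict[str, frozenset[str]] = {
    "helpdesk": frozenset({"ticket:read", "ticket:write", "user:reset_password"}),
    "sec_analyst": frozenset({"siem:read", "siem:search", "ticket:read", "edr:isolate_host"}),
    "payroll": frozenset({"hr:read", "payroll:read", "payroll:write"}),
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    grants: frozenset[str]
    active: bool = True


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str  # "excess", "missing", "orphan" or "unknown_role"
    permissions: frozenset[str] = field(default_factory=frozenset)


def review_account(acct: Account) -> list[Finding]:
    """Return the deviations of one account from its role's entitlements."""
    findings: list[Finding] = []
    if not acct.active:
        # A disabled account should hold nothing; leftover grants are an orphan.
        if acct.grants:
            findings.append(Finding(acct.user, "orphan", acct.grants))
        return findings
    expected = ROLE_ENTITLEMENTS.get(acct.role)
    if expected is None:
        # A role nobody defined cannot be compared; flag it for a human.
        findings.append(Finding(acct.user, "unknown_role", acct.grants))
        return findings
    excess = acct.grants - expected    # "more" than the role allows
    missing = expected - acct.grants   # "less" than the role needs to do the job
    if excess:
        findings.append(Finding(acct.user, "excess", excess))
    if missing:
        findings.append(Finding(acct.user, "missing", missing))
    return findings


def review_all(accounts: list[Account]) -> list[Finding]:
    """Run the review over every account and flatten the findings."""
    findings: list[Finding] = []
    for acct in accounts:
        findings.extend(review_account(acct))
    return findings


# Constructed sample accounts: one clean, one over-privileged, one under-
# privileged, one deactivated but still holding grants, one with a stray role.
SAMPLE_ACCOUNTS = [
    Account("asmith", "helpdesk", frozenset({"ticket:read", "ticket:write", "user:reset_password"})),
    Account("jdoe", "helpdesk", frozenset({"ticket:read", "ticket:write", "user:reset_password", "payroll:write"})),
    Account("rlee", "sec_analyst", frozenset({"siem:read", "ticket:read"})),
    Account("former_emp", "payroll", frozenset({"payroll:read"}), active=False),
    Account("contractor1", "vendor_admin", frozenset({"siem:read"})),
]

if __name__ == "__main__":
    for f in review_all(SAMPLE_ACCOUNTS):
        print(f"{f.user:12} {f.kind:13} {sorted(f.permissions)}")
```

Run on a schedule, the `excess` and `orphan` findings are the ones to act on first; `missing` findings are usually tickets to raise with the role owner rather than security incidents, but they still matter because staff who lack access tend to borrow someone else’s.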
Detective Security Components
Detective security components include the following:
- The Use of Change Management. Any change or configuration that is going to be implemented in the IT Infrastructure must be assessed before it is deployed. The primary reason for this is that any change could have a cascading effect upon add-ons that have been implemented within the main system. Such a cascading effect will only create more gaps and holes for the Cyberattacker to covertly penetrate the system and cause even more damage. Thus, it is very important to make use of a good Change Management tool to ensure that all changes are effectively and safely managed.
- File Integrity Monitoring. In this scenario, all files that are sent as attachments within Email messages (both inbound and outbound) must be scanned to see if they contain any malicious links, macros, or corrupted .EXE files. Firewalls and Routers can be of great help here, since if they detect anything untoward, those respective data packets will be dropped immediately and won’t make their way into the business or corporation.
- The Use of Log Monitoring Tools. This is one of the best weapons that an IT Security staff can have in their arsenal. Log files contain extremely detailed information and data on all activity that transpires within an IT and Network Infrastructure. This includes the servers, software applications, workstations, wireless devices, and even the network devices. The typical events that are captured in a log file include the following:
  - What happened within a system
  - Who did it
  - When it transpired
  - Where the event occurred
  The use of Artificial Intelligence (AI) can be a great boon here, as it can analyze a log file in a matter of seconds and alert the IT Security staff of any unusual behavior or anomalies.
- Vulnerability Management. Exercises must be conducted on a regular basis to unearth any system vulnerabilities or weaknesses, especially those that have gone unnoticed for long periods of time. As mentioned earlier in this article, the use of Threat Hunting and Penetration Testing tools will discover such weaknesses and will even recommend steps to remediate the problem.
- The Use of Incident Alerting Tools. These tools alert the IT Security staff of any anomalous or malicious behavior that is taking place. Their main disadvantage is that they can generate a lot of false positives, which leads to the time-consuming process of combing through all of the alerts to determine which threats are real and which are not. Once again, using Artificial Intelligence (AI) can be of great help here, as it can filter the alerts and warnings to determine which are genuine. At that point, the viable warnings can be triaged and acted upon in a quick and expedient manner.
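The File Integrity Monitoring item above describes attachment scanning for macros and disguised executables. As an added example (not the article’s code, and not any particular gateway product), the block below screens attachments by content rather than by file name alone: it recognizes a Windows executable by its `MZ` header whatever the file is called, detects a macro-enabled Office document by looking for the `vbaProject.bin` member inside the document’s zip container, and flags double extensions such as `photo.jpg.exe`. The attachment samples are constructed in memory; the extension list and the decision to return reasons rather than a verdict are assumptions of the example.

```python
"""Content-based attachment screening (added example, not the article's code).

Sample attachments are built in memory so the script runs offline.
"""
from __future__ import annotations

import io
import zipfile

# Assumed extension denylist; a real gateway policy would be longer.
EXEC_EXTENSIONS = {"exe", "dll", "scr", "com", "bat", "cmd", "js", "vbs", "ps1"}
# Macro-enabled Office files are zip containers holding a VBA project
# (word/vbaProject.bin, xl/vbaProject.bin, ...), so the member name is the tell.
MACRO_MEMBER = "vbaproject.bin"


def is_pe(data: bytes) -> bool:
    """Windows PE files start with the 'MZ' DOS stub regardless of their name."""
    return data[:2] == b"MZ"


def has_vba_macro(data: bytes) -> bool:
    """True if the bytes are a zip container with an embedded VBA project."""
    if data[:4] != b"PK\x03\x04":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(MACRO_MEMBER) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # corrupt container: not a macro hit, other checks still run


def double_extension(filename: str) -> bool:
    """photo.jpg.exe style names: an executable suffix hidden behind a benign one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTENSIONS


def screen_attachment(filename: str, data: bytes) -> list[str]:
    """Return the list of reasons to block; an empty list means allow."""
    reasons: list[str] = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append("executable extension")
    if is_pe(data):
        reasons.append("PE executable content")
    if has_vba_macro(data):
        reasons.append("VBA macro project embedded")
    if double_extension(filename):
        reasons.append("double extension")
    return reasons


def screen_all(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    return {name: screen_attachment(name, data) for name, data in attachments.items()}


def build_office_doc(with_macro: bool) -> bytes:
    """Construct a minimal Office-style zip container for the sample set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (not real files).
SAMPLE_ATTACHMENTS: dict[str, bytes] = {
    "invoice.pdf": b"%PDF-1.7 constructed sample",
    "report.docx": build_office_doc(with_macro=False),
    "quarterly.docm": build_office_doc(with_macro=True),
    "photo.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "update.pdf": b"MZ\x90\x00" + b"\x00" * 60,  # executable renamed to look like a PDF
}

if __name__ == "__main__":
    for name, reasons in screen_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name:16} {'ALLOW' if not reasons else 'BLOCK: ' + ', '.join(reasons)}")
```

The `update.pdf` case is the reason content checks matter: an extension-only filter passes it, while the `MZ` check catches it.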
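The Log Monitoring and Incident Alerting items above describe a pipeline: log lines are reduced to what, who, when and where; rules raise alerts; and the alert stream is filtered so that analysts are not buried in false positives. The following is an added example that is not from the article and does not represent any product it mentions: it parses a handful of constructed log lines into those four fields, applies three simple detection rules, then triages the resulting alerts by suppressing one known-benign pattern and collapsing duplicates, sorted by severity. The log format, host and user names, the off-hours window and the failure threshold are all assumptions of the example.

```python
"""Log events -> alerts -> triaged alerts (added example, not the article's code).

The log format (ISO-8601 timestamp followed by key=value pairs), the rules and
every name below are constructed assumptions for the illustration.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log; not real data.
SAMPLE_LOG = """\
2024-03-11T02:14:07Z host=fs01 user=jdoe action=login result=failure src=10.0.5.23
2024-03-11T02:14:19Z host=fs01 user=jdoe action=login result=failure src=10.0.5.23
2024-03-11T02:14:31Z host=fs01 user=jdoe action=login result=failure src=10.0.5.23
2024-03-11T02:14:40Z host=fs01 user=jdoe action=login result=failure src=10.0.5.23
2024-03-11T02:14:44Z host=fs01 user=jdoe action=login result=success src=10.0.5.23
2024-03-11T02:30:00Z host=bk01 user=svc_backup action=login result=success src=10.0.9.8
2024-03-11T09:05:12Z host=ws17 user=asmith action=login result=success src=10.0.7.4
2024-03-11T09:06:40Z host=ws17 user=asmith action=add_local_admin result=success src=10.0.7.4
"""

LINE_RE = re.compile(r"^(?P<when>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Event:
    what: str       # "action:result", e.g. "login:failure"
    who: str        # user
    when: datetime  # UTC timestamp
    where: str      # host
    src: str        # source address, if logged


def parse_log(text: str) -> list[Event]:
    """Reduce each line to the what/who/when/where the article lists."""
    events: list[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than stop monitoring
        kv = dict(p.split("=", 1) for p in m["kv"].split())
        when = datetime.strptime(m["when"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(f"{kv['action']}:{kv['result']}", kv["user"], when, kv["host"], kv.get("src", "?")))
    return events


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: int  # 1 = low, 3 = high
    who: str
    where: str
    detail: str


# Assumed rule parameters.
PRIVILEGED_ACTIONS = {"add_local_admin"}
ADMINS = {"jdoe"}
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)
OFF_HOURS_END = 6  # logins before 06:00 UTC are unusual in this sample org


def detect(events: list[Event]) -> list[Alert]:
    """Raw alerts from three rules; deliberately noisy, triage comes next."""
    alerts: list[Alert] = []
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for e in events:
        if e.what == "login:failure":
            window = failures[(e.who, e.src)]
            window.append(e.when)
            window[:] = [t for t in window if e.when - t <= FAIL_WINDOW]
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(Alert("repeated_login_failure", 2, e.who, e.where, f"{len(window)} failures from {e.src}"))
        if e.what == "login:success" and e.when.hour < OFF_HOURS_END:
            alerts.append(Alert("off_hours_login", 1, e.who, e.where, f"login at {e.when:%H:%M} UTC"))
        action = e.what.split(":", 1)[0]
        if action in PRIVILEGED_ACTIONS and e.who not in ADMINS:
            alerts.append(Alert("unexpected_privileged_action", 3, e.who, e.where, action))
    return alerts


# Known-benign pattern: the backup service account runs at night by design.
SUPPRESSIONS = {("off_hours_login", "svc_backup", "bk01")}


def triage(alerts: list[Alert]) -> list[tuple[Alert, int]]:
    """Drop suppressed alerts, collapse duplicates (keeping a count), sort by severity."""
    kept = [a for a in alerts if (a.rule, a.who, a.where) not in SUPPRESSIONS]
    counts = Counter((a.rule, a.who, a.where) for a in kept)
    seen: set[tuple[str, str, str]] = set()
    out: list[tuple[Alert, int]] = []
    for a in kept:
        key = (a.rule, a.who, a.where)
        if key in seen:
            continue
        seen.add(key)
        out.append((a, counts[key]))
    out.sort(key=lambda pair: -pair[0].severity)
    return out


if __name__ == "__main__":
    for alert, n in triage(detect(parse_log(SAMPLE_LOG))):
        print(f"sev={alert.severity} x{n} {alert.rule:28} {alert.who}@{alert.where} {alert.detail}")
```

The sample produces five raw alerts but three triaged ones: the backup account’s night-time login is suppressed, and the two firings of the failed-login rule collapse into one line with a count. Keeping the count matters: a collapsed alert that fired fifty times is a different conversation from one that fired twice.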
Conclusion: Additional Benefits of Layered Security
This article series has examined what Layered Security is, why it is important, as well as its relevant controls and components. Using this kind of approach is a must these days, given the dynamics of the constantly changing Cyber Threat Landscape. But there are other benefits as well, and they include the following:
- When a Layered Security Approach is used, there are much higher statistical odds of fighting off different kinds of Cyberattacks, such as Ransomware, Business Email Compromise (BEC), Trojan Horses, Worms, Viruses, Malware, and Distributed Denial of Service (DDoS) attacks.
- Using multiple layers of security will make your lines of defense much more efficient and effective in capturing a potential Cyberattacker early on.
- Potential Cyberthreats have a greater statistical probability of being detected early in the process when there are multiple layers of security in place. This can greatly reduce the risk of a company experiencing downtime if their system is hit by a Cyberattack.
- Because many tiers of security are being used, the IT Security team is less burdened, and this translates into financial savings for the organization as well as increased worker productivity.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc., and possesses the Certified in Cybersecurity (CC) cert from the ISC2.