
Defense in Depth: Your Security Layers

Defense in depth is a concept used in information security in which multiple layers of security controls (defenses) are placed throughout an information technology system. Its intent is to provide redundancy in the event a single security control fails or a vulnerability is exploited. We divide these controls into 3 core categories: Physical Controls, Technical Controls, & Administrative Controls.

Transcription

TOM: But anyway, welcome to another Deeper Dive Quicklook. This one is defense in depth, and we’re going to talk about layers and we’re going to talk about cheese, we’re going to talk about CEOs, and anything else that comes up. Put your questions in the Q&A box or the chat box. Kindsey and I are monitoring all of that and I’d be happy to go through it. This will only be about 20 or 30 minutes.

Of course, I’m Tom Kirkham, founder and CEO of IronTech. I do these every Tuesday. Sometimes Kindsey does them. I think Brad’s scheduled to do one coming up. Matt’s done one. Once they master it, then you’ll never hear from me again. [laughs] But no, they’re all good at it. They’re really knocking it out of the park every time. This is kind of my bag, but I could give it up if necessary, especially the main webinar.

We did one at 10:00 this morning. I don’t know if there’s anyone on this call that was part of the 10:00, but I have done that one so many times, it gets harder and harder to do it. Although, having said that, it was a very informative webinar, and we upgrade it from time to time, so we added some slides to our main one that, even if you’ve seen our hour-long, broad overview that mentions the framework and some of the other things, there’s still some new stuff in it. If you saw one of those webinars even a couple months or a month ago, we have some new information. I’ve also added it to this because it is somewhat related.

So, let’s get the show going. You’ve heard me talk about this, the onion layers or the onion security model. I always wondered why it was called the onion. I just thought it was the layers, but it’s actually because the more layers there are, the more it makes the hackers cry. So there’s a crying hacker. Sad. He’s a sad hacker with a stupid haircut.

But let’s take a look at the onion. Just to refresh everyone’s memory, the onion model is basically whatever you’re trying to protect is the core of the onion. This gold that you see in this slide is the assets. The cybersecurity framework that we use can be applied to not just IT stuff; it can be applied to any security. For example, your office door lock and video surveillance are two physical controls. It’s two layers of security to help prevent a physical intrusion. So the cybersecurity framework that we use can be used for a lot of different things, and the onion model that we use can be used for a lot of different things.

Now, as you can see here, there’s a lot of different layers and technical and administrative controls and all these different things that you can apply. We look at all of those things. This is the right way to do it.

Another analogy or another model, some vendors refer to this as a Swiss cheese model. In some ways, I like this better because the Swiss cheese model assumes that you have holes. Remember, we’re going to assume there will be a breach one day, and we’re going to play for it. And part of the planning is to deploy different controls to make that breach quicker to respond to and kill it off, and just knowing what to do. In the case of a ransomware attack, are we going to have to restore from backup, and how long is that going to take?

So the Swiss cheese model basically is different layers of cheese, and where those holes do or do not line up, if they don’t line up, then the next layer or the next slice of cheese stops the attack. And you can see that the second and third layer have stopped a couple, but as always, every time we do have a breach and we do a post mortem, which is where we go through and we see what broke – why did this breach occur? Because we want to tweak things. And there’s always something to change. It’s like airplane crashes, shuttle disasters, any major disasters. There’s departments of government and things like that that go through and do a post mortem on it.

I had the privilege of meeting the head of the NHTSA – I think I’ve got that right – that did the first shuttle disaster post mortem. He headed up the department that did that. His dad was a representative from Arkansas. But regardless, these post mortems are what improve our security over time.

Now, sometimes – and more often than not – a breach occurs because of a new technique or a new objective or some new technology that the hackers are deploying. So we learn a lot and all of this. So the Swiss cheese model is another way to look at that. We don’t want those holes to line up. If we do our job right, you do your job right, those holes won’t align.

When we talk about defense in depth, that is a layering tactic – an onion or Swiss cheese, whatever you want to do – and the whole “defense in depth” phrase was conceived of by the National Security Agency, the NSA, the one that I frequently say got hacked. Because anybody can be hacked. If the NSA can be hacked, anyone can be hacked. But basically, it’s a tactic and a philosophy that has a comprehensive approach to information and electronic security.

Now, there is a military term that is similar to this security or infosec term, but it’s slightly different. Sometimes the military strategy – well, almost always, military strategy involves both defensive and offensive depth. You don’t do like the French and have a single layer that they did in World War II. They built a Maginot Line. It was a remarkable feat of engineering, of human achievement, covering vast stretches of geography – at the expense of modernizing their air force, their navy, their army. They poured all of their resources into the Maginot Line. England and others, Germany especially, spent money on air forces and tanks, and artillery too, but not to the degree that the French did.

At any rate, a defense in depth in the military deal is sometimes they’ll retreat intentionally. They’ll yield that space to buy time to do other things, to develop a counterattack if they’re doing it defensively. Sometimes they might even do it offensively. Sun Tzu goes into these things in his book quite a bit.

But this defense in depth basically boils down to the 3 control areas: physical, technical, and administrative. You hear me talk about this every single webinar. We talk about these controls because when you compartmentalize the elements, the layers, you understand each and every technical control that’s part of your stack, you have good administrative policies and procedures – that’s an administrative control – and, where applicable, like biometrics, if you understand what’s available with physical controls, then you know where to implement those as well. So let’s take a look at some examples of that.

These are common layers. I think there’s 3 on here. I’m missing one. Oh, I don’t have backup on here. Well, backup/disaster recovery is one of our core layers. We always put this in. Well, some people don’t get security training. If you can only buy one thing, get security awareness training. But regardless, EDR is part of it. That’s the super turbo deluxe antivirus. Those of you with industrial control systems like SCADA devices need a SIEM. That’s a technical control we put on the network that analyzes logs from Internet of Things. That’s what an ICS is, or a SCADA device. It is an Internet of Things. We can pull a log from a Nest thermostat, a home thermostat. We can pull a log from my Echo clock, from my Alexa speaker system.

We can pull logs from these devices. It doesn’t matter what the operating system is. We don’t install anything on the device. That’s why we don’t care what the OS is. We just want to be able to pull the log, and then we analyze those logs for abnormal events. And it’s near real-time, so yes, we can still – and it uses artificial intelligence and some other stuff to alert us, because this is a tremendous amount of data that’s coming in. So it has the smarts to alert us and anything that we need to check, and through administrative controls we can specifically mark things for alerting us or turn certain alerts off.

Security training, that’s another layer. That’s the one you’ve got to do. That’s an administrative control with a technical component – the actual website and technology that we provide for you to keep everybody up to date and score them and see how your entire organization is doing. But it starts first and foremost with that administrative layer.

I mentioned biometrics already. Data handling and access policy, I mentioned that already. I think I did. Might’ve been the run-through. But data handling, if you need to leave the office and you put something on your laptop, make sure data at rest is always encrypted. Even if it’s in your office, it should always be encrypted because somebody could break in and steal a server. It doesn’t happen as much anymore because computers are less expensive, so people aren’t generally stealing computers for just the computer itself. If they’re going to steal it – well, I think you’d be a pretty dumb criminal to break into a law office or a water utility office and steal a server and not look and see what datasets you’ve got first before you try to find somebody to buy the server, fence it. You want to see if there’s a dataset that can be put on the Dark Web and sold and see how much money that’s worth. It should be worth by far more than that laptop or that server or whatever it is you stole.

Of course, we always do password complexity requirements. Those are administrative controls. And a spam filter is a technical control. It’s technical with administrative controls. The administrative controls are how tight or how loose is the spam filter, and those dials are set as a function of the culture, the personality of the client or the company, and most of the time we don’t change ours. It fits the vast majority of our clients. But our clients aren’t SpaceX. They’re not Lockheed Martin. Those organizations have much, much tighter spam filters, much different complexity requirements, much different biometrics.

And it’s not only that they need to protect things even more seriously; they have larger budgets, too. So the more budgets you have, the more layers we can add to the onion. But no one’s budget is unlimited. Theoretically, the NSA’s budget is unlimited, but they got hacked. And it was through social engineering, just like the Twitter hack. What was that, about a month ago, I think? That Twitter hack was through social engineering Twitter engineers.

Incidentally, IT people are more likely to fall for a phishing attack than finance, media companies. So if you’ve got an IT staff, if they’re not security specialists – and even our security specialists have fallen for it. In fact, we get spear phished all the time, and it usually gets through one layer of that Swiss cheese. We’ve got more layers.

If we get a spear phishing attack and they’re wanting money wired to an account in New York, that’s got to go through some accounting controls. That’s another layer. Accounting controls is an administrative layer that can be – and your security team should know this, but those accounting controls are put in there as administrative controls, and it’s a part of your overall security strategy. I can’t stress this enough: Infosec is not a subset of IT, and we’re going to talk about that a little bit later.

As all of you know, the NIST CSF, or Cybersecurity Framework – maybe you don’t know – it’s got those 5 things to it. You can boil it down to “do these 5 things.” If you want to implement a good cybersecurity and dramatically improve your security posture, you do these 5 things. You identify what needs to be protected. I’ve got industrial control systems, I’ve got accounting files, I’ve got customer files, I’ve got legal documents and so on. I’ve got to protect all that stuff.

Then you look at, what do I need to protect it? I need encryption. Data at rest has to be encrypted. I don’t need everybody in the company to be able to access the QuickBooks files. Even if they don’t have QuickBooks on their computer and they can’t open the file, you still don’t want to let them have access to that network share because that creates another attack vector for a ransomware attack. Because ransomware will search everything on the network it can get access to, and if that QuickBooks folder is shared to everyone on the network but there’s only 2 people using QuickBooks, 1 of the other 8 people in your office can fire off a ransomware attack. And even though they don’t use QuickBooks, it still hits it and it still compromises it and locks up the data.

You’ve got to deploy things to detect it. This is a combination of technical controls with human beings. Most of our stuff, if not all of it, technically, human beings are monitoring constantly.

And then if you have an event, you’ve got to have a response plan. And if you have an event that is serious enough, you’ve got to have a recovery plan.

We talk about this in the main webinar, and we may do a Deeper Dive on this, because there’s a lot more to the Cybersecurity Framework in the details of these 5 things. But at a high level, if you do these 5 things and you’ve got them planned and covered, you’re going to be ahead of 99% of the organizations out there. It’s mind-boggling how poor our security is as a country of companies and utilities and law firms and accountants and things like that.

If you’ve seen the main show, you’ve seen this before. If you do these 3 things – security awareness training, an EDR or an MDR, which is what we do, and then you’ve got a good backup and resilience plan or disaster recovery plan, or business continuity plan – with our stuff, you’re going to have at least 2 layers for all 5 of the NIST Cybersecurity Framework things you need to do to be secure. Those 3 tools, in our case, will get you at least 2 layers on all 5 of those things.

The other examples of layers continue to build upon this. Some of the things are just like an intrusion detection system. That hits the detection part of the NIST Cybersecurity Framework. A managed EDR, like we use – and we orchestrate response – hits the “respond” category of the framework. Identifying core assets is all of our job. What do we need to protect? Is it a QuickBooks file? Is it an ICS or a SCADA device? We’ve got to identify those things and then build a plan for protecting it, detecting intrusions, and so on.

And recover, one of our EDRs can actually automate a recovery of a ransomware attack, but just in case it fails – which it never has so far – we’ll also have a backup plan with backup and resilience. Those will be implemented through both technical controls and administrative controls.

Here’s a bad thing. It’s frightening when I see companies that outsource their IT. Now, that’s not a bad thing in and of itself, but if they’re not paying someone to look at the backups and verify that they’re there and verify that they’re going to be able to recover – and there’s lots of different ways to do this; it’s a function of time and money. The shorter your downtime that you require, the more expensive it is. It’s that simple. You can say, “We can tolerate being down for a couple of hours because to get to where it’s 5 minutes, our budget will have to balloon up 300%.” Now, we do have a real inexpensive solution that you can get literally up and running, with certain systems, in minutes. And almost all of the data can be recovered. Depending on the dataset size, we can get that going – sometimes recovery is about you prioritize what needs to be recovered first. It’s a function of time and money. The shorter the time, the more money it costs.

If you’ve seen the main webinar, you’ve seen this before, but there’s a lot more stuff we could go into. But you still want to look at other layers, and chances are you have other layers. In fact, I know you do because you’ve got a firewall on your network. That’s yet another layer.

Most of the people on this call have not got a proactive firewall, and it probably has ports open that it shouldn’t for compatibility. That’s where a company like us comes in and says, “Let’s scan the network and see what is open through the firewall.” We’ll make a decision on closing or opening more ports.

Now, this slide is something new that we’ve added. This is the way an organization chart should be structured. It doesn’t matter if you’re not a Fortune 500 company that’s got a CFO and a Chief Marketing Officer and a Chief Information Officer. You need to think about these as roles, and the duties corresponding to those roles. Regardless of who’s wearing the operations hat, that role needs to be filled, and each one of these has different objectives and things that they’re responsible for.

This is the correct chart. Notice an MSSP. That’s what IronTech is. It’s a managed security services provider. You guys that outsource may be using what we call in the business a break/fix IT guy or gal or company that charge by the hour, time and materials. Some of you may be using an MSP, and they may be monitoring your backups and checking them periodically and reporting on them and letting you know that it’s all good – or letting you know that it failed last night. That’s fine too.

But what you can’t expect them to do is to do post mortems. You can’t expect them to continuously monitor for intrusions. You can’t expect them to have really good administrative controls around security, because IronTech’s #1 job is to make you as secure as possible, and that fundamentally conflicts with IT’s main objective, which is to make the network run as efficiently and as productively as possible. They want to keep everybody productive. They want to cut down on help desk.

One of our deals is, if you are suspicious and you get a bad feeling in your stomach, you’ve got bad vibes on this email you just got, we want you to call and have us check it out and make sure it’s legit, and it’s not going to open up a can of worms. Or a can of ransomware worms.

Accounting, “Cybersecurity is too expensive” or “That new server is too expensive.” Depending on what department you are, the finance guy or gal has fundamental opposition. Now, in a company that has different people wearing these different hats, those things are worked out between them. They’re compromised on. “Okay, I’ll loosen security a little bit for maybe accounting, but I won’t budge on this one. But I’ll budge on what you need.”

In the event that we can’t work that out, we’ve got to go to the CEO because ultimately, if you get breached, your head’s on the chopping block. They’re not going to go to accounting and fire the accounting person because they demanded that the QuickBooks be open to everybody on the network because that’s not their area of expertise. That’s the CISO, or the virtual CISO in our case. That’s Chief Information Security Officer, is what that stands for.

And now Harvard Business Review just went through this, and some other executive business management organizations are saying this is the way it should be done. And we’re starting to see that in Fortune 500 companies. That’s why I wanted to bring this up. The MSSP – let’s say you’re using Bill’s IT Company for your outsourced break/fix stuff and you’re using IronTech for your security stuff. I need a direct path of communication to the CEO. If Bill and I disagree about something, we both go to the CEO because his head is who’s responsible. The buck stops with the CEO. If I can’t agree with accounting, if I can’t agree with marketing, if I can’t agree with operations, we both go to the CEO because he’s the one that’s ultimately responsible for this.

Now, they are changing – we’re beginning to see security get to the board. So when the board starts looking into security, they’re checking up on the CEO. But right now, if you have to answer to a board and you have a security breach, and it was something that you could’ve prevented, the board would be well within their right to fire you. But some board members are taking it a step further. I know the boards that I work on – not only is coronavirus part of it, but so is security. But that’s because that’s my specialty. The coronavirus, the COVID-19 thing is not, but it’s become one. Not the COVID cyberthreats, but the actual COVID infection stuff. It’s kind of related. Viruses are viruses are viruses, right?

The main takeaway from this – I don’t want to beat it too much. The main takeaway is security is not a subset of IT. It’s not, and it shouldn’t be. That would be like putting accounting under IT, or marketing under IT. It’s got to be equal footing, and it’s got to have a direct path to the CEO because ultimately the CEO understands the risk to his business. It could be a fire risk, it could be a physical theft risk. But with the way that the business is growing right now, it is absolutely a cybersecurity risk analysis that he has to know and understand what position he has put his company in, or not put his company in.

That went a little longer than I intended. Q&A time. You guys know all the contact stuff, and you’ve seen the little boy there. That’s to make it easy. We can make it all easy for you. If you haven’t done a high-level security assessment, let us know and let us get you on the calendar. We’re doing, what, 4 webinars this week, Kindsey?

KINDSEY: Yes, 4.

TOM: We’ve got 4 webinars this week, and the sooner you can get on the calendar to get a security assessment, the better off you’re going to be. It’s not going to take much of your time. We’re not high-pressure sales. In fact, I’m about as high pressure as you’re going to hear. Well, maybe Brad a little bit.

But at any rate, it’s not high pressure because we know everybody that’s on these webinars needs it. We just want you to know that you need to get on there and get this done and get it behind you to at least get an idea of what your costs are and things like that. But we also continue doing these education things because when you are ready, we’ll be here for you.

But I would encourage you – I really don’t know why everyone doesn’t schedule a security assessment. But at any rate, I don’t see any questions.

KINDSEY: Doesn’t look like it.

TOM: What’s next week’s Deeper Dive?

KINDSEY: It’s about phishing. It’s titled, “Phishing: Don’t Get Hooked!”

TOM: Oh yeah. Who’s doing that one?

KINDSEY: Brad will be doing that one.

TOM: Brad?


TOM: Oh wow. Is he going to give away fishing lures? [laughs] I ought to turn my camera on and show everybody. Where’s that fishing lure? I’ll give it to Brad. He can surprise everybody with it. There we go.

All right, thanks, everybody, for attending. I hope you learned something. You keep coming to these things, keep taking notes, pretty soon you’ll know everything that I know and Kindsey knows and Brad knows and Matt knows. And then you know everything that you know, and that makes you smarter than any of us. We’ll see you next time.

KINDSEY: Bye, guys.