Five defense-in-depth layers for business security success
Here are the ideal steps your organization can take toward true defense-in-depth across the entire enterprise
Defense in depth is a simple enough idea, similar to the closely ranked Roman centuries of the ancient world, with the next line of soldiers waiting for any enemy who hacked through the front rank. We can use this (albeit less violently) as a cybersecurity strategy to protect the most sensitive data at the heart of any organization’s IT environment. But where the Romans faced a battlefield with a clear front line, the cyber battlefield is complex and multidimensional. The average employee has access to more than 30 business applications and accounts – any of which can be privileged, and therefore a target. IT teams need to understand which areas of workforce access pose the most risk in order to assemble their ranked defenses.
The first step, of course, is to figure out where these extra layers of defense should go. The easiest way is to follow the data, as available research shows us the areas of the workforce’s IT landscape that are most at risk. Predominantly, it shows that attackers have moved away from targeting traditionally privileged IT administrators to target the broader workforce instead. It’s easy to see why: more than half of organizations’ workforces have direct access to sensitive corporate data, and they work from a variety of locations on many different devices.
The five workforce areas at greatest risk
Weak or disruptive authentication mechanisms
80 percent of breaches begin with compromised credentials, so we know that single-factor authentication isn’t enough. Multi-factor authentication (MFA) is now the industry standard, but just as we innovate, attackers have developed their own ways to circumvent legacy MFA policies, such as tampering with QR codes, hijacking cookies, and MFA bombing.
The defensive team: instead of simply adding more layers of authentication, make the existing ones smarter and more autonomous. Security teams should use behavioral analytics and automation to understand individual users’ access habits and build, over time, the context for what constitutes risk. This avoids forcing users to jump through multiple hoops, while allowing smart controls to stop a threat with extra layers of defense – such as additional MFA factors – only when necessary.
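The context-aware step-up described above, as an added example that is not from the original article or from CyberArk: a login is scored against a learned baseline of the user’s habits, a step-up factor is required only when the score warrants it, and a flood of push prompts to one user (MFA bombing) is treated as an attack signal rather than another chance to approve. The baseline, weights and thresholds are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Baseline:
    """What the user's past sign-ins look like (constructed sample, not real telemetry)."""
    known_devices: set
    usual_countries: set
    usual_hours: range                              # local hours the user normally signs in
    push_log: list = field(default_factory=list)    # timestamps of MFA pushes already sent

@dataclass
class Attempt:
    user: str
    device_id: str
    country: str
    when: datetime

def score_risk(attempt: Attempt, base: Baseline):
    """Add weight for each deviation from the baseline; return (score, reasons)."""
    score, reasons = 0, []
    if attempt.device_id not in base.known_devices:
        score += 40; reasons.append("unknown device")
    if attempt.country not in base.usual_countries:
        score += 30; reasons.append("unusual country")
    if attempt.when.hour not in base.usual_hours:
        score += 15; reasons.append("outside usual hours")
    return score, reasons

def push_flood(base: Baseline, now: datetime, window=timedelta(minutes=5), limit=3) -> bool:
    """MFA bombing shows up as many pushes to one user inside a short window."""
    return sum(1 for t in base.push_log if now - t <= window) >= limit

def decide(attempt: Attempt, base: Baseline):
    """Return (decision, score, reasons); thresholds are illustrative assumptions."""
    score, reasons = score_risk(attempt, base)
    if score >= 70:
        return "block", score, reasons + ["alert SOC"]
    if score >= 30:
        if push_flood(base, attempt.when):
            # Stop prompting: the user is being bombed, not verified. Lock and alert.
            return "block", score, reasons + ["push flood"]
        base.push_log.append(attempt.when)
        return "step_up", score, reasons            # require a second, phishing-resistant factor
    return "allow", score, reasons

def demo():
    """Constructed scenario: normal login, risky login, then repeated prompts from a new device."""
    base = Baseline({"lt-1234"}, {"GB"}, range(7, 20))
    day = datetime(2024, 3, 4, 10, 0)
    out = [decide(Attempt("alice", "lt-1234", "GB", day), base)[0],
           decide(Attempt("alice", "new-dev", "BR", day.replace(hour=3)), base)[0]]
    for i in range(4):   # someone holding the password keeps triggering prompts
        out.append(decide(Attempt("alice", "new-dev", "GB", day + timedelta(seconds=30 * i)), base)[0])
    return out
```

Running `demo()` yields allow, block, three step-ups and then a block once the prompt count crosses the flood limit.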
Less than half of IT teams use identity security controls on enterprise-provided user machines. This leaves workstations, servers and virtual machines open to ransomware, phishing or other endpoint-focused attacks. It only takes one unprotected device to be the start of a ransomware attack.
The defensive team: Organizations can blend adaptive MFA with endpoint rights controls to help manage risks arising from a hybrid work environment where any user’s workstation can be a target.
High-risk enterprise applications
Businesses have many amazing applications at their fingertips, with the average user having access to 5-10+ high-value business apps. These contain sensitive resources such as customer information, intellectual property and financial data, making them a prime target for attackers. Unfortunately, 80 percent of businesses have encountered users who misused or abused these apps in the past year. Simply requiring a login is not enough to keep them safe – the moment a user walks away from the screen while still logged in, all that valuable data is exposed.
The defensive team: a login only verifies a user’s identity at one point in time – so effective security controls here continue to monitor, record and audit user actions after authentication. Improving the visibility available to security teams offers many benefits, including being able to identify the source of a security incident (and therefore respond) much more quickly.
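One way to turn that point into a control, as an added example that is not from the original article or from CyberArk: every post-login action passes through a session gate that expires idle sessions (the walked-away screen), records an audit trail, marks sensitive actions for review, and raises an alert on an unusual export volume. The timeout, the sensitive-action list and the volume threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)             # assumed policy value
SENSITIVE = {"export_customers", "view_financials", "change_role"}   # assumed list

@dataclass
class Session:
    user: str
    started: datetime
    last_seen: datetime
    active: bool = True
    audit: list = field(default_factory=list)    # (when, action, count, level)

    def record(self, action: str, when: datetime, count: int = 1) -> str:
        """Gate one action after login: expire idle sessions, log the rest, flag sensitive ones."""
        if not self.active:
            return "rejected: session ended"
        if when - self.last_seen > IDLE_TIMEOUT:
            # Nobody touched the session for longer than policy allows: end it, force re-auth.
            self.active = False
            self.audit.append((when, "session_expired_idle", 0, "info"))
            return "rejected: idle timeout, re-authenticate"
        self.last_seen = when
        level = "review" if action in SENSITIVE else "info"
        if action == "export_customers" and count > 500:
            level = "alert"                      # unusual volume: raise to the SOC immediately
        self.audit.append((when, action, count, level))
        return level

def alerts(session: Session) -> list:
    """Entries a security team should look at first."""
    return [e for e in session.audit if e[3] == "alert"]

def demo():
    """Constructed scenario: normal use, a large export, then activity on an abandoned screen."""
    t0 = datetime(2024, 3, 4, 9, 0)
    s = Session("alice", t0, t0)
    out = [s.record("open_dashboard", t0 + timedelta(minutes=1)),
           s.record("export_customers", t0 + timedelta(minutes=2), count=20),
           s.record("export_customers", t0 + timedelta(minutes=3), count=5000),
           # user walks away; someone uses the still-open screen 40 minutes later
           s.record("view_financials", t0 + timedelta(minutes=43)),
           s.record("view_financials", t0 + timedelta(minutes=44))]
    return out, len(s.audit), len(alerts(s))
```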
Third Party Providers
Almost all businesses benefit from using third-party tools, but these also present risks, as integration often requires creating superuser access to customers’ systems. Unfortunately, this is a growing attack vector, with over 90 percent of organizations experiencing a security incident linked to an external partner.
The defensive team: it is important to strike a careful balance between security and productivity, as it makes no sense to cripple the purpose of the third-party product with excessive security. Finding a way to systematize third-party privileged access control and monitoring will go a long way—especially if it can be done without relying on VPNs, passwords, or agents.
Credentials that live outside of single sign-on
We already know that the key to reducing identity compromise is to properly secure user credentials. This is most effective through single sign-on (SSO), but with the different services used by each individual, you often end up with many apps and logins outside of that environment, and some apps simply don’t support modern context-based authentication. To make matters worse, these logins and passwords are often stored in insecure locations or shared between colleagues for convenience.
The defensive team: where SSO cannot be implemented, it is important that all users have access to strong enterprise-grade vault-based password storage. We know that any user can become privileged under the right circumstances, so all of them should be protected with the same care as, say, an IT administrator. Not only does a password vault increase overall visibility and control for cybersecurity teams, it also makes life easier for users by capturing and retrieving credentials automatically as needed.
Build up the defensive teams
In the process of stacking these defensive layers, it is important to consider the details of each organization’s attack surface. Approaching user security more holistically, layer by layer, and with a zero-trust attitude top-of-mind enables the development of more robust defenses in general.
David Higgins is the Senior Director of the Field Technology Office at CyberArk