Time to Rethink Layered Security

When defending territory, armies deploy multiple layers of defense against attackers. They may plant mines in the path of invaders, followed by booby trapped trenches, with fortifications and troops and other resources deployed not only along the front line, but for some distance behind the front line.

Similarly, air and missile defense systems will have different types of defenses that can stop hostile aircraft or missiles at long, medium, and short range, and potential target areas may have bomb shelters to protect people from any hazards that penetrate the defenses.

Cybersecurity also relies on a layered approach to ensure that if an attacker gets past one line of defense, something else can stop them and mitigate the damage they can do.

Different Approaches to Layered Security

Today, when we think of cybersecurity, we focus on technology solutions. But cybersecurity has always been more than only technology – it also includes physical security and administrative policies.

Physical security is clearly crucial to protecting your network. If an unauthorized individual can access a logged-in terminal, or a malicious insider could seize an opportunity to steal a laptop or external hard drive, your data and network are at risk. The philosophy of layering security should therefore also be applied to the physical realm. One layer could be limiting access to the building, the next layer could be requiring biometric access for sensitive areas such as server rooms, another layer could be security cameras and guards.

Administrative policies include layers of protective measures such as ensuring that only current employees have user IDs, setting and enforcing strict policies regarding which employees have access to what information, mandating training on company security policies, and more. Technological controls are often used to help manage and enforce administrative policies.

While physical and administrative security are critical, in the rest of this post, we’ll explore the technical side of layered security. We’ll focus on how changes in the way we work and changes in network architecture call for a reconceptualization of the layered security concept.

Old School Technology for Layered Security

Once upon a time, employees worked from company offices, using software and servers that were in the same physical location. Only a small percentage of users needed remote access, typically salespeople or service engineers whose jobs required being on the road. The layers of security were focused on securing the perimeter.

The model for protecting corporate assets through technological means was not that different than for physical protections. Like a castle with a moat, a drawbridge, troops atop castle walls, inner fortifications and an extra-secure treasury, typical technology included a firewall to block attackers, complex passwords, antivirus software for detecting known threat signatures, and user training.

The explosion of remote work in the wake of the COVID pandemic, coupled with the growth of SaaS and cloud computing has rendered the perimeter model completely obsolete. Increasingly sophisticated social engineering attacks, combined with novel AI-assisted malware development, has rendered many of the traditional layers ineffective.

Layered Security in a Zero Trust World

The threat environment today is very different than it was just five years ago. As we described in “The Complex New Normal of Network Access” users can be in or out of the office, accessing data that is either in (on the company network) or out (in the cloud). The four scenarios in this structure each present unique challenges from a security standpoint.

Instead of thinking about deploying multiple layers to protect a sensitive center, we propose a conception of layers that is based on key Zero Trust principles:

• Identification and authentication: Are you really who you say you are?
• Protecting users from threats
• Protecting apps from overprivileged access and threats
• Mitigating potential damage
• Recovery

Identification and Authentication

It used to be that complex passwords, changed on a regular basis, were considered adequate to verify identification. That no longer holds true. User credentials can be – and often are – purchased on the dark web. Social engineering methods are highly effective at convincing people to provide their passwords. Cheaper computing power makes brute force attacks feasible, especially when some users still choose passwords that aren’t sufficiently complex. Many companies are moving from passwords to passkeys, which are considered inherently more secure.

More commonly, multifactor authentication (MFA) is added as a second authentication layer. MFA requires an additional factor beyond a password, such as a code from an SMS to the user’s phone, an authenticator code or a biometric identification, to log in. IP-based access can be added as yet an additional layer.

MFA, however, is not foolproof. Care must be taken that cybercriminals can’t easily social engineer their way around an MFA reset, as Caesars Entertainment learned the hard way, or intercept session cookies after the user has provided the additional factor.

Using a Cloud Access Security Broker (CASB) can ensure that the same identification controls are applied to cloud resources, as well as allowing for the application of other administrative controls to cloud resources.

Protecting Users from Threats

Malware delivered via phishing attacks is still the leading vector for cyberattacks. While user training is a standard first line of defense against phishing attacks, it is woefully inadequate on its own. Study after study shows that some percentage of trained users will fall for sufficiently sophisticated phishing emails. Given the huge number of phishing emails received each day, the odds are against any organization avoiding user clicks.

Remote Browser Isolation (RBI) is a Zero Trust way to protect users from malicious links. With RBI the browser being used to access a web site is a virtual one, located in an isolated container in the cloud. On their device browser, the user interacts with a rendering of the site. No actual code can reach the user’s device.

Ericom’s Secure Web Gateway (SWG) combines RBI with Content Disarm and Reconstruction (CDR), technology that removes any potentially dangerous active elements from email attachments.

Another advantage of this isolation-based SWG implementation is that it is clientless, so no special software needs to be installed on user devices.

Protecting Apps from Threats

In addition to protecting users from malicious websites or downloads, it is important to protect organization apps from threat actors and malware that might be transferred from user devices.

Web Application Isolation (WAI) is similar to remote browser isolation but works in reverse. A firewall provides one layer of protection for resources on your servers, but software vulnerabilities can still be exploited. With WAI user interactions with your applications are via rendered versions: They have no direct access to the application surface. Should your application have a vulnerability, a threat actor would not be able to “see” it, much less exploit it. If a user device was infected with malware, it could not reach your network via your application.

A CASB gives companies the ability to extend their data loss prevention (DLP) tools and policies to cloud-based resources.

Mitigating damages

Even organizations with the most security-conscious IT departments can fall victim to a successful cyberattack. When that happens, it’s important to rapidly minimize any damage. The first layer of protection involves restricting user access to only the data and applications that each individual needs to do their job, a Zero Trust principle known as “least privilege access.” Special care needs to be taken with admin and super admin accounts to make sure they cannot be exploited.

Microsegmentation works hand in hand with least privilege access. Microsegmented network architectures minimize east-west traffic (traffic between servers), further limiting the harm that a cybercriminal can do.

Least privilege access and microsegmentation are the “bomb shelters” of cybersecurity. They do not directly stop an attack, but they can successfully prevent or minimize damage from an attack.

Recovery

The last fallback, if everything else has failed and a cyberattack has compromised your network is a proper backup protocol. It should include offline storage that cannot be compromised and locked up in a ransomware attack, with frequent backups so little data is lost in the event of an attack.

Conclusion

Layered security is a concept that has been around for a long time. Militarily, it has probably been around as long as armies have gone to war. In the cybersecurity space, layered security has been deployed since the earliest days of the internet. With recent revolutions in network architectures and work patterns, old layers have been rendered obsolete and worse, ineffective. It’s time to rethink layered security in light of the new reality.

The easiest way to move to a state-of-the-art Zero Trust based approach to cybersecurity is with a comprehensive Security Service Edge (SSE) such as Ericom’s Cloud Security Platform, which is tailored the needs of small and midsize enterprises, and makes it quick and easy to install the layers relevant to today’s threat environment. Contact us today to discuss how to put our isolation-based solutions to work protecting your organization.

---

Share this on:

---

About Nick Kael

A cybersecurity expert with over 20 years of experience in web technologies, architecture, infrastructure, networking and dev environments, Nick is responsible for solution management, technology strategy and technology partnerships. Nick was previously Symantec Group CTO for Global Service Providers, following his tenure as Director of the Chief Architect Team for Channel and Service Providers at Zscaler and an earlier position in the Symantec CTO organization. His certifications include CEH7, CCSK, BCCPP, Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5 and VTSP5.