Banks learned long ago not to rely on one lock, one gate or one guard for protection. In the same way, IT security is never about one tool, one protocol or one software patch. Protecting modern IT infrastructures means blocking attack vectors at each layer of the stack (system, software and network), as well as defending against potential threats and detecting suspicious activity.
This security strategy, known as layered security, is the preferred approach of the military and government agencies such as the United States Department of Homeland Security. It rests on a proposition that no single security solution can protect against all threats.
Layered security can be visualized using the proven defense-in-depth model originated by the military. In this model, security controls are placed throughout the IT system to provide multiple layers of defense, thus protecting applications and data from a myriad of attacks. As the Department of Homeland Security states, “There is no single or set of defensive techniques or programs that will completely avert all malicious activities. Multiple defensive techniques and programs should be adopted and implemented in a layered approach to provide a complex barrier to entry, increase the likelihood of detection, and decrease the likelihood of a successful compromise.”
Layered security, also known as Defense in Depth, “employs a holistic approach to protect all assets, while taking into consideration its interconnections and dependencies, and using an organization’s available resources to provide effective layers of monitoring and protection based on the business’s exposure to cybersecurity risks,” according to the United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
CIOs wanting to create layered security often face the difficulty of coordinating the offerings of their various enterprise software vendors.
Fortunately, an entire ecosystem of layered security options – including end-point protection, application protection, network security devices, event correlation and process controls – can be combined to deliver a layered security strategy that provides comprehensive, enterprise-level protection with prevention, detection and response.
While the traditional ERP vendor support model generally focuses on the security of the vendor’s own platforms, third-party support providers such as Rimini Street can scrutinize the entire IT stack, including homegrown applications and software that is no longer supported by the vendor. This is important, since commercial products that are no longer supported or have a limited support lifecycle may never see another security patch.
A word about patching
The periodic software patches released by enterprise vendors dramatically complicate every effort to coordinate components into a coherent layered security structure. Not only are these updates sometimes late or incomplete, but the rounds of regression testing, downtime and business interruption they cause can be a significant burden for organizations. This likely explains why so many companies apply patches only occasionally, if at all. Delayed patching directly weakens system security, because attackers can exploit vulnerabilities that are already publicly known.
That is why we recommend “virtual patching” technologies that help recognize and block attempts to exploit software vulnerabilities whether they have been patched or not. For example, Rimini Street Advanced Database Security is enhanced with technology from McAfee, and is a virtual patching technology that I’ll say more about in a follow-up post.
Virtual patching is just one element of a layered security model, but it’s an important measure that organizations should be considering for their defenses.
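To make the idea concrete, here is an added example (written for this page, not code from Rimini Street, McAfee or any product the post mentions) of the mechanism virtual patching relies on: a filter placed in front of an application that still carries an unfixed vulnerability, which recognizes requests matching a known exploit pattern and blocks them until the real patch is deployed. The endpoints, rule names, version numbers, signatures and request lines are all constructed for illustration and do not describe any real product or vulnerability.

```python
"""
Added example (not part of the original post): a minimal virtual-patch filter.

A virtual patch is a rule applied outside the application (at a proxy, WAF or
database firewall) that blocks requests matching the way a known vulnerability
is exploited.  It buys time until the vendor fix is applied and retires itself
once the fixed version is running.  All rules, endpoints, version strings and
sample requests below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class VirtualPatch:
    name: str                # rule identifier (constructed)
    path_prefix: str         # only inspect requests under this path
    pattern: "re.Pattern"    # signature of the exploit attempt (constructed)
    fixed_in_version: str    # the rule is redundant once the app reaches this version


def version_tuple(v: str) -> tuple:
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


# Constructed rules: a hypothetical path-traversal hole in a report-download
# endpoint and a hypothetical SQL-injection hole in a search parameter.
RULES: List[VirtualPatch] = [
    VirtualPatch("VP-001-traversal", "/reports/download",
                 re.compile(r"(\.\./|%2e%2e%2f|%2e%2e/)", re.IGNORECASE), "2.4.1"),
    VirtualPatch("VP-002-sqli-search", "/search",
                 re.compile(r"(?:'|%27)\s*(?:or|union)\b", re.IGNORECASE), "2.4.1"),
]


def match_rule(target: str, app_version: str) -> Optional[VirtualPatch]:
    """Return the first rule that fires for this request target, or None.

    Rules whose fix is already deployed are skipped, so a virtual patch does not
    linger (and keep producing false positives) after the real patch lands.
    """
    for rule in RULES:
        if version_tuple(app_version) >= version_tuple(rule.fixed_in_version):
            continue
        if not target.startswith(rule.path_prefix):
            continue
        if rule.pattern.search(target):
            return rule
    return None


def filter_requests(requests: List[str], app_version: str) -> List[dict]:
    """Evaluate 'METHOD target' lines and return an audit record per request."""
    decisions = []
    for line in requests:
        _method, target = line.split(" ", 1)
        rule = match_rule(target, app_version)
        decisions.append({
            "request": line,
            "action": "block" if rule else "allow",
            "rule": rule.name if rule else None,
        })
    return decisions


# Constructed sample traffic (not taken from any real log).
SAMPLE_REQUESTS = [
    "GET /reports/download?file=q3.pdf",
    "GET /reports/download?file=../../etc/passwd",
    "GET /reports/download?file=%2e%2e%2fconfig.yml",
    "GET /search?q=shoes",
    "GET /search?q=' OR 1=1--",
    "GET /search?q=o'reilly",
]

if __name__ == "__main__":
    # Application still on the vulnerable version: the virtual patches are live.
    for d in filter_requests(SAMPLE_REQUESTS, app_version="2.3.0"):
        print(f"{d['action']:5} {d['rule'] or '-':20} {d['request']}")
```

Two design points matter in practice. First, signature rules like these are only as good as the normalization in front of them: a real deployment decodes and canonicalizes the request (URL decoding, case folding, path normalization) before matching, otherwise an alternative encoding slips past. Second, the `fixed_in_version` field is what keeps virtual patching a stopgap rather than a permanent substitute for the vendor fix: the rule is tied to the vulnerable version range and the audit record shows which rule fired, so the organization can see both that the exposure exists and when the compensating control stops being necessary.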
Where to start?
To implement or enhance a layered security model, evaluate each piece of your infrastructure. The essential steps are:
- Inventory (categorize and document what you have today)
- Configuration (a secure configuration is the best baseline)
- Access (correct provisioning and de-provisioning are key)
- Monitor and Audit (visibility and auditing to block current and future threats)
- Vulnerability Protection (reduce the surface area for attacks)
Note that while these components will be relevant in every environment, each should be tuned to the unique risk tolerance profile of the organization. Determining your organization’s risk profile – balancing Confidentiality, Integrity, and Availability – is a complex subject in its own right. For some excellent guidance, see ISACA’s “Key elements of an Information Risk Profile.”