Driving Change: Updating Defence in Depth for 2023 and Beyond

By James Rees, MD, Razorthorn Security

Here we are, at the end of 2023. It’s high time for updating defence in depth strategies across all organisations, and let me tell you why.

We’re all aware of the uptick in high profile cyber attacks and compromises, across all sectors. Ransomware specifically has caused more economic loss and pain for the business world than any other information security event previously, and attacks are speeding up at a steady rate with larger and larger targets and ransoms being asked.

Malicious actors are mobilising and becoming far more organised than ever before.

It’s time for the security community to catch up, and the business world has to support us in this endeavour because these attacks are not going to stop any time soon.

The Urgency to Catch Up: A Call to Action

I have spoken extensively with other information security professionals in the field; many more I have spoken to during interviews for our podcast, Razorwire, and it’s become apparent to all of us that we need to be updating defence in depth models, reviewing our countermeasures and placing significantly more emphasis on modern information security tooling. All alongside the usual robust GRC activities. In doing so, we can take steps to impede the operations of these coordinated malicious actors, harness emerging tools and solutions to bolster defences to swiftly and effectively adapt to the strategies employed by threat actors.

We also need to fill the huge skills gaps in our industry by mentoring and training up the next generation of security professionals. We have to do this soon, because the longer we delay, the bigger the advantage we hand to our adversaries. As I said – we have to step up.

As you may know, the defence in depth model is where we layer people, process and technologies to provide blended protection for the organisation we are protecting. It’s commonly represented either as an iceberg or an onion. Personally, I prefer an iceberg as it represents the layered security from the visible through to the invisible. 

This model has been used for many years and for most of that time the layers have stayed reasonably static, although as time and technology has changed and been further developed, the model has expanded exponentially. However, the fundamentals have remained constant.

Updating Defence in Depth Strategies

Given the rapid evolution of threats in recent years, it’s clear that we need to rethink and revise this model. For instance, one layer of the iceberg might be network security measures such as firewalls and intrusion detection systems. As more organisations move their operations to the cloud and adopt remote working policies, traditional network perimeters have become less relevant. We need to focus more on securing data wherever it resides and ensuring secure access regardless of location.

Furthermore, there’s a growing realisation that technology alone won’t solve our security problems. We need to put more emphasis on the human element – training employees to recognise and respond to attacks, fostering a security-conscious culture within our organisations and hiring or cultivating the right talent with a diverse range of skills.

Another layer might be incident response – having plans in place for how to react when an attack does occur. But with the rise of ransomware and other sophisticated attacks that can cripple an organisation’s operations for days or weeks at a time, we need to expand this layer to include business continuity and disaster recovery planning.

Lastly, in this article in any case, we should incorporate emerging technologies like artificial intelligence and machine learning into our defence in depth model. These can help us detect anomalies and unusual patterns that could indicate an attack much faster than human analysts could. They can also help automate routine tasks so that our security teams can focus on higher-level strategic work.

Conclusion: A Strategic Imperative for the Future

In conclusion, while the defence in depth model has served us well over the years, it’s time for a refresh. Our adversaries are constantly evolving their tactics and techniques – we must do the same if we hope to keep pace. It’s not just about adding more layers or buying more tools; it’s about thinking strategically about what each layer should consist of given today’s threat landscape.

As information security professionals, we must take the lead in driving these changes within our organisations. But, for this to be a success, we also need support from business leaders who understand that investing in security is not just a cost of doing business, but a strategic imperative for the survival and success of their organisations.

Contact us today to review your defence in depth strategy and find out how to strengthen your defences.