Cyber security defense in depth is an approach that emphasizes comprehensiveness through connected and overlapping systems rather than implementing individual protections piecemeal or as bare necessity dictates. The term is borrowed from military strategy and assures the most effective cyberdefense; it also carries special significance for government-related organizations.
What is Defense in Depth?
Put simply, defense in depth emphasizes depth over breadth in cybersecurity protection. But deep and enmeshed protections do not come at the expense of broad protection; instead, the goal is ensuring that cybersecurity controls connect and synergize “all the way down.”
To help you understand this approach to cybersecurity, this guide provides:
- A deep dive into the strategy’s origins and fundamentals
- An overview of one all-purpose framework that uses it
- A close look at regulatory requirements that involve it
To implement a defense in depth approach, get in contact with a security program advisor.
Defense in Depth Strategy: Origins and Fundamentals
The term “defense in depth” comes from military strategy. In this context, it refers to focusing on counterattacks and ceding one’s position to launch a counter more effectively.
In cyberdefense, however, it means layering interconnected protections. On their own, these protections may be effective at achieving a specific outcome. When a complex and sensitive outcome is desired, the controls work together to create a deeper and more effective defense.
For example, consider the following areas of cyberdefense implementation the Center for Internet Security (CIS) spotlights in an analysis of election security defense in depth:
- System-wide update and patch management
- Perimeter defenses, such as firewalls
- User authentication safeguards, like password complexity
- Detection and response for individual assets
- Network segmentation based on business needs
- Monitoring for and prevention of intrusions
- Limiting access based on the least privilege principle
All of these protections can be effective on their own. But they’re not defense in depth unless they work together and talk to each other. Network segmentation and firewalls isolate traffic streams; authentication and least privilege controls build on this to make monitoring for, detecting, and responding to intrusions much easier.
In this way, the network security, perimeter security, and asset security protections in a defense in depth program are all more effective, both individually and collectively, because of their connectivity.
In other words, the whole is greater than the sum of its parts.
Generalist Frameworks for Defense in Depth
Cyberdefense is the product of implementing a security program, and that program is typically built from, or developed in response to, cybersecurity frameworks. These may be requirements for a given industry or suggestions for best practices. One of the most prolific framework publishers is the National Institute of Standards and Technology (NIST).
NIST stipulates several guidelines that inform governmental, industry-specific, and other compliance requirements (see below for two examples of NIST compliance implications).
But NIST is also a great source for cybersecurity education: for learning what broad concepts mean and how they work in practice. To that effect, one particular NIST framework provides general, widely applicable examples of defense in depth strategy, both in theory (program design) and in practice (specific controls).
The NIST Cybersecurity Framework (CSF)
One of the most widely referenced cybersecurity texts is NIST’s Framework for Improving Critical Infrastructure Cybersecurity, also known as the Cybersecurity Framework (CSF).
The CSF does not explicitly refer to the Framework Core as a defense in depth strategy. It organizes controls into Categories and Subcategories in service of five core Functions.
Nonetheless, the Functions work together to create defense in depth, as follows:
Identify – 28 controls for monitoring for and identifying risks to your organization:
- Asset Management (ID.AM): 6 Subcategories
- Business Environment (ID.BE): 4 Subcategories
- Governance (ID.GV): 4 Subcategories
- Risk Assessment (ID.RA): 6 Subcategories
- Risk Assessment Strategy (ID.RM): 3 Subcategories
- Supply Chain Risk Management (ID.SC): 5 Subcategories
Protect – 34 controls for maintaining security and preventing attacks:
- Identity Management and Access Control (PR.AC): 7 Subcategories
- Awareness and Training (PR.AT): 5 Subcategories
- Data Security (PR.DS): 8 Subcategories
- Information Protection Processes and Procedures (PR.IP): 12 Subcategories
- Maintenance (PR.MA): 2 Subcategories
- Protective Technology (PR.PT): 5 Subcategories
Detect – 18 controls for detecting attacks and potential incidents:
- Anomalies and Events (DE.AE): 5 Subcategories
- Security Continuous Monitoring (DE.CM): 8 Subcategories
- Detection Processes (DE.DP): 5 Subcategories
Respond – 16 controls for quarantining and eliminating incidents:
- Response Planning (RS.RP): 1 Subcategory
- Communications (RS.CO): 5 Subcategories
- Analysis (RS.AN): 5 Subcategories
- Mitigation (RS.MI): 3 Subcategories
- Improvements (RS.IM): 2 Subcategories
Recover – 6 controls for longer-term continuity and stability:
- Recovery Planning (RC.RP): 1 Subcategory
- Improvements (RC.IM): 2 Subcategories
- Communications (RC.CO): 3 Subcategories
In this breakdown, the Functions are essential; in theory, any defense in depth program should account for them. The Categories, their Subcategories, and the Informative References for each point to multiple ways to achieve this in practice.
Compliance Implications of Defense in Depth
Organizations that work with the US military need to demonstrate defense in depth by implementing the Cybersecurity Maturity Model Certification (CMMC). Depending on what level is required, per their contract, they need to implement different sets of controls and perform self-, third-party, or government-led assessments annually or triennially.
CMMC Level 1 and Level 2 require implementing controls from NIST SP 800 171. Level 1 comprises 15 Foundational Practices, derived from SP 800 171’s Requirements. At Level 2, organizations will have to implement 110 total Practices for Advanced security, comprising all of SP 800 171. CMMC Level 3 will require implementing an as-yet undetermined number of Practices adapted from NIST SP 800 172 for Expert security. These protections build on the Basic and Derived Requirements in SP 800 171.
Taken together, these CMMC Practices constitute a compliant defense in depth for DoD contractors. You’ll need to layer NIST practices to work with the US military.
NIST SP 800 171: CMMC Levels 1 and 2
The breakdown of controls in NIST SP 800 171 is similar to the Framework Core of the CSF and uses some of the same terms. It comprises Basic and Derived Requirements, distributed across Requirement Families analogous to the CSF’s Categories.
The difference is that all Requirements are in service of the same function: protecting Controlled Unclassified Information (CUI). This is what defense in depth means for DoD contractors.
The controls in NIST SP 800 171 break down as follows:
- Access Control (AC) – 21 Requirements (2 Basic, 19 Derived) for limiting and monitoring access to CUI, beyond account and physical controls (IA and PE).
- Awareness and Training (AT) – 3 Requirements (2 Basic, 1 Derived) for training staff on security roles, responsibilities, and best practices to protect CUI.
- Audit and Accountability (AU) – 9 Requirements (2 Basic, 7 Derived) for consistent assessment of security systems and accurate reporting, as needed.
- Configuration Management (CM) – 9 Requirements (2 Basic, 7 Derived) for installing and maintaining secure settings across all CUI-related hardware and software.
- Identification and Authentication (IA) – 11 Requirements (2 Basic, 9 Derived) for controlling user accounts, including credentials and access permissions.
- Incident Response (IR) – 3 Requirements (2 Basic, 1 Derived) for responding to threats, attacks, and other cybersecurity incidents to ensure full and swift recovery.
- Maintenance (MA) – 6 Requirements (2 Basic, 4 Derived) for repair and remediation to be conducted at regular intervals and after special events.
- Media Protection (MP) – 9 Requirements (3 Basic, 6 Derived) for safe storage, handling, processing, and destruction of any media containing or connected to CUI.
- Personnel Security (PS) – 2 Requirements (both Basic) for screening anyone who comes into contact with CUI, including personnel, visitors, and other individuals.
- Physical Protection (PE) – 6 Requirements (2 Basic, 4 Derived) for restrictions and limitations on physical and proximal access to CUI and environments containing it.
- Risk Assessment (RA) – 3 Requirements (1 Basic, 2 Derived) for testing, monitoring, and managing all threats and vulnerabilities that could impact CUI.
- Security Assessment (CA) – 4 Requirements (all Basic) for assessing the overall effectiveness of security systems’ design and application and adjusting if necessary.
- System and Configurations Protection (SC) – 16 Requirements (2 Basic, 14 Derived) for segmentation, encryption, and other methods for secure communication.
- System and Information Integrity (SI) – 7 Requirements (3 Basic, 4 Derived) for preventing and correcting flaws, malicious code, and other threats.
Note that the 15 Practices required for CMMC Level 1 assessment are adapted from both Basic and Derived Requirements in select families. Organizations should also be prepared for full implementation of all NIST SP 800 171 Requirements at Level 2.
NIST SP 800 172: CMMC Level 3
As noted above, the specific scope of defense in depth at CMMC Level 3 has not been determined yet. What is known is that organizations will have to implement all Requirements from NIST SP 800 171, along with a selection of controls from NIST SP 800 172.
SP 800 172 builds on the same Requirement Families from above, adding Enhanced Requirements to the Basic and Derived Requirements of SP 800 171.
In total, SP 800 172 comprises 35 Requirements:
- 3 AC Enhanced Requirements
- 2 AT Enhanced Requirements
- 3 CM Enhanced Requirements
- 3 IA Enhanced Requirements
- 2 IR Enhanced Requirements
- 2 PS Enhanced Requirements
- 7 RA Enhanced Requirements
- 1 CA Enhanced Requirement
- 5 SC Enhanced Requirements
- 7 SI Enhanced Requirements
The Enhanced Requirements add to the depth achieved through NIST 800 171 with greater connection and synergy across all Families. What this means is that maximum defense in depth for DoD compliance, at present, will require implementing up to 145 unique Practices.
The best way to prepare for this, at any level, is to work with a CMMC advisor.
Optimize Your Defense in Depth Strategy
Defense in depth is one of the most effective approaches to overall cyberdefense. It borrows concepts from military strategy, and the way these apply to cybersecurity has been laid out in generalist security frameworks from NIST. Defense in depth also has compliance implications, particularly for organizations that work with the military or other parts of the US government.
RSI Security will help your organization meet compliance requirements that apply to you, or implement and manage a defense in depth program for greater overall cybersecurity.
To rethink your cybersecurity operations, get in touch today!