TEN LAYERS OF DEFENSE
This page is an expansion of the article in the December 2024 issue of ISE magazine, linked below:
To our knowledge this is the first comprehensive methodology for complete, holistic and multi-layer cybersecurity.
It will continue to be developed from the original article and is cognizant of the constraints of smaller organizations as covered in our SMB page.
This page is a partner to our Virtual Chief Security Officer Service. While this page is informative, the VCSO service is transformative in that it actually implements the work shown here.
Introduction
Every day, articles on cybersecurity give quick advice – two or three things “you must do.” Just this fall, CISA published “Four Easy Ways to Protect Your Business”. Even CISA’s NSTAC 5 Step Zero Trust Report only addresses some of the issues covered here. All are great, and many are aligned with this page.
However, not one such source provides a simple and comprehensive plan of action that builds defenses for the entire organization, one step at a time, significantly reducing risk at low cost. This is exactly the intention of this page.
Multi-Layer Security: because you're only as strong as the weakest link.
Here, we have organized the most important best practices in ten defensive layers. Simply, if one layer is breached, then there’s another immediately behind it. In addition, we follow the two principles of Zero Trust: “Never Trust, Always Verify” and “Assume Breach.”
Cybersecurity lives in the world of “you’re only as strong as your weakest link.” So, while 10 layers of defense are required, there’s no escaping that many actions are involved as each weak link is strengthened. What this approach brings is a sense of order and reduced stress, all at very little external cost! Okay, enough preamble, let’s start with the first and most important layer.
1st Layer of Defense
Executive Commitment
All good defense is built on a solid foundation. So, the first layer of defense is exactly that:
- A commitment to, and realization that, cybersecurity is not just an IT issue leads necessarily to executive-level responsibility for cybersecurity. It impacts the entire organization’s business, legal and financial operation, and executive leadership, by definition, should provide oversight and take responsibility. Without this commitment, the organization has a high probability of failure.
- Now defenses can be built on the solid structure of a written Security Policy encompassing the whole organization. It provides the context for all subsequent work.
- As defenses mature, an ongoing, measurable Security Plan of required actions reflects the requirements of your business, systems, and networks.
These two documents will be central to both regulatory compliance and competitive positioning.
There is no escaping that good cybersecurity hygiene must now be a way of life, just like anti-lock brakes, seatbelts and air bags are in your car.
2nd Layer of Defense
Asset Curation or Stewardship
Protection of all assets (data, systems and software) is critical. Encryption is key for critical customer data, intellectual property, etc., mitigating theft. If you have operational devices, their software and data must also be encrypted. This effectively defines what is known in Zero Trust as the “Protect Surfaces.”
Automated updates of software, network devices, and end-user systems minimize human errors and accelerate fixing newly discovered attacks. Segmenting and hiding network and data elements nullifies attacks. If they can’t find it, they can’t break it.
Backups are often the threat actors’ primary target. Key to asset management is backing up data, software, user and system information and disconnecting it from the rest of the system and the Internet to eliminate outside access. This prevents actors from corrupting even encrypted data.
Defense of, and resilience of, mission-critical data is never complete until the backups have been restored and their content verified as valid and free of “foreign objects” (i.e., malware!).
All these actions should be costed to understand the impact of breach, loss and corruption, and therefore to understand the Threat Tolerance, i.e., what the organization can afford to build into the Security Plan over time.
Relationship Between the First Two Layers of Defense
3rd Layer of Defense
System Access
Next, ensure defense from illicit user access. Anyone inside or outside the organization must use multi-factor authentication, MFA/Passkeys, and strong passwords. Human resources must vet employees and contractors, building and executing ongoing training to guard against insider threats and social engineering of key staff.
HR must remain vigilant as this is not a one-time task. Users of the systems must only be given sufficient privilege to undertake their assigned tasks. No exceptions – even executives.
4th Layer of Defense
Policy Management
Identity, authentication, privilege, and access control management. HR must ensure that every user (including executives) may only have sufficient privilege to undertake their tasks (known as Least Privilege) and may only access systems from approved equipment at approved locations, on approved networks and allowed times. This goes for all third-party contractors, devices, and software.
This is the basis for Zero Trust Policy Management and Enforcement. This is also the place to understand how to architect the system: understanding where transactions flow through the system reveals where enforcement needs to happen. How much will be cloud based? How will service providers that implement these functions be used? Selection of tools for this defense, if needed, is part of the Virtual CSO service, varying from the use of standard system software to more sophisticated tools such as Universal Zero Trust Network Access.
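To make the policy decision described above concrete, here is an added illustration (not code from this page or from any vendor) of a deny-by-default check that combines Least Privilege with the approved-device, approved-location, approved-network and allowed-time constraints; all roles, users, devices and sample requests are constructed assumptions.

```python
"""Zero Trust access policy check: least privilege plus device, location,
network and time constraints. Added illustration; all data is constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    action: str        # e.g. "read" or "write"
    resource: str      # a named Protect Surface, e.g. "ledger"
    device_id: str
    location: str
    source_ip: str
    when: datetime


# Constructed policy: privileges per role, and per-user approved devices/locations.
ROLE_PERMISSIONS = {
    "accountant": {("read", "ledger"), ("write", "ledger")},
    "executive": {("read", "ledger"), ("read", "customer-db")},  # no write, even for executives
}
APPROVED_DEVICES = {"alice": {"laptop-0471"}, "ceo": {"laptop-0009"}}
APPROVED_LOCATIONS = {"alice": {"HQ", "home"}, "ceo": {"HQ"}}
APPROVED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
ALLOWED_HOURS = range(7, 20)  # 07:00 to 19:59 local time


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Deny by default: every check must pass ("Never Trust, Always Verify").
    Returns (allowed, reasons) so each denial can be reported to monitoring."""
    reasons = []
    if (req.action, req.resource) not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append(f"role '{req.role}' lacks {req.action} on {req.resource}")
    if req.device_id not in APPROVED_DEVICES.get(req.user, set()):
        reasons.append(f"device {req.device_id} not approved for {req.user}")
    if req.location not in APPROVED_LOCATIONS.get(req.user, set()):
        reasons.append(f"location {req.location} not approved for {req.user}")
    if not any(ip_address(req.source_ip) in net for net in APPROVED_NETWORKS):
        reasons.append(f"source {req.source_ip} is not on an approved network")
    if req.when.hour not in ALLOWED_HOURS:
        reasons.append(f"access at {req.when:%H:%M} is outside allowed hours")
    return (not reasons), reasons


# Constructed sample requests: one fully compliant, one an executive breaking every rule.
SAMPLE_OK = AccessRequest("alice", "accountant", "write", "ledger", "laptop-0471",
                          "HQ", "10.1.2.3", datetime(2024, 12, 2, 9, 30))
SAMPLE_EXEC = AccessRequest("ceo", "executive", "write", "ledger", "laptop-0009",
                            "home", "203.0.113.5", datetime(2024, 12, 2, 23, 15))
```

Run `evaluate(SAMPLE_EXEC)` to see that an executive is denied with four separate reasons, each of which is a reportable event for the monitoring layer.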
5th Layer of Defense
Organizational Integrity
Addressing departmental and external vulnerabilities: best practices across every area of the organization, including outsourced functions and contractors. It’s easily forgotten that every organization uses third parties and their software. It must fall upon the executive responsible for security to oversee all manner of third parties who have access to sensitive information.
For example, recruiting companies, CPA, web hosting companies, legal firms, external network service providers, etc. must all be verified. No potentially weak link may be trusted—ever.
This is at the heart of holistic security that addresses potential weak links across the organization – not just within IT. Use of third-party service providers and Cloud providers is part of this defense.
Holistic Cybersecurity Defense - Department-by-Department
6th Layer of Defense
Supply Chain Management
Supply Chain Security: Even the largest companies are guilty of not collaborating to continually validate their supply chains’ organizations, processes, products or services. Suppliers and customers have a shared responsibility.
“Never Trust, Always Verify” governs this defense so that responsibility can be delegated, not abdicated. The supply chain is anyone providing a service, product or software that is not under your immediate control.
7th Layer of Defense
Basic Software Protection
It was important to first establish best-practice defensive measures. Beyond backups, these required no additional outside spend.
Now we can turn to defenses which are likely already included via software subscriptions, i.e., basic anti-phishing, anti-malware, firewalls and VPN. Free or low-cost password managers are also a good idea, as are low-cost identity managers. This essential software is the necessary next layer of defense.
Basic Threat Prevention Software Defense
8th Layer of Defense
Breach Defense
So far, the defenses here have primarily been to guard against attacks to the “system” and its users. Now it’s time to apply the Zero Trust principle “Assume Breach.” Even if, for whatever reason, the previous layers of defense have been breached, then it’s required to detect and remove threats that are already in the network or system.
Most ransomware attacks are of this advanced, complex nature and are explained in our cyberpedia. When penetration occurs, malware looks for weakness, lies in wait until signaled by its host, and then uses illicit software to move to areas of weakness and begin the attack.
I have deliberately not used technical terms here because there is Detection and Response software available to detect and remove such attacks. The choices and areas of enforcement vary and are an important aspect of our Virtual CSO function: deciding which of the literally thousands of defensive tools, if any, will be part of the security plan.
9th Layer of Defense
Monitoring & Measurement
Monitoring everything above should be automated. It’s a critical element of the defense. Both software and procedures must report when people or processes are not within policy, when people or systems are blocked, anomalies occur, and when overall risk improves, reporting it to a dashboard.
Risk reduction (using CybyrScore) and the cost benefits achieved are measured. Each advance is measured as risk decreases and new recommendations are adopted as part of the Security Plan.
10th Layer of Defense
Vigilance
None of these defenses are one-offs. Like it or not, good cybersecurity has now become a way of business and personal life. Awareness of new threats, ongoing adaptation of policies, techniques, improvements and compliance to new regulations, and careful adoption of GenAI will be a constant part of your defense. Part of our role is to highlight the most noteworthy of the thousands of news items each month and more than 400 cybersecurity terms as they evolve.
Conclusion
Implementing these defenses is part of our Virtual CSO service. Each advance is measured as risk decreases and new recommendations are made. The intention of this article was to create an implementable structure to reduce your risks across your organization at very limited cost. Inside these 10 layers of defense are the detailed actions, kept to about 30 on this page.
This structure fulfills another important function: the reduction of stress on the systems and the individuals responsible for cybersecurity. Without structure and process for so many moving parts and people, stress and human error become inevitable. See more on this in the Hidden Power of Zero Trust.
Sharing these ideas is important, but implementing them with you is why we created our Virtual CSO service described at cybyr.com/vcso. Unlike general guidance, where you are left to figure out what to do and how to do it, the purpose of our Virtual CSO service is to chaperone the actions discussed on this page by taking them for you and with you so that they become part of your system.
The intention of this page is to create an implementable structure to reduce risk. We hope that has been achieved so you can look forward to a secure 2025.