How defence in depth can outwit cyber attacks


By Teemu Myllykangas 

It’s a challenge every security practitioner knows well. As defenders of the company network, we need our protection mechanisms to succeed everywhere, all of the time. Meanwhile, our adversaries only need to succeed in one place and at the time of their choosing.


This conundrum is known as the defender’s dilemma. Considering this dilemma, it’s not hard to understand why companies seem to be fighting a losing battle with attackers. With constant news of data breaches and other successful cyber attacks hitting the news, the odds are seemingly in the adversary’s favour.

The attacker’s dilemma 

But it’s not time to throw up our hands. There is a strategy that can be employed to turn this dilemma on its head. It involves forcing unwanted intruders to jump through several more hoops to make their attacks successful – making that a lot less likely to happen.

This strategy is defense in depth, and it is sometimes compared to a castle. As with a castle, not just one but several layers of protection stand at the ready. Should an attacker penetrate one layer, other layers are in place to stop further advances. Each layer plays a specific role, protecting in its own way, as part of a greater whole.

Several layers of security mean that an attacker must get it right multiple times for the attack to succeed. That means not only more barriers for the attacker, but more opportunities for detection: more trip wires for the attacker to run into. The defender’s dilemma becomes the intruder’s dilemma.

Not only that, for each hurdle the attacker must overcome, the attacker’s cost structure increases. The attacker must put more time, energy and money into breaching your company, which works as a deterrent.

Defending the castle 

Which layers make up an effective security program employing defense in depth? If we return to our castle analogy, we have the castle wall.

Vulnerability management plugs holes in the castle wall so threats cannot slip in through the cracks. Then there’s the drawbridge, where gateway protection stops all visitors, lowering only for those deemed appropriate. Inside the castle are various structures. Endpoint protection guards each of these to protect from individual compromise. And should all of these layers fail and a threat somehow penetrate the fortress, detection and response alerts the guards so the threat can be eliminated.

With GDPR having come into force this year, these layers aren’t just “nice to have.” Security-wise, the GDPR does not detail specific requirements for keeping data safe. But because implementing solid security practices is critical to protecting data and being compliant, a comprehensive security program encompassing threat prediction, prevention, and breach detection and response should be in place. Each of these is a critical part of that program and of GDPR compliance.

At F-Secure we like to say that the best response to cyber threats is to foresee them. Vulnerability management is the step where we correct weaknesses in the company network before they can be exploited.

The general idea of the castle wall still holds true, but the analogy of a single wall was more appropriate ten or fifteen years ago, when the network perimeter was more stable and clearly defined. Back then, an IT admin only needed to worry about desktops, laptops and servers.

In contrast, today’s organisational IT assets can include virtual machines, cloud and on-premise devices and services, IoT devices, BYOD devices, and even operational technologies to take care of. The network perimeter is in flux, and securing it requires a different approach compared to years ago. Cyber security has grown considerably more complicated.

Lower your cost, raise your attacker’s cost 

The great thing about vulnerability management is that it’s an opportunity to significantly lower the cost of security. It’s far less costly to deal with security before serious problems arise than during a crisis or incident recovery. After all, known vulnerabilities and their exploitation are still the root cause of most breaches. And the majority of exploits are based on vulnerabilities already known to security practitioners for at least a year.

Not only does vulnerability management lower costs for your organisation, but it raises the cost structure for an attacker. This is exactly what we’re after. An attacker needs to be able to find a vulnerability, despite your company having a vulnerability management platform in place. Because you’re finding and fixing known critical vulnerabilities, the attacker needs to work harder. He or she must spend more time and money to find a way in. Should the intruder still manage to do so, if you’re fixing vulnerabilities and misconfigurations on internal-facing systems, he or she will encounter fewer opportunities for lateral movement.

What to look for in a VM tool 


As the initial step in the modern cybersecurity defense program, a good vulnerability management platform, such as F-Secure Radar, offers first of all visibility. If you don’t know what you have, you can’t protect it.

With the complexity of today’s network infrastructure, it’s all too common to have forgotten shadow IT assets lurking in dusty corners. It’s important to gain visibility into what kinds of devices and assets you have, and what their vulnerability status is.

Once we know what our attack surface looks like, we can begin to check for flaws in it. This is where scanning comes in – we scan systems and web applications for publicly known vulnerabilities. With Radar for example, we can scan systems such as web servers, firewalls, email servers and gateways, routers and switches, domain controllers, DNS servers, antivirus gateways, and workstations – and the software and operating systems on them. We can also check both commercial and custom web applications. New applications still in development can be scanned to catch vulnerabilities before they can cause problems later.

A solid vulnerability management platform will also include credible reporting, as well as a way to streamline the workflow. This means management of tickets, automation of scheduled scans, and assignment of vulnerabilities for prioritized patching.
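The three capabilities described above (asset visibility, scanning for known flaws, and a workflow that assigns prioritised findings to owners) are easy to see in a small triage script. The following is an added example and not code from F-Secure Radar or any other product: the inventory, scan findings, host addresses and `VULN-nnnn` identifiers are all constructed placeholders, and the risk weighting (doubling the score for internet-facing hosts and multiplying by 1.5 for flaws public for a year or more, reflecting the point that most exploitation relies on vulnerabilities known for at least a year) is a hypothetical policy, not any vendor's scoring scheme.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str            # team that receives the patching ticket
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    ip: str
    vuln_id: str          # placeholder identifier, not a real CVE number
    cvss: float           # base score 0.0-10.0
    published: date       # date the weakness became publicly known


# Constructed inventory: what the organisation *thinks* it owns.
INVENTORY = [
    Asset("web-01", "10.0.0.10", "web-team", True),
    Asset("mail-01", "10.0.0.20", "infra-team", True),
    Asset("dc-01", "10.0.1.5", "infra-team", False),
]

# Constructed scan output: what the scanner actually reached.
FINDINGS = [
    Finding("10.0.0.10", "VULN-0001", 9.8, date(2017, 3, 1)),
    Finding("10.0.0.10", "VULN-0002", 5.3, date(2018, 9, 1)),
    Finding("10.0.1.5", "VULN-0003", 8.1, date(2016, 6, 1)),
    Finding("10.0.2.77", "VULN-0004", 7.5, date(2018, 1, 1)),  # host nobody recorded
]

# Constructed "today" so the example is reproducible.
TODAY = date(2018, 10, 1)


def shadow_assets(inventory, findings):
    """Addresses the scanner reached that are missing from the inventory.

    These are the forgotten shadow IT hosts: they need an owner before
    their findings can be assigned to anyone.
    """
    known = {a.ip for a in inventory}
    return sorted({f.ip for f in findings} - known)


def risk_score(finding, asset, today):
    """Hypothetical weighting: CVSS scaled by exposure and by age of disclosure.

    Internet-facing hosts count double; flaws public for a year or more get
    a 1.5x factor, since old unpatched criticals are the likeliest entry point.
    An asset of None (unknown host) is treated as internal exposure.
    """
    exposure = 2.0 if (asset is not None and asset.internet_facing) else 1.0
    age_days = (today - finding.published).days
    age_factor = 1.5 if age_days >= 365 else 1.0
    return round(finding.cvss * exposure * age_factor, 2)


def triage(inventory, findings, today):
    """Build per-owner ticket queues, highest risk first.

    Findings on hosts that are not in the inventory land in an 'unassigned'
    queue so they are visible rather than silently dropped.
    """
    by_ip = {a.ip: a for a in inventory}
    tickets = {}
    for f in findings:
        asset = by_ip.get(f.ip)
        owner = asset.owner if asset else "unassigned"
        tickets.setdefault(owner, []).append((risk_score(f, asset, today), f.vuln_id, f.ip))
    for queue in tickets.values():
        queue.sort(reverse=True)   # tuples sort on the score first
    return tickets


if __name__ == "__main__":
    print("shadow assets:", shadow_assets(INVENTORY, FINDINGS))
    for owner, queue in triage(INVENTORY, FINDINGS, TODAY).items():
        print(owner)
        for score, vuln_id, ip in queue:
            print(f"  {score:6.2f}  {vuln_id}  {ip}")
```

Run as a script it lists `10.0.2.77` as a shadow asset, puts the year-old critical on the internet-facing web server at the top of the web team's queue, and parks the unknown host's finding under `unassigned` for follow-up. Scheduling the scan and feeding these queues into a ticketing system is the automation the paragraph above refers to; the scoring policy is the part each organisation has to decide for itself.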

In summary, rapidly changing, complex business IT environments lead to a broad attack surface. Only constant scanning and ruthless control can help you find vulnerabilities before anyone else does, lowering your security expenditures and raising the bar for attackers, making it harder to breach your business.

Teemu Myllykangas is F-Secure Corporation’s Solution Director (Radar).