Quick disclaimer: We won’t be talking about specific security tools in this post, because, as you will see, layered security isn’t about specific tools. It’s about building visibility into your network, and since your network is unique, the tools that make sense for you might not make sense for someone else.
That said, layered security makes sense for everyone. Implementing it is one of the suggestions often given to people looking to improve the protection of their network. It’s one of the security mindsets we recommend adopting in our ebook.
So, what is layered security? It’s about three things:
Detection and protection are the obvious things that every network needs and should already have. It’s the things that sit on the edges of the network, trying to keep bad guys and bad software out. It’s traditional firewalls and intrusion prevention systems on the outside; it’s intrusion detection systems and anti-virus software on the inside. And, if you can afford it (and afford to manage it), it’s also visibility with tools like a SIEM, collecting and correlating data from endpoints, switches, and everything in between.
Disruption is about protecting yourself inside the network, making it harder for somebody who’s gotten in to move around. And before you balk and say “If I’m doing my job right, no one unauthorized will get in,” stop. It’s time to adopt the “assume breach” mentality. Operating with the assumption that you won’t be able to keep every criminally minded person out means you’ll be able to think more clearly about how to disrupt them when they do get in.
It’s the comprehensive nature of layered security that makes it effective. Unfortunately, it’s also what makes it expensive. That’s why, even though it’s good advice, it’s a bit impractical for smaller businesses. They simply can’t afford all the things they would need to truly layer security throughout their network.
So, what to do? Assuming that detection and protection are taken care of, they should focus on disruption. And specifically focus on protecting their most important assets first.
But what are the most important assets? That’s going to depend on who in the company you ask. We will naturally consider the things we are closest to most important. The biggest challenge will be narrowing your list of “most importants” down since a case could be made for almost anything.
“Hey, we need our accounting server.” Well, yes, but you could probably back up your accounting server. If somebody takes your intellectual property, that’s a different story.
Often, identifying your most important assets is something best done by a committee that’s looking at everything critically and asking the question: “What piece of information would be the most harmful in the wrong hands?”
Determining the tools
Once you know the assets you want to protect, then you can pick the tool.
If your most important asset is intellectual property that lives on developers’ laptops, your focus won’t necessarily be one big SIEM appliance or that kind of network-wide visibility. Given that you’ll have to prioritize under budget constraints, you will probably want host-based solutions to protect and monitor the laptops instead. Right? Your priorities determine your tools.
Think of the company assets like a bullseye. In the center you have the asset you’ve identified as most important. You protect that first then move to the next ring out, whatever is next on the most-important list. Once that’s protected, you move to the next ring, and so on, and so on.
It may take a few months or a few years, but eventually you will reach that final ring and will have layered security throughout your network.
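The bullseye exercise above (rank assets by how harmful they would be in the wrong hands, discount the ones you could simply restore from backup, then let each asset’s location decide the kind of control) can be written down as a small scoring model so the committee argues about ratings rather than about wording. The following is an added example, not code from the original post or from any product; the weights, the asset inventory, the `lives_on` categories and the `CONTROL_FOCUS` mapping are all constructed for illustration, and a real inventory would use the committee’s own ratings.

```python
"""Toy asset-prioritisation model for the 'bullseye' approach to layered security.

Everything here is hypothetical: the 1..5 harm scale, the weights, the
inventory and the control-focus mapping are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class Asset:
    name: str
    lives_on: str          # "laptop", "server" or "saas" (assumed categories)
    disclosure_harm: int   # 1..5, damage if the data ends up in the wrong hands
    outage_harm: int       # 1..5, damage if the asset is unavailable
    recoverable: bool      # True if it can be restored from backup


# Constructed inventory: a small company's first guess at its own assets.
INVENTORY = [
    Asset("accounting server", "server", disclosure_harm=2, outage_harm=4, recoverable=True),
    Asset("product source code", "laptop", disclosure_harm=5, outage_harm=3, recoverable=True),
    Asset("customer CRM", "saas", disclosure_harm=4, outage_harm=3, recoverable=False),
    Asset("marketing website", "server", disclosure_harm=1, outage_harm=2, recoverable=True),
]

# Assumed control focus per hosting location: the post's point that priorities,
# not a one-size-fits-all SIEM, determine the tool.
CONTROL_FOCUS = {
    "laptop": "host-based protection and monitoring on the endpoints",
    "server": "network segmentation plus log collection for the host",
    "saas": "identity controls (MFA, least-privilege roles) and provider audit logs",
}


def priority_score(asset: Asset) -> int:
    """Higher means protect sooner.

    Disclosure harm dominates, because the committee question is "most harmful
    in the wrong hands". Outage harm only counts when the asset cannot simply be
    restored from backup, mirroring the accounting-server example in the post.
    """
    if asset.disclosure_harm not in range(1, 6) or asset.outage_harm not in range(1, 6):
        raise ValueError(f"{asset.name}: harm ratings must be 1..5")
    outage = 0 if asset.recoverable else asset.outage_harm
    return 3 * asset.disclosure_harm + outage


def bullseye_rings(inventory):
    """Group assets into rings, innermost (highest score) first.

    Assets with equal scores share a ring; within a ring the inventory order is
    kept, since sorted() is stable.
    """
    ranked = sorted(inventory, key=priority_score, reverse=True)
    return [list(group) for _, group in groupby(ranked, key=priority_score)]


def protection_plan(inventory, rings_affordable_now):
    """Return (ring number, asset name, control focus, "now"/"later") rows.

    rings_affordable_now models the budget constraint: rings beyond it are
    deferred rather than dropped, which is the months-or-years rollout the post
    describes.
    """
    rows = []
    for ring_no, ring in enumerate(bullseye_rings(inventory), start=1):
        when = "now" if ring_no <= rings_affordable_now else "later"
        for asset in ring:
            rows.append((ring_no, asset.name, CONTROL_FOCUS[asset.lives_on], when))
    return rows


if __name__ == "__main__":
    for row in protection_plan(INVENTORY, rings_affordable_now=2):
        print(row)
```

With the constructed ratings, the source code and the CRM tie for the innermost ring (the CRM gets there because it cannot be restored from backup), the accounting server lands in ring two despite its high outage harm, and the website is deferred. Changing a single `recoverable` flag moves an asset between rings, which is exactly the kind of discussion the committee should be having.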