Practicing defense-in-depth: Implementing a defense-in-depth strategy

Implementing a defense-in-depth strategy can protect your customers’ Web applications from attack. Take a layered approach with intrusion prevention, encryption and code review.

It has become increasingly difficult to protect Web-based applications. Sophisticated hackers have successfully carried out attacks resulting in major expenses to enterprises. Solution providers can provide vital guidance and support to customers by suggesting, deploying, implementing and maintaining a defense-in-depth strategy that outlines how to secure their customer’s applications.


Network managers supporting applications governed by regulations such as PCI DSS, HIPAA and SOX must meet the requirements of these regulatory standards. Solution providers specializing in these standards can assist customers by reviewing implementations prior to the formal audit and by keeping up to date on upcoming changes to regulations.

Meeting the specifics of the standards is necessary, but ensuring maximum protection requires in-depth defense. This involves implementing a variety of techniques, each using a different method to prevent breaches. Applications not subject to regulations may also support critical data, so solution providers must employ a variety of protection technologies with these applications, too.

Defense-in-depth strategy: Intrusion detection and prevention
Intrusion detection and prevention are the first layer in a defense-in-depth strategy. While standards specify the use of intrusion detection or prevention, they do not spell out which technologies to use. Intrusion protection products use either signature-based or anomaly-based techniques.

Signature-based antivirus products are located at the edge of the network; they scan incoming requests and detect patterns matching previously observed penetration techniques. Signature-based products are continually updated with the latest observed attack types, but still cannot recognize zero-day attacks.

Anomaly-based antivirus products can often prevent zero-day attacks. These products detect attacks by monitoring activity throughout the network. An example would be a database request that returns hundreds or thousands of records when each request would normally return a single record. An anomaly-based product would detect the unexpected behavior even though the attack technique had never been seen before.

Signature-based products are easy to implement. The solution provider simply installs the software and the product becomes effective immediately.

Anomaly-based products take more time and effort. It is necessary to document each type of legitimate transaction and the pattern of activity it generates. The complexity of configuring anomaly-based products to catch attacks while eliminating false positives gives solution providers who are experienced with the process an excellent opportunity to assist their customers.
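The row-count anomaly described above, as an added example that is not part of the original article: a per-transaction baseline is learned from documented legitimate traffic, then live requests whose result size is far outside that pattern are flagged. The log format, transaction names and row counts are constructed for illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed baseline log: documented legitimate transactions and the
# number of rows each normally returns (see the article's point about
# documenting each legitimate transaction type). Not real data.
BASELINE_LOG = """\
txn=lookup_customer rows=1
txn=lookup_customer rows=1
txn=lookup_customer rows=2
txn=lookup_customer rows=1
txn=monthly_report rows=4200
txn=monthly_report rows=3980
txn=monthly_report rows=4105
txn=monthly_report rows=4050
"""

# Constructed live log: one single-record lookup suddenly returns thousands
# of rows, and one transaction type was never documented at all.
LIVE_LOG = """\
txn=lookup_customer rows=1
txn=lookup_customer rows=8731
txn=monthly_report rows=4120
txn=export_all rows=51200
"""

LINE_RE = re.compile(r"txn=(?P<txn>\S+)\s+rows=(?P<rows>\d+)")

def parse_log(text):
    """Return (transaction_type, row_count) for each well-formed line."""
    return [(m.group("txn"), int(m.group("rows")))
            for m in map(LINE_RE.search, text.splitlines()) if m]

def build_baseline(events, min_samples=3):
    """Per-transaction median and median absolute deviation (MAD)."""
    rows_by_txn = defaultdict(list)
    for txn, rows in events:
        rows_by_txn[txn].append(rows)
    baseline = {}
    for txn, counts in rows_by_txn.items():
        if len(counts) < min_samples:
            continue  # too little history to judge this transaction yet
        med = statistics.median(counts)
        baseline[txn] = (med, statistics.median([abs(c - med) for c in counts]))
    return baseline

def flag_anomalies(events, baseline, factor=5):
    """Flag requests well above their documented pattern, or with no pattern at all.
    Threshold = median + factor * max(MAD, 1): a report that normally returns
    thousands of rows is not flagged, a single-record lookup returning thousands is."""
    flagged = []
    for txn, rows in events:
        if txn not in baseline:
            flagged.append((txn, rows, "undocumented transaction"))
        elif rows > baseline[txn][0] + factor * max(baseline[txn][1], 1):
            flagged.append((txn, rows, f"expected about {baseline[txn][0]:g} rows"))
    return flagged

if __name__ == "__main__":
    for hit in flag_anomalies(parse_log(LIVE_LOG), build_baseline(parse_log(BASELINE_LOG))):
        print("ANOMALY:", hit)
```

A baseline that already contains attack traffic would raise the threshold and hide later attacks, which is why the learning set must come from reviewed, legitimate transactions.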

Application-specific firewalls protect against specific types of threats. For example, XML firewalls protect SOA implementations by scanning the stream of XML directives.

Defense-in-depth strategy: Encryption
The most recent PCI standard requires that data transmitted over public networks be encrypted. Even when encryption isn’t required, solution providers should consider encryption for their customers’ applications. Encrypting stored data adds an additional layer of protection. If a hacker succeeds in gaining access to a database, the information will be useless without the decryption key.

Defense-in-depth strategy: Code review
Developing code that is free of security vulnerabilities takes training, and even developers with this training sometimes make mistakes. Rushing a project, adding a new feature or correcting an existing problem all make errors more likely. Automated scanning products that review application source code can detect many types of vulnerabilities. A detailed code review by a security solution provider can detect other errors.

Here, in-depth defense can pay off again. First, the solution provider can help train the customer’s developers. The solution provider can also run automated scanners over modified code, no matter how small the changes. When time permits, the solution provider can also personally review the code.

Defense-in-depth strategy: Sources of attack
The Internet is not the only source of attack, and the list of possible sources is growing. Remote employee access and laptops connected to the internal network after exposure to unprotected home networks have long been understood as a potential source of malware. Now, laptops are exposed to public wireless in coffee shops. Employee-owned smartphones and USB keys are additional sources of viruses. All of these sources must be addressed with the appropriate protection products. Solution providers can review customers’ applications and networks and point out new sources of attack that customers may not recognize immediately.

No one type of protection is foolproof, but deploying the full array of these technologies can be expensive. Channel partners should assist customers in choosing the best solution for their specific needs.

Practicing defense-in-depth is important for the security consultant and the customers’ employees, too. Training employees on security practices is vital for all customers, independent of any other protections utilized. No technology can protect when an employee carelessly discloses passwords or other similar critical information.

Training developers is another critical need, especially for customers with a limited budget who cannot invest in a wider range of protections. In fact, one could argue that preventing vulnerabilities upfront is more effective than countering attacks later.

Customers can be reassured that they don’t need to make a large upfront purchase. Propose an initial training program focusing on the major sources of error. Then propose additional training based on the success of the initial program.

Creating and implementing a defense-in-depth strategy for customers is a solid business endeavor for security solution providers. Solution providers who stay up to date on the latest attack types and defense technologies while tracking evolving compliance requirements can provide valuable assistance to their customers.

About the author:
David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.
