Defense in Depth: The First Step to Security Certainty
Bad actors are constantly coming up with ways to evade defensive techniques put in place by government agencies, educational institutions, healthcare providers, companies and other organizations.
To keep up, network security needs what’s known as “defense in depth” — a strategy that leverages different security solutions to provide robust and comprehensive security against unauthorized intruders.
Think about securing your house — locks on your doors only protect your doors. But if you have locks on your doors and windows, a high fence, security cameras, an alarm system and two highly trained guard dogs, you have what we call “defense in depth.” The same goes for networks. When it comes to building a defense-in-depth strategy for your network, the first and most important feature is visibility — knowing what is on your network.
Why Visibility? Because You Can’t Protect What You Can’t See
If you can’t see it, you can’t protect it — it’s obvious if you think about it.
Without understanding the devices, hardware, software and traffic that are running on a network, security professionals are working with one hand tied behind their back — forced to react to threats as they arise from unknown vectors instead of being able to pre-emptively manage and control the threat surface as a whole.
Indeed, without this kind of visibility, we have no idea how large the attack surface even is. Every device that we can’t see is a security threat — whether intentional (a malicious actor) or not (an unpatched device) — and defense in depth becomes impossible.
The ‘Eye’ in DDI
With visibility, we typically talk about being able to understand the end devices that connect to a network — computers, smartphones, IoT devices and the like.
To get this kind of visibility, we can use IP Address Management (IPAM) — which together with DNS and DHCP is one of the core network services that make up DDI — to get a comprehensive picture of who is connected to the network.
Technically speaking, IPAM is a database of the allocated IP addresses across a network which, over time, lets you see who had what IP address and when. IPAM is a critical part of defense in depth.
This information gives us the ability to hunt down alerts and quickly figure out which device is generating malicious traffic, allowing us to rapidly resolve the threat.
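The lookup described above, as an added example rather than code from any IPAM product: a lease history that records who held which address and when, queried with the IP and timestamp from an alert. The lease records and the alert are constructed sample data, and the timestamps are assumed to be UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import Optional

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    start: datetime
    end: Optional[datetime]  # None means the lease is still active

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed lease history (hypothetical data). Note that 10.20.5.17 was
# held by two different devices at different times, with a gap in between.
LEASES = [
    Lease("10.20.5.17", "aa:bb:cc:00:00:01", "lab-printer-3",
          _ts("2024-03-01T08:00:00"), _ts("2024-03-03T08:00:00")),
    Lease("10.20.5.17", "aa:bb:cc:00:00:02", "jdoe-laptop",
          _ts("2024-03-03T09:15:00"), None),
    Lease("10.20.5.18", "aa:bb:cc:00:00:03", "cam-lobby-1",
          _ts("2024-02-20T00:00:00"), None),
]

def holder_at(ip: str, when: datetime, leases=LEASES) -> Optional[Lease]:
    """Return the lease that held `ip` at `when`, or None if it was unallocated."""
    ip = str(ip_address(ip))  # normalise the address before comparing
    for lease in leases:
        if lease.ip != ip:
            continue
        if lease.start <= when and (lease.end is None or when < lease.end):
            return lease
    return None

def attribute_alert(alert: dict, leases=LEASES) -> dict:
    """Map an alert {'src_ip', 'time'} to the device that held the IP at that moment.

    Matching on the alert's timestamp, not the current lease, is what prevents
    blaming whichever device happens to hold the address today.
    """
    lease = holder_at(alert["src_ip"], _ts(alert["time"]), leases)
    if lease is None:
        return {"src_ip": alert["src_ip"], "status": "unknown", "hostname": None, "mac": None}
    return {"src_ip": alert["src_ip"], "status": "attributed",
            "hostname": lease.hostname, "mac": lease.mac}
```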
Understanding the Attack Surface
Knowing what devices are connected to your network is only part of the visibility story. The other side is knowing what devices make up your network — the switches, routers, access points and other physical hardware that enables devices to connect and share information with one another. This threat vector is often overlooked simply because these devices are installed, configured and then forgotten. They don’t get much attention because they just need to work.
But understanding them is extremely important to a defense-in-depth strategy. The networking team needs to be able to install, configure, update and secure these devices, but the security team also needs to be aware of what is out there and how it is protected.
As new vulnerabilities come out, the teams need to ensure that the devices are updated in a coordinated manner so that the network remains up and available to the end users. Of course, there should also be a programmatic way that the teams can understand if a vulnerability (PSIRT, CVE, etc.) will affect the networking gear that is running the network.
A Network Configuration and Control Management (NCCM) tool can give teams this kind of visibility, enabling them to maintain and configure the information associated with a network’s components. This helps network professionals control, manage and secure these network devices.
Just as the ability to manage and secure known network devices is important to defense in depth, so too is knowing if an unauthorized or simply an unknown device is connected to the network. What is that device? Should it be on the network? If it is supposed to be, is the version of code up to your corporate standards? If it isn’t supposed to be on the network, where is that device located?
Being able to answer these questions gives teams full visibility into the devices on a network as well as their security posture. It is also critical that this NCCM be a multi-vendor solution to deal with the heterogeneous nature of today’s networks. Often, routers and switches can almost be seen as a commodity, but they can still represent an entrance for bad actors to access your network.
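The reconciliation that answers those four questions, as an added example and not the output of any NCCM product: discovered network devices are compared against an authorized inventory and a per-model minimum-version baseline, flagging unknown devices, devices below the standard, and authorized devices that were not seen. The inventory, baseline and discovery results are constructed sample data, and version strings are assumed to be dotted integers.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    model: str
    location: str

# Constructed authorized inventory, keyed by MAC (hypothetical data).
AUTHORIZED: Dict[str, Device] = {
    "aa:bb:cc:10:00:01": Device("core-sw-1", "VendorA", "SW-48", "MDF rack 2"),
    "aa:bb:cc:10:00:02": Device("edge-rtr-1", "VendorB", "RT-100", "MDF rack 1"),
    "aa:bb:cc:10:00:03": Device("ap-floor2-1", "VendorA", "AP-20", "Floor 2 ceiling"),
}

# Constructed corporate minimum version per (vendor, model).
BASELINE: Dict[Tuple[str, str], str] = {
    ("VendorA", "SW-48"): "4.2.0",
    ("VendorB", "RT-100"): "8.1.0",
    ("VendorA", "AP-20"): "2.0.0",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '8.0.3' into (8, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def reconcile(discovered: List[dict], authorized=AUTHORIZED, baseline=BASELINE) -> List[dict]:
    """Compare a discovery sweep against inventory and baseline.

    Each discovered entry is {'mac', 'version', 'seen_on'}; 'seen_on' is the
    upstream switch port, which is how an unknown device gets located.
    """
    findings = []
    for d in discovered:
        known = authorized.get(d["mac"])
        if known is None:
            findings.append({"finding": "unknown_device", "mac": d["mac"], "seen_on": d["seen_on"]})
            continue
        minimum = baseline.get((known.vendor, known.model))
        if minimum and parse_version(d["version"]) < parse_version(minimum):
            findings.append({"finding": "below_baseline", "hostname": known.hostname,
                             "running": d["version"], "minimum": minimum,
                             "location": known.location})
    seen = {d["mac"] for d in discovered}
    for mac, dev in authorized.items():
        if mac not in seen:  # offline, removed, or replaced by something else
            findings.append({"finding": "not_seen", "hostname": dev.hostname, "location": dev.location})
    return findings

# Constructed discovery sweep: one compliant switch, one router behind baseline,
# one device nobody inventoried, and the access point absent.
DISCOVERED = [
    {"mac": "aa:bb:cc:10:00:01", "version": "4.2.1", "seen_on": "edge-rtr-1/Gi0/1"},
    {"mac": "aa:bb:cc:10:00:02", "version": "8.0.3", "seen_on": "uplink"},
    {"mac": "aa:bb:cc:99:99:99", "version": "1.0.0", "seen_on": "core-sw-1/Gi1/0/12"},
]
```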
Putting It All Together: Leveraging Visibility for Security
So that’s what visibility is — but so what? How does it help with defense in depth?
For starters, it makes your security team more efficient. Once you have an overall picture of your network, your security ops team is better equipped to protect your network and its users.
Visibility enables them to quickly and efficiently identify vulnerabilities to be patched and the devices to be updated. With visibility, they can quickly and automatically identify and isolate devices that access malicious sites, and understand where those devices have been.
Visibility also gives them the ability to quickly identify and investigate security incidents with an authoritative database of information on the affected devices. For example, with a robust IPAM solution, teams can automatically identify rogue or unauthorized devices and isolate them from the network — shutting down unauthorized and unprotected vectors into your network without increasing administrative hassle. A strong NCCM solution can also help identify weak spots in your network architecture, eliminating blind spots that can impede the effectiveness and efficiency of your security and network solutions.
As the starting point for a whole manner of security processes and protocols that are critical to building defense in depth, visibility can help keep your network, data, and users safe.
The only question left is, “What’s on your network?”