Refine your defense-in-depth strategy with automation

Defense in depth

Medieval castles remained impregnable fortresses for centuries, thanks to their meticulous design. Fast forward to the digital age, and this medieval wisdom still echoes in cybersecurity. Like castles built with concentric walls and provisions to resist a siege, the Defense in Depth strategy is the modern counterpart: a layered approach with deliberate redundancy and a combination of passive and active security controls.

However, the evolving cyber threat landscape can test even the most hardened defenses. Despite widespread adoption of the Defense-in-Depth strategy, breaches persist. Fortunately, the strategy can be strengthened with Breach and Attack Simulation (BAS), an automated approach that continuously tests the security controls at every layer against real attack techniques and shows where they fall short.

Defense in Depth: False sense of security in layers

Also known as multi-layer defense, the defense-in-depth strategy has been widely adopted by organizations since the early 2000s. It is based on the assumption that adversaries must breach multiple layers of defense to compromise valuable assets. Because no single security control can provide foolproof protection against the wide range of cyber threats, defense in depth has become the norm for organizations around the world. But if every organization uses this strategy today, why are security breaches still so common?

Ultimately, the main reason is a false sense of security resulting from the assumption that layered solutions will always work as intended. However, organizations should not place all their faith in layered defenses – they must also stay current with new attack vectors, possible configuration drift, and the complex nature of managing security controls. In the face of evolving cyber threats, unfounded confidence in defensive layers is a security breach waiting to happen.

Refining the defense-in-depth strategy

The defense-in-depth strategy promotes the use of multiple security controls at different layers to prevent and detect cyber threats. Many organizations model their defenses around four core layers: network, host, application, and data. Each control is assigned to one or more of these layers so that no single failure exposes an asset. Typically, organizations deploy IPS and NGFW solutions at the network layer, EDR and AV solutions at the host layer, WAF solutions at the application layer, DLP solutions at the data layer, and a SIEM that collects telemetry from several layers at once.

While this general approach applies to nearly all defense-in-depth implementations, security teams can't simply deploy security solutions and forget about them. In fact, according to the Picus Blue Report 2023, 41% of simulated cyber attacks bypassed network security controls. Today, an effective security strategy requires a solid understanding of the threat landscape and regular testing of security controls against real cyber threats.

Harness the power of automation: Introduce BAS into your defense-in-depth strategy

Understanding an organization’s threat landscape can be difficult due to the vast number of cyber threats. Security teams must review hundreds of threat intelligence reports daily and decide whether each threat could affect their organization. Beyond that, they need to test their security controls against these threats to evaluate the performance of their defense-in-depth strategy. Even if organizations could manually analyze each intelligence report and perform a traditional assessment (such as penetration testing and red teaming), this would take too much time and resources. Simply put, it’s impossible to navigate today’s cyber threat landscape without automation.

When it comes to security control testing and automation, one particular tool stands out among the rest: Breach and Attack Simulation (BAS). Since its first appearance in Gartner’s Hype Cycle for Threat-Facing Technologies in 2017, BAS has become a valuable part of security operations for many organizations. A mature BAS solution provides automated threat intelligence and simulation for security teams to evaluate their security controls. When BAS solutions are integrated with the defense-in-depth strategy, security teams can proactively identify and mitigate potential security gaps before malicious actors can exploit them. BAS works with multiple security controls at the network, host, application, and data levels, allowing organizations to assess their security posture holistically.

LLM-based cyber threat intelligence

When introducing automation into your defense-in-depth strategy, the first step is to automate your cyber threat intelligence (CTI) process. Turning hundreds of threat intelligence reports into actionable items can be automated using large language models (LLMs) such as ChatGPT, Bard, and LLaMA, with analysts reviewing the extracted techniques and indicators before they drive simulations. Modern BAS tools can even provide their own LLM-based CTI and integrate with external CTI providers to analyze and monitor your organization's threat landscape.

Simulation of network layer attacks

As a critical line of defense, the network layer is often challenged by adversaries with infiltration attempts. The security of this layer is measured by its ability to identify and block malicious traffic. BAS solutions simulate malicious infiltration attempts observed “in the wild” and validate the security level of the network layer against real cyber attacks.

Evaluate the host layer security posture

Individual devices such as servers, workstations, laptops, and other endpoints make up the host layer. These devices are the usual targets of malware, vulnerability exploitation, and lateral movement. BAS tools can evaluate the security posture of each device and test whether host-level controls such as EDR and AV actually block or alert on those techniques.

Exposure assessment in the application level

Public-facing applications, such as websites and email services, are often the most critical yet most exposed parts of an organization's infrastructure. There are countless examples of cyber attacks that began with a request that slipped past a WAF or with a harmless-looking phishing email. Advanced BAS platforms can mimic the actions of adversaries to verify that security controls at the application layer work as intended.

Protecting data from ransomware and exfiltration

The rise of ransomware and data exfiltration attacks is a stark reminder that organizations must protect proprietary and customer data. Security controls such as DLP and access controls in the data layer protect sensitive information. BAS solutions can replicate adversarial techniques to rigorously test these protection mechanisms.

Continuous validation of the defense-in-depth strategy with BAS

As the threat landscape evolves, an organization's security strategy should evolve as well. BAS provides a continuous, proactive way for organizations to evaluate each layer of their defense-in-depth approach and to notice when a control that used to block a technique no longer does. With resilience demonstrated against real cyber threats, security teams can trust their controls because they have been tested, not because they have been deployed.
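As an added illustration that is not part of the original article and is not code from any BAS product, the following Python sketch shows the scoring logic behind layer-by-layer validation described above: each simulated action is tagged with the layer it targets and the ATT&CK technique it exercises, and the script computes prevention and silent-bypass figures per layer, lists the actions that no control blocked or alerted on, flags layers under a prevention threshold or never tested, and diffs two runs to surface the configuration drift mentioned earlier. The result fields, sample outcomes and function names are assumptions made for the example; the outcomes are constructed, not measured data.

```python
"""Layer-by-layer scoring of breach-and-attack-simulation results.

Added example, not code from the article or from any BAS vendor. The
result fields, sample outcomes and function names are assumptions made
for illustration.
"""
from dataclasses import dataclass, replace

# The four layers used in the article, in the order they are reported.
LAYERS = ("network", "host", "application", "data")


@dataclass(frozen=True)
class SimulationResult:
    """Outcome of one simulated adversary action against one layer."""
    action_id: str   # identifier of the simulated action
    technique: str   # MITRE ATT&CK technique the action exercises
    layer: str       # defense-in-depth layer the action targets
    prevented: bool  # a preventive control (IPS, EDR, WAF, DLP, ...) blocked it
    detected: bool   # a detective control (EDR/SIEM) raised an alert for it


# Constructed sample run: these outcomes are invented for the example.
SAMPLE_RESULTS = [
    SimulationResult("N1", "T1190", "network", prevented=True, detected=True),
    SimulationResult("N2", "T1071.001", "network", prevented=False, detected=True),
    SimulationResult("N3", "T1571", "network", prevented=False, detected=False),
    SimulationResult("H1", "T1059.001", "host", prevented=True, detected=True),
    SimulationResult("H2", "T1055", "host", prevented=True, detected=False),
    SimulationResult("H3", "T1003.001", "host", prevented=False, detected=True),
    SimulationResult("A1", "T1190", "application", prevented=True, detected=True),
    SimulationResult("A2", "T1566.001", "application", prevented=False, detected=False),
    SimulationResult("D1", "T1486", "data", prevented=True, detected=True),
    SimulationResult("D2", "T1048.003", "data", prevented=False, detected=False),
]

# Constructed follow-up run in which H2 is no longer blocked or alerted on,
# standing in for the configuration drift a one-off assessment would miss.
DRIFTED_RESULTS = [
    replace(r, prevented=False, detected=False) if r.action_id == "H2" else r
    for r in SAMPLE_RESULTS
]


def score_by_layer(results):
    """Count total / prevented / detected / silently bypassed actions per layer."""
    stats = {layer: {"total": 0, "prevented": 0, "detected": 0, "bypassed": 0}
             for layer in LAYERS}
    for r in results:
        if r.layer not in stats:
            raise ValueError(f"unknown layer {r.layer!r} in action {r.action_id}")
        s = stats[r.layer]
        s["total"] += 1
        if r.prevented:
            s["prevented"] += 1
        if r.detected:
            s["detected"] += 1
        if not r.prevented and not r.detected:
            # Neither blocked nor alerted on: the action went straight through.
            s["bypassed"] += 1
    return stats


def prevention_rate(stats, layer):
    """Share of simulated actions a control blocked; 0.0 for an untested layer."""
    s = stats[layer]
    return s["prevented"] / s["total"] if s["total"] else 0.0


def silent_bypasses(results):
    """Actions that no control blocked and no sensor alerted on, sorted by id."""
    return sorted((r for r in results if not r.prevented and not r.detected),
                  key=lambda r: r.action_id)


def layers_below_threshold(stats, min_prevention):
    """Layers under the prevention threshold, plus layers never tested at all."""
    return [layer for layer in LAYERS
            if stats[layer]["total"] == 0
            or prevention_rate(stats, layer) < min_prevention]


def regressions(baseline, current):
    """Action ids that were blocked in the baseline run but not in the current one."""
    before = {r.action_id: r for r in baseline}
    return sorted(r.action_id for r in current
                  if r.action_id in before
                  and before[r.action_id].prevented and not r.prevented)


if __name__ == "__main__":
    stats = score_by_layer(SAMPLE_RESULTS)
    for layer in LAYERS:
        s = stats[layer]
        print(f"{layer:12} tested={s['total']} prevented={s['prevented']} "
              f"detected={s['detected']} bypassed={s['bypassed']} "
              f"prevention={prevention_rate(stats, layer):.0%}")
    print("silent bypasses:",
          [f"{r.action_id}/{r.technique}" for r in silent_bypasses(SAMPLE_RESULTS)])
    print("layers under 50% prevention:", layers_below_threshold(stats, 0.5))
    print("regressions since baseline:", regressions(SAMPLE_RESULTS, DRIFTED_RESULTS))
```

The distinction between "prevented", "detected" and "silently bypassed" is the one that matters in practice: an action that a control failed to block but that the SIEM alerted on is a detection-layer success, while an action that produced neither a block nor an alert is the gap to fix first. Running the same action set on a schedule and diffing against the previous run turns the one-off assessment into the continuous validation the section describes.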

Picus Security pioneered Breach and Attack Simulation (BAS) technology in 2013 and has been helping organizations improve their cyber resilience ever since. With the Picus Security Validation Platform, your organization can validate and strengthen existing security controls against even the most sophisticated cyber attacks. Visit picussecurity.com to book a demo or explore resources such as the white paper "How breach and attack simulation fits into a multi-layered defense strategy".

To deepen your understanding of evolving cyber threats, explore the top 10 MITRE ATT&CK techniques and refine your defense-in-depth strategy. Download the Picus Red Report today.

Note: This article was written by Huseyin Can Yuceel, Security Research Lead at Picus Security, where simulating cyber threats and strengthening defenses are our passions.
