Defence in Depth: Better Results From a Layered Security Strategy
Defence in depth is a security concept where businesses adopt a layered approach to cybersecurity policies and practices.
The purpose of this is to cover many bases and reduce your overall risk. The idea is that you’re still afforded protection even if one of the elements is compromised.
With so many attack surfaces to protect all at once, and with limited budgets available to small businesses, it can be a challenge to put together a strong stack for your clients.
So, what should you be thinking about in a defence in depth strategy? We take a look at what you need to consider.
The Rising Tide of Cybercrime
We can all see from the reports in the media that trends in cybercrime have seen the volume and frequency of attacks increase at an alarming rate in recent years.
These attacks are a threat to everyone. Businesses large and small all need to invest in proper security measures to protect their businesses and their customers. Everyone in the supply chain is a risk and is at risk.
According to Forbes, global cybercrime damages are expected to increase by 15% over the next two years. And with this trend likely to continue, the need for increased regulation will require more sophisticated protection.
The Benefits of a Layered Approach in a Defence in Depth Strategy
There are plenty of reasons why a defence in depth strategy is a strong choice for MSPs.
Complexity of Threats – In today’s landscape, cyber threats occur across a broad spectrum. More than just phishing attempts or malware, your security response needs to cover many more bases than ever before.
Redundancy – Relying on a single security measure is a risky prospect. If the single system you rely on is compromised, then your system is left wide open.
Minimising Impact – With many different tools working in concert, a layered defence means you’re less exposed if you are breached. If an attack gets through your firewall, for example, further progress can be prevented at the application security layer.
Improving Detection and Response – Different security tools are designed to pick up on different triggers, across different stages of an attack, whether that is a breach, unauthorised activity or the modification of files.
Remember: The more complex the defence, the more work it is for attackers to get what they’re after.
World-renowned hacker and security consultant Kevin Mitnick says: “You can’t rely on one single point of protection; the hackers will find a way through, eventually. Defence in depth provides a complex barrier that increases the cost and time needed for an attacker to penetrate, often discouraging them in the process.”
Key Components in a Defence in Depth Strategy
What defence in depth looks like for your MSP will depend on the sorts of clients you serve. However, here are some of the things to think about when putting your own strategy together.
Having good password hygiene and multi-factor authentication (MFA) is always a good idea for any security strategy. Consider how access to systems is given to new staff at the onboarding stage, with regular, robust reviews and an off-boarding process to revoke access too.
As well as that, here are some other elements your strategy may need to consider:
Network Security
Network security is the control and monitoring of traffic across your network. It covers firewalls, network segmentation, secure VPNs and more.
Here you can deploy intrusion detection and prevention systems, virtually segment your networks and implement conditional access policies.
Application Security
There are many different ways to apply security at the application level. There are conditional access policies, automated patch management and real-time monitoring of the application.
Ensuring applications are coded to secure standards and watching out for zero-day exploits will ensure there’s no easy back-door for attackers to use too.
Endpoint Security
An endpoint is defined as a physical device that connects to a network, and includes things like laptops, mobile phones, tablets and other wireless devices.
Whereas antivirus software traditionally protected your devices from malware, it’s no longer enough to stop today’s sophisticated threats.
Virtual private networks (VPNs), virtual local area networks (VLANs) and Endpoint Detection and Response (EDR) are all good examples of methods for keeping endpoints safe. You can also deploy device encryption and endpoint backup solutions if necessary.
Data Security
Data loss prevention (DLP) tools prevent sensitive data from being lost, stolen or accidentally shared. They monitor how files are shared and often employ AI and machine learning to detect suspicious and anomalous behaviour.
Data encryption and data masking can hide sensitive data from unauthorised eyes. Locking down sensitive data can make it difficult for hackers to use this data against you in a ransom.
Backup and disaster recovery tools are there to help you restore your data if the worst happens. The quicker you’re able to recover from data loss the better for your business and your clients.
How Partners Can Help MSPs Deliver Defence in Depth Security
With so many areas to manage all at once, and potentially many vendor partners to work with, it’s easy to fall into vendor fatigue. And it means more time spent paying invoices, following product roadmaps and rolling out updates, etc.
Leveraging Vendor Partners’ Expertise
One strategy could be to work with partners that already vet and choose complementary vendor products to adopt into your stack.
Pax8 are cloud marketplace specialists who select cloud security products that will bring the most to the MSPs they serve. Any new vendors they select must share this ethos, be ready to integrate with the platform and fill a gap somewhere in their catalogue.
Brigantia are another distributor of cybersecurity solutions who carefully select vendors to help their MSP channel partners grow. They’re active in the MSP community, and keep their finger on the pulse of cybersecurity innovations. This means they can look ahead for products to fill gaps in the market that may complement their list of partner vendors.
Partnering with an MSSP
A managed security service provider (MSSP) is an MSP who’s decided to specialise in cybersecurity solutions. Choosing to partner up with an MSSP could be another solution in adopting a more sophisticated defence strategy with your clients.
This is perfect if you want to focus on other things and let someone else provide specialist cybersecurity management.
Demonstrating Good Practice with Cyber Essentials
Cyber Essentials is a UK cyber security certification scheme designed to show an organisation has a minimum level of protection. This is done through annual assessments to maintain certification and is backed by the UK government and overseen by the National Cyber Security Centre (NCSC).
There are five controls that Cyber Essentials covers. These are:
- Firewalls
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
It’s worth noting that while this helps businesses demonstrate effective information safety, there are other frameworks that go further. Cyber Essentials Plus, ISO27001/ISO9001 and other frameworks may be necessary if you support businesses that operate overseas.
The Human Factor in Defence in Depth
The most popular attack vectors in today’s climate involve manipulating people to make mistakes. Social engineering and business email compromise as a result of phishing or smishing are subtle ways to gain access to systems. From there, malware payloads can be uploaded, privileges elevated and data stolen.
This is why it’s just as important to consider how prepared users are to spot malicious messages and bad links, and to make them aware of how much damage these can cause.
Security awareness training (SAT) is an essential component of a modern cybersecurity strategy. It’s just as important as any set of tools configured to minimise risk. I’ll go into more detail about the importance of SAT in another article.
The Challenges of Cybersecurity
As we know, effective cybersecurity does not come without its challenges.
For MSPs there are plenty of barriers to putting in place a comprehensive defence in depth cybersecurity stack.
Integration and Compatibility
With many products to integrate for multiple customers across a number of different sites, it can be difficult to get them all configured correctly in a way that complements other deployed applications and doesn’t conflict with them.
These pieces of software all impact on the available resources and require updating regularly. Plus any bespoke web services need to be retested each time this takes place to ensure conflicts don’t arise that negatively impact on your clients.
Cost-Benefit Analysis
As you can imagine, a comprehensive defence strategy is not cheap, and while this is necessary for a robust defence, it can be unnecessary for the clients you manage.
A cost-benefit analysis will weigh up the cost against the financial damage of potential breaches, as well as how long it would take for the business to get back up and running again.
This is why some MSPs have a tiered approach to cybersecurity: a minimum level that you can comfortably provide which still minimises risk, and then some optional extras for those that demand a bit more security.
Staying Ahead of the Curve
As the technology experts it’s your duty to ensure your stack is up-to-date and able to meet the current challenges posed by today’s attackers.
Artificial intelligence has recently given MSPs innovations in the sorts of tools that can be used to thwart attempted breaches. However, AI is also being put to use by attackers, and so more and more it’s becoming ‘table stakes’.
MSPs need to continue to move with the times and invest in new technology to keep up.
Demonstrating the Value of Cybersecurity
Many businesses are still under the illusion that they’re too small to be the target of a cyberattack.
As an MSP, especially one who considers cybersecurity essential to modern business success, you should be educating your audience that no one is too small. Everyone is a potential target.
You can use examples of recent breaches in the media to showcase how your solution could have prevented that breach, how it limits exposure to similar attacks and how it can save a business hundreds of thousands of pounds.
Other Things You Can Offer in Your Defence in Depth Cybersecurity Offering
Aside from the disciplines already mentioned, you can also offer services that will improve the overall health and hygiene of your clients’ businesses.
Vulnerability Scanning
A vulnerability scan performed on a network detects potential weaknesses in an organisation’s defences. These can include unpatched servers, users without MFA enabled and much more. It’s worth regularly running a vulnerability scan as this can reveal vulnerabilities you may not be aware of before they become a problem.
Pen Testing
Penetration testing is an exercise that actively tries to gain access to your system by finding and exploiting vulnerabilities.
The testers begin with some initial reconnaissance before launching an attack. This might consist of a mix of social engineering, brute force attacks or SQL injections.
The findings are then reported back to the MSP, who can then act upon that information to shore up any vulnerabilities they discover.
Business Continuity Plan
In that moment when the worst happens, every organisation should have a solid plan in place to get their business back on its feet as soon as possible. Helping a business define its business continuity plan means you’ll know exactly which systems are essential, and the data they’ll need to recover as soon as possible.
Final Thoughts on Defence in Depth
It’s obvious that any security measures you deploy for your clients should complement each other, limit redundancy and keep the risk to their business, and your reputation, at a minimum.
With threats on the rise, both in terms of frequency and sophistication, you’ve got to have your finger on the pulse for up-to-date technology. Consider leveraging the expertise of your vendor partners, or outsource cybersecurity altogether if it suits you.
Remember that manipulating the human element in the supply chain is one of the easiest methods for attackers to exploit. Security awareness training is a worthwhile investment if it’s carried out regularly, and the training is kept up to date.
We’re a long way from the basic deployment of antivirus software, firewalls and complex passwords. When attackers do make it past the perimeter fence, making further progress difficult is a wise strategy, and it may be enough to put attackers off completely.
Are you practising a defence in depth cybersecurity strategy in your MSP business? Or maybe you’ve decided to outsource your cybersecurity offering to an MSSP? Has having a defence in depth approach saved your clients from being the victim of a major hack, or reduced the impact?
We’d love to hear your story in the comments.