Risk Management: Depth or Breadth?
Years ago, as viruses began to use email in lieu of infecting computers through floppy disks, organizations had to find additional layers of protection to combat the threat; in came the use of email anti-virus (AV) technologies. As viruses morphed into well-designed Trojans, worms and other stealthy system-compromising and network-infecting pests, intrusion prevention technologies were added to the stack. Commonly referred to as 'defense in depth', this strategy uses multiple layers of defense in a coordinated fashion throughout an information technology system, at both logical and physical tiers, to protect the integrity of information. As it turns out, this remains a relatively decent method for protecting the organization. With multiple layers of protection, ranging from the network perimeter down to the kernel of the computer system, the likelihood of an attack is minimized.
However, there is a growing movement toward a 'defense in breadth' strategy as an optimal way to protect the organization. The reasoning is that once any single layer of depth is penetrated and compromised, it becomes very easy to move up and/or down the stack to bypass the other layers of defense. There are numerous vulnerabilities from which to choose to make that initial connection into the stack; hackers typically avoid the hardened areas anyway. According to the Verizon Business 2010 Data Breach Report, the most common entry point for attacks is stolen or weak credentials. How well are we controlling the user accounts? How well are users educated to protect themselves? Are our users over-privileged? There is plenty to think about here.
CSOs/CIOs should look outside the big firms to find new technologies to help them ensure the most effective 'defense in depth' measures possible; cloud-based patch management, network/device/application control, token-free two-factor authentication, and data integrity via hash-based timestamps are just a few options. CIOs also need to look for protection across the layers to build out a true 'defense in breadth' strategy. Here are a few steps to take: