Go Beyond Defense-in-Depth for Resilient Security

In his third security role in the health care industry, Steve Bartolotta is used to finding gaps in security programs.

At one company, employee security training fell short, a security information and event management (SIEM) system had been purchased but not completely implemented, and there was confusion about which business group was responsible for which systems. While the health care company had purchased some good security technology, the lack of a holistic approach to defense left gaps.

“I came into a new company that had certain systems in place, and they had made certain investments, but they were not using everything to their fullest advantage,” says Bartolotta, who is now the chief information security officer (CISO) for Community Health Network of Connecticut (CHNC).

Bartolotta focused on making the business more resilient to attacks, using available cyber-security frameworks as guides. His advice: “Trying to fix everything at once is impossible, so try to focus on a few key things.”

However, deciding the areas on which to focus is challenging. While security professionals have touted defense-in-depth as a key strategy for creating good security, Bartolotta thinks layered defenses are problematic.

Defense-in-depth continues to make sense as a general concept, he acknowledges, but adds that companies now need to focus less on absolute prevention and more on training people in security, hardening the infrastructure against attack, and creating processes that continually monitor for breaches.

That strategy matches the approaches by many other CISOs, who are moving away from strict defense-in-depth approaches and focusing more efforts on detection and response. The defense-in-depth strategy has focused on layering defenses to prevent attacks from gaining a foothold, but attackers are succeeding anyway, according to Ollie Whitehouse, technical director of the NCC Group, a security services firm.

“The aggressors are outstripping defense pretty much at every turn, and we need a sea change in how we defend our networks,” Whitehouse says. “We just do not have the technology today, and concepts like the kill chain [the different stages of cyber-attacks] are very powerful, but we are not able to fully use them yet.”

In the end, companies should not think in terms of the layers of a defense-in-depth strategy. They should focus on making their network, data and people more resilient. Whitehouse and others recommend five ways to start.

1. Pick a framework and commit.

Companies should first pick a yardstick by which they will measure their program. While compliance regulations are a necessity, they do not necessarily promote good security.

CHNC’s Bartolotta has worked with many different frameworks and guidelines for establishing better information security. The SANS Institute’s “Critical Security Controls for Effective Cyber Defense” gives companies a good recipe for where to focus their efforts.

The relatively new NIST “Cybersecurity Framework” is a comprehensive set of guidelines for analyzing an organization’s security needs. Organizations, such as HITRUST in the health care sector, have tailor-made frameworks for firms in that industry.

“In many ways, it doesn’t really matter which one [you choose],” Bartolotta says. “Just pick a relevant framework and go with it.”

2. Take people into account.

Any successful program needs to account for the human element for two reasons. First, the people making budgetary decisions need to understand the threat to the business—not abstract security concepts. As part of any strategy, a CISO should focus on getting support from the board and executives, making communication a key skill.

“The most skilled CISOs have a real capacity to boil the issues down into understandable language,” says Doug Johnson, senior vice president of payments and cyber-security policy at the American Bankers Association. “They need to let the board understand that this is not about technology, and to describe where the vulnerabilities and the potential impacts are going to be.”

The second reason is that humans are the greatest vulnerability in the network. Companies that focus merely on technology will likely fail to prevent a breach, because a cyber-security strategy needs to address not only technology, but people and processes as well, says Tammy Clark, CISO at the University of Tampa.

“As a result, their user populations don’t necessarily have anyone reinforcing the ‘right things to do,’ or there’s little support from the top levels of executive management for safe computing practices,” she explains. “Don’t forget multiple large data breaches started off with a single user clicking a link in a phishing email. That’s the reality.”