The concept of building a layered security solution, called defense in depth, is not alien to the security world, including cyber security.
The oldest implementation of defense in depth known to humanity dates back more than 5000 years, when guru Dhronacharya implemented the Chakraviewh during the Mahabharat war to capture Yudhisthir. While that plan was not as successful as they wanted it to be, the concept still provides much stronger security than any other solution.
Although cyber security has known this principle for decades, it is difficult to see it implemented in the real world. One of the reasons is the increasing cost of security solutions. While it is wise not to spend thousands of dollars to protect an asset worth hundreds, it is wiser to improve the organizational security posture without increasing the cost of security.
One of the ways to implement defense in depth without increasing security cost is to look at and configure every operating system, every application, and every appliance with a security mindset. Given below are some examples of such security configurations at different levels:
- Operating System hardening
- Configuring HIPS and firewalls at the operating system level, in addition to traditional AV solutions.
- Switches can be configured with VLANs and PVLANs, including port security and MAC security features
- Wi-Fi devices can be configured with access control and MAC filtering
- Routers can be configured with management plane and control plane security along with traditional packet and session filtering solutions.
- File and FTP servers can have stronger file permissions with encryption
- Printers and print servers can be hardened and configured with spool encryption
- Configuring Group Policies and local policies in Windows environments
- Eliminating Telnet and using SSH with password-protected keys for *nix hosts.
- Configuring log auditing and multifactor authentication for accessing cloud applications.
These are just some examples of reconfiguring existing devices with a security mindset. The full list is far longer; this is just the tip of the iceberg, and actual implementation is limited only by one's technical abilities and imagination.
Thus, citing budget constraints for not implementing defense in depth is merely an excuse or a sign of a lack of knowledge.
Here is a link to my patent that elaborates on this concept: https://patents.justia.com/patent/10044755
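As an added illustration of the SSH item in the list above (example code, not part of the original post or the patent), this zero-cost check reads an `sshd_config` and reports settings that still allow password logins. The key-only policy in `POLICY`, the function names and the sample file are assumptions made for the example; whether a user's private key carries a passphrase is a client-side property that server configuration cannot show.

```python
import re
# OpenSSH defaults that apply when a keyword is absent from sshd_config.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}
# Assumed key-only policy (not from the original post): allowed values per keyword.
POLICY = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
}
# Deprecated keyword that OpenSSH treats as an alias of the newer name.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Return the global settings sshd would use: the first occurrence wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional Match blocks are out of scope for this global check
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # later duplicates are ignored, as sshd does
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit(config_text):
    """List (keyword, effective value) pairs that violate the key-only policy."""
    eff = effective_settings(config_text)
    return sorted((k, v) for k, v in eff.items() if v not in POLICY[k])

# Constructed sample: the later "passwordauthentication no" has no effect.
SAMPLE = """\
# constructed sshd_config fragment
PasswordAuthentication yes
PermitRootLogin no
passwordauthentication no
Match User backup
    PasswordAuthentication yes
"""
print(audit(SAMPLE))
```

The sample shows two common gaps: a duplicate keyword that appears to disable passwords but comes too late to matter, and keyboard-interactive authentication left at its default.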