“Defense-in-depth really comes down to one thing, and that’s visibility,” said Trustwave’s Steve Baer. “What’s going on? What applications are in flight? What data is in use? Where does it go? Who touches it? And in some cases, there might be external partners getting involved. Does that introduce more or less risk to my environment? I need visibility into that supply chain.”

A full complement of threat vectors must be covered in order for this strategy to work. For example:

• Applications can be compromised through successful phishing attacks, faulty plug-ins, ineffective or underutilized patching policies, and other vulnerabilities.
• Data can be held captive through ransomware and related encryption.
• Endpoints may be penetrated by advanced persistent threats, spoofed credentials, viruses/malware, weak authentication followed by privilege escalation, or the occasional zero-day threat as it is released “into the wild.”
• Networks may be improperly accessed through compromised clients or servers.
• Sysadmins can fall victim to spoofed credentials or compromised equipment.

“If defense-in-depth means that I need multiple kinds of protections to make my organization safe, I’m perfectly cool with that,” commented AlertLogic’s Jack Danahy. “But the problem is that people don’t think enough about defense-in-breadth. Organizations will transform themselves digitally and head off into the cloud. And while they might have done a good job of securing the customer premises, when they move into the cloud, they haven’t done all that thinking. They need to think broadly as well as deeply because we’ve seen organizations spend an overabundance of resources in one area, and then be taken down by a simple failure in an area where they haven’t spent as much time.”

In some cases, they haven’t spent any real time thinking about it at all.

Copyright © 2020 AVANT Communications, Inc.
Managed Security Trends and Insights