Best Practices for Building Defense-in-Depth Layers

In today’s threat landscape, multiple defense-in-depth layers are one of the only ways security teams can achieve peace of mind. Why? Two reasons stand out:  

1. Attack surfaces are getting bigger. The rise of remote work and digital transformation initiatives like DevOps have stretched attack surfaces past most security teams' ability to define them. It is impossible to create a totally secure network perimeter. As the Twilio breach showed, threat actors can bypass even advanced two-factor authentication (2FA) protocols. 
2. Threats are becoming more evasive. Threats that enter a network environment are getting harder to spot and are moving further from their initial point of access. A study by the University of Eurecom (FR) reviewing over 170,000 real-life malware samples revealed that the use of evasive and in-memory techniques capable of bypassing the protection provided by NGAV/EPP/EDRs accounts for over 40%. Lateral movement is a feature in at least 25% of all cyber-attacks.  

The rise of targeted and evasive threats means that no single layer of security at any level, from endpoints to critical servers, can be relied upon to stop attacks by itself. Instead, just like layers of identity checks and bodyguards protecting a VIP, security teams need to put a multi-layered security obstacle course between critical assets and potential threats.  

Defense-in-depth is about more than just deploying multiple security products. It's a process where organizations harden their people, processes, and technology to produce a highly resilient security outcome and effective ransomware prevention.

Here are our recommended best practices for building defense-in-depth layers: 

1. Start with the People — According to Verizon's most recent data breach report, 82% of all security breaches last year involved human error. Network-connected individuals enable attacks by being socially engineered, making mistakes, or allowing malicious access intentionally.

This statistic shows the importance of hardening the "human layer" in any defense-in-depth strategy. But although many organizations train individuals annually to prove compliance or meet insurance requirements, research proves that only a few do so often enough to turn the dial on their security posture.  At best, the human resources are the last line of defense.  

More training is needed. However, security should rely on something other than adherence to policy. It's essential to make sure that proper controls like multi-factor authentication (MFA) are in place as a backup.  

2. Recognize That Flat Network Architecture ≠ Security — Devastating cyber-attacks are not just the result of skillful threat actors or advanced techniques. Often, a victim's own network design is a cybercriminal’s greatest asset. 

The default policy in flat network environments is to allow all devices and applications to share information. Although this makes networks easy to manage, the security downside is that once a single network-connected asset in a flat network is compromised, it is relatively easy for threat actors to establish lateral movement into other parts of the network.  

'To stop this from happening, security teams should use some form of network segmentation and subnetting to protect vulnerable network assets and slow down lateral movement.  

Network segmentations also enables security teams to response and isolate threats without disrupting the entire organization.  

3. Use Best-of-Breed Technology at Each Layer—Over 70% of security professionals prefer best-of-breed solutions rather than platform-based controls, and with good reason. Security programs that suit a vendor's marketing strategy don't always fit their customers' real-world needs.

Against advanced attacks like ransomware, one-size fits all tools or tool sets can leave gaps and create administrative burdens incompatible with business needs.  

A better alternative is to tailor defense-in-depth tool stacks to each environment and business situation as needed. Security teams must look at how users and systems function within these layers and pick the best solutions.  

To stop known threats, endpoints and servers must, at a minimum, have an effective antivirus (AV) in place. Ideally, endpoint protection (EPP) and endpoint detection and response (EDR) will also be present. It's important to also have internal-facing solutions like a security information and event management (SIEM) or security orchestration, automation, and response (SOAR) platform that can centralize security logs, and enable security teams to identify, investigate and mitigate risks.   

Around the network perimeter, firewalls are essential, and internet-facing assets need to be protected by Web Application Firewalls (WAFs).  

4. Ensure security solutions and applications are properly updated and configured —According to the 2023 Verizon Data Breach Investigation report, unpatched vulnerabilities and misconfigurations accounted for over 40% of incidents. It is insufficient to use best-of-breed security controls. These solutions, the organizations business applications and operating systems must be continually patched and properly configured. 

For example, In 2021, the ProxyLogon vulnerabilities on Microsoft Exchange impacted thousands of organizations worldwide. While Microsoft issued instructions on corrective actions, variants such as ProxyShellMiner, are still currently active.  

Deploying Automated Moving Target Defense to protect against evasive and in-memory cyber attacks   

Alongside these best practices, the reality is that even with fully deployed security AI and automation, the average time to identify and contain data breaches is 249 days.  

It is therefore important to protect endpoints, servers and workloads against attacks capable of evading the protection mechanisms provided by detection-based technologies.

Automated Moving Target Defense (AMTD) is an essential defense-in-depth layer because it stops threats in a vulnerable and often unprotected space—device memory during run time.  

Code and memory exploitation techniques like process injection and PowerShell compromise are among the top ten most commonly seen MITRE ATT&CK techniques. AMTD mitigates this risk by morphing memory and making it essentially invisible to the threats that target it. This means that memory assets and vulnerabilities like hash passwords and bugs are inaccessible to threat actors. 

As a layer in a defense-in-depth security posture, AMTD stops zero-day, fileless, and in-memory attacks that bypass controls at other levels. AMTD also serves as a highly effective anti-ransomware tactic, and has been showcased preventing attacks like LockBit.

Morphisec offers a range of AMTD solutions for endpoints and Windows and Linux servers. To learn more about this new technology why Gartner calls AMTD “the future of cyber”,  read our whitepaper Zero Trust + Moving Target Defense: The Ultimate Ransomware Strategy.