What is the benefit of a Defense-in-Depth (DiD) approach? From the Punic Wars to WW2, history shows that when you have multiple layers of defense, even the most motivated and well-resourced attackers will struggle to breach the final objective. Given the proliferation of increasingly sophisticated and evasive cyberattacks in the wild, today’s security leaders must get better at DiD.
The recent rise of advanced in-memory and zero-day threats highlights why DiD is increasingly important. In just one year—2020—attacks using the memory-based threat Cobalt Strike rose by 161 percent. Meanwhile, there were 80 zero days observed to be exploited in the wild in 2021, more than twice the number in 2019. Fileless and in-memory attacks are a key component of supply chain attacks, which are amongst the most devastating to any organization.
Organizations already rely on multiple layers of cybersecurity to guard their perimeters via firewalls and intrusion detection systems (IDS), network segmentation, and endpoint protection. But is a single control at every layer sufficient? Consider endpoints, which are an organization’s largest attack surface. A single layer of endpoint security, such as that provided by endpoint protection platforms (EPP) and endpoint detection and response (EDR) to spot and isolate malware, is no longer enough.
This is because many of the new threats that appear on endpoints and network assets are either unknown or live in device memory during runtime. So a single layer of an EPP or EDR solution that scans your disk and operating system for previously detected attacks with a “signature” is not enough to mitigate risk. Attack chains like the 2021 breach of Ireland's national health system (the HSE) and the 2022 ransomware attack on the Costa Rican government show the massive damage these attacks frequently cause.
Defending against advanced threats means digging a new layer of trench. It's time to build Defense-in-Depth.
Defense-in-Depth means putting in place multiple layers to stop threats that evade your first line(s) of defense, including on endpoints. So even if one layer is bypassed, there’s another, different layer to stop the threat from continuing.
Defense-in-Depth has obvious benefits. Yet when defending against advanced threats, many organizations ignore Defense-in-Depth at the endpoint level. They use a single layer of protection for their endpoint security. Solutions like next-generation antivirus (NGAV) and EDR platforms are used as a “one size fits all” response to endpoint threats.
This is a mistake. As Ponemon reported back in 2020, almost 80 percent of breaches that originate at the endpoint come from malware that AV and EDR solutions didn’t recognize. More than half (51 percent) of respondents said their existing EDR solutions were “not effective at detecting advanced attacks.”
This security gap is even more critical today. Three of the top five attack methods last year happened in device memory.
Solutions like extended detection and response (XDR) claim to provide holistic protection against even the most sophisticated attacks. They do this by correlating data across endpoints and networks. But even they don’t offer foolproof protection against fileless and in-memory threats.
This is because vendor-provided XDR solutions use the same probabilistic operating methods as NGAV and EDR. So while XDR might put more eyes on an organization's endpoints and network, it has the same blind spots. Fileless and in-memory threats still get through.
Rather than relying on any one layer to stop threats, Defense-in-Depth means building in redundancy. So if one layer of solutions or controls misses a threat, another can catch it eventually. Each layer should integrate seamlessly with the others in your stack, and ideally, be fast to deploy. No single layer is foolproof. But together, all layers create a defensive posture that’s almost impossible to bypass.
At the endpoint level, all organizations need an effective AV and EPP or EDR solution to stop known malware and ransomware threats.
However, as mentioned, these kinds of solutions use probabilistic technology. This means they spot threats by scanning endpoints and finding files and behaviors that are different from the norm. Unfortunately, probabilistic, scanning-based solutions can’t see malware that operates in device memory during runtime or is totally new to them, i.e. zero-day attacks.
In response, security teams should consider additional tools like Moving Target Defense (MTD) technology, which is built to stop signature-less and evasive threats. According to Gartner, “By 2025, at least 30% of commercial network, host and software security solutions will incorporate moving target defense techniques/technologies, up from less than 5% today.”
MTD stops threats by making application runtime environments dynamic—moving the data targets. Importantly, it doesn’t need to recognize a threat to stop it automatically, which means it doesn't need additional headcount to run. (Defense-in-Depth without expense in depth.) Moreover, MTD works on endpoints without creating noticeable system load.
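As an added illustration (not code from Morphisec or from the original post) of the argument in the paragraphs above about redundancy, shared blind spots and recognition-free controls: a toy Python model in which each control is a predicate over a constructed threat catalogue, so you can see that three products built on the same scanning method miss exactly what one of them does, while a second layer with a different mechanism changes the miss set. The threat attributes, the two predicates and the catalogue are simplifying assumptions, not a description of any product.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Threat:
    name: str
    on_disk: bool    # leaves a file that a disk scanner can read
    known: bool      # a signature or behaviour profile already exists for it
    in_memory: bool  # runs its payload only inside a live process

# Constructed toy catalogue (an assumption, not real telemetry).
THREATS: List[Threat] = [
    Threat("known ransomware dropper", on_disk=True, known=True, in_memory=False),
    Threat("new file-based trojan", on_disk=True, known=False, in_memory=False),
    Threat("known in-memory beacon", on_disk=False, known=True, in_memory=True),
    Threat("zero-day in-memory exploit", on_disk=False, known=False, in_memory=True),
]

Layer = Callable[[Threat], bool]  # returns True when the layer stops the threat


def scanning_layer(t: Threat) -> bool:
    # NGAV/EPP/EDR/XDR as the post characterises them: they must recognise
    # something they have scanned before, so unknown or memory-only code slips by.
    return t.known and not t.in_memory


def mtd_layer(t: Threat) -> bool:
    # Moving Target Defense as the post characterises it: no recognition step,
    # it acts on attacks against process memory regardless of novelty.
    return t.in_memory

# Three products built on the same scanning method share one blind spot ...
SCANNING_ONLY: Dict[str, Layer] = {"ngav": scanning_layer, "edr": scanning_layer,
                                   "xdr": scanning_layer}
# ... whereas two *different* mechanisms cover each other's gaps.
LAYERED: Dict[str, Layer] = {"ngav": scanning_layer, "mtd": mtd_layer}


def stack_misses(layers: Dict[str, Layer], threats: List[Threat] = THREATS) -> Set[str]:
    """Names of the threats that get past every layer in the stack."""
    return {t.name for t in threats if not any(stop(t) for stop in layers.values())}


def actual_miss_rate(layers: Dict[str, Layer], threats: List[Threat] = THREATS) -> float:
    return len(stack_misses(layers, threats)) / len(threats)


def naive_miss_rate(layers: Dict[str, Layer], threats: List[Threat] = THREATS) -> float:
    """Estimate from multiplying per-layer miss rates; silently assumes the layers
    fail independently, which is exactly what shared blind spots violate."""
    rate = 1.0
    for stop in layers.values():
        rate *= sum(not stop(t) for t in threats) / len(threats)
    return rate
```

Compare `naive_miss_rate` with `actual_miss_rate` for both stacks: the product formula undercounts misses when the layers share a blind spot and overcounts them when the layers are genuinely different, so the only question that matters when adding a layer is whether its blind spot overlaps the existing one.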
Instead of relying on one solution or solution set to stop all threats, Defense-in-Depth means augmenting the weak points different controls have with other, compensating controls. This is the core idea of Defense-in-Depth. And it’s why Defense-in-Depth must be applied to an organization’s endpoints and servers.
Whether it’s NGAV, EPP, or EDR, scanning-based solutions miss the fileless, in-memory, and zero-day threats targeting endpoints. To stop them, you need another layer, such as Morphisec’s MTD technology. Unlike cybersecurity solutions which focus on scanning for known patterns, MTD preemptively blocks attacks on memory and applications, removing the need for a response. To learn more about Morphisec’s revolutionary Moving Target Defense technology, read the white paper: Zero Trust + Moving Target Defense: The Ultimate Ransomware Strategy.