Throughout the MSP industry the acronyms of layered security, layered defense, security stack is commonly used and refer to the practice of using numerous technologies for the protection of business assets. For those of us with a history in the intelligence community and/or military, these acronyms were a derivative of what we called defense-in-depth. Simply put, this provides the defense and depth to reduce the impact of a threat. When one layer of security fails, the next layer is intended to detect, deter and/or block the adversary from advancing further throughout the attack cycle.
When communicating layered security to SMB owners, it’s important to note that it isn’t just a benefit, but rather a requirement for today’s IT environments and their borderless perimeters. The increasing use of work-from-home personal computing devices and cloud-based Office 365 has liquefied the once hardened perimeter, giving attackers multiple vectors and opportunities to establish a foothold into the small business environment. Each of these attack vectors requires its own threat monitoring, as part of a defense-in-depth strategy.
Each layer a.k.a. point product, is purposely built to solve a unique cyber use case. For example, anti-virus was originally built to protect a computing device from malicious software infections. With today’s adversary armed with a plethora of automated black-market attack code in conjunction with non-computing attack vectors, anti-virus while still a necessity, is no longer enough. While SMB owners were historically convinced that a firewall and anti-virus was sufficient, it is important to note that these two layers alone do not detect and prevent today’s common attacks such as RDP hijacking, reverse PowerShell, Office 365 compromises, ransomware, zero-day exploits, crypto-mining, etc. and the list goes on.
With each new successful attack type, the birth of new security products and/or features are created to address the threat. Each year, attacks are continuously evolving to address the threat, the business owner is tasked with accepting the risk or investing into yet another layer of security.
An attack vector is the entry vehicle used by an adversary to gain unauthorized access or a foothold on the small business’s IT environment, most commonly with a clear motive, and that is, the theft of something with monetary value (credit cards, intellectual property, etc.).
There are three common attack vectors wreaking havoc across North American small businesses today while every successful SOC-as-a-Service is enhancing their layered security defense-in-depth strategy.
Network – Most commonly throughout the SMB industry is the layer to address prevention of malicious traffic from entering and/or leaving the network. Firewall example layered usage typically spans unauthorized protocols and services, packet filtering and stateful inspection.
Endpoint – First thing that comes to mind is next generation malware, endpoint detection and response, breach detection of TTPs, host-based intrusion prevention, all with the goal of preventing/detecting and or deterring endpoint-based attacks. Significant investment over recent times trend in continuous layered investment.
Cloud – The forgotten, least protected and probably most proliferated example throughout most small businesses is Office 365. In fact, many data breaches, successful endpoint attacks, ransomware and the alike occur because of a compromised Office 365 user account. Should this attack vector be the original foothold, in all reality, the game is over, as internal spear phishing, mail forward rules, among other attack techniques guarantee a high probability of success. It’s imperative to know that early detection of cloud threats typically deter attackers from ever advancing to the endpoint, encouraging many MSPs, SOCs and SMB owners to prioritize layered security budgeting to address this vector.
Have you ever found yourself struggling to explain layered security to small business owners? Just like football, the first line of defense consists of linemen who are there to primarily block and tackle. The second layer of defense is made up of linebackers with a partial responsibility of proactively identifying what circumvents the defensive line. The third layer, obviously the position of safety, with the ultimate goal of preventing a touchdown, or in cyber to prevent the intrusion from advancing into something more severe such as a data breach. Whether its football or cyber, one thing is certain, the opposition will advance without a defense-in-depth layered approach.
Layers play a crucial role in protecting small business networks and their assets, but evasion and gaps will always remain, making it difficult for MSPs to keep pace with attackers. In order to combat today’s adversary while implementing a defense-in-depth strategy, the MSP is tasked with several challenges:
Insight / Visibility – The MSP needs continuous monitoring of the three common attack vectors adversaries leverage to gain a foothold on the network. Any vector without a layer, presents a blind spot and the inevitable is destined.
Correllation – Whether it is the MSP technical staff or the SOC analyst, it is vital to be able to pivot off of layered threat data to determine the incident cause while remediating the threat. This includes the pivoting across vectors from cloud to network to endpoint
Remediation / Isolation – When an unfortunate incident does occur, the responsible party is required to apply the fix and depending upon the severity, needs the ability to isolate the device from spreading the threat to other devices.
Event Triage – This is the process of investigating suspicious and malicious threat data from layers of purpose-built apps and escalating them to an incident accompanied with a remedy.
We’ve highlighted three attack vectors requiring continuous monitoring, numerous non-disputable security layers, and challenges of defense-in-depth. As a managed service provider operator, the question is, does your SOC-as-a-Service implement layered security spanning the three common entry vectors into customer networks and how do you respond to these challenges a modern-day security operation center (SOC) addresses. To learn more about RocketCyber’s SOC-as-a-Service and how we address these challenges, schedule a meeting to speak with a RocketCyber security engineer today.