Cyber Basics: Layered Cyber Defenses

September 19, 2016 | Cybersecurity Readiness

For 21st century companies it is virtually impossible to conduct business without connecting private enterprise networks to the public internet. Such connectivity allows information to be shared quickly and cheaply, particularly for the conduct of commerce. However, it has also created a new status quo rendering anyone with an internet connection vulnerable to cyberattack. Safeguarding data has never been more important. Determining how best to do so, however, is a conundrum that still plagues many boardroom executives.

Cutting through the bewildering haze that often surrounds discussions of proper cybersecurity preparedness, the simple answer is to use a layered defense.

There was once a time when a decent firewall and antivirus software were enough to protect a company’s data. The firewall kept out unwanted things like unauthorized viewers and malware, and the antivirus took care of anything that happened to slip through. With this winning combination then, why would anything else be needed?

The truth is that firewalls and antiviruses are pretty “dumb” programs. Both essentially perform the same basic task of finding matches between signatures on the files they scan and those on a predetermined list. The firewall therefore acts like a bouncer at a nightclub, allowing only certain kinds of people (web traffic) to enter. The antivirus acts as a security guard inside the club searching for people on the banned list who have managed to slip by the bouncer.

There are a few glaring problems with this setup. While a firewall can control what type of traffic enters a network port, it cannot scan the data inside encrypted files. Lots of web traffic, like the exchanges between banks or retailers and their customers, is secured with encryption. Hackers therefore often attempt to conceal malware inside this seemingly legitimate web traffic.

Firewalls and antiviruses are only capable of searching for known threats. In an era when hackers are growing in number and sophistication, new threats are proliferating exponentially. Waiting for software developers to write new code to patch these holes or forgetting to install the latest critical update leaves a company unnecessarily exposed to a potential security breach.

A final flaw of the traditional two-pronged defense is that, like all defenses, neither is one hundred percent effective. Both systems are as vulnerable to zero-day attacks as they are to unknown threats (zero-days are holes in software unknown to the manufacturer that are exploited by hackers to bypass security settings).

The virtue of a layered, next-generation cyber defense is that it takes all of these vulnerabilities into account. Ideally, such a defense would entail the use of intrusion prevention and detection systems (IPS/IDS) in addition to firewall and antivirus software.

IPS software acts as a more selective secondary firewall, the security check in the nightclub. Here, just as guests waved in by the bouncer are searched for hidden weapons and have their identification checked, web traffic allowed past the firewall is scanned by the IPS. Deep packet inspection allows the program to look for concealed malware inside even encrypted data. Credential checks ensure that those entering have authorized usernames and passwords. Any suspicious activity detected by the IPS can be immediately shut out of the network.

The IDS concerns itself with the behavior of the web traffic that has been allowed into the network. Just as a club’s staff search for suspicious activity among their guests, the IDS looks for activity that is either unwanted or unusual. This includes very sophisticated malware, exfiltration of large quantities of data, and company employees accessing files they are not authorized to view. In any case, once a suspicious activity is identified, the IDS immediately triggers an alarm alerting the system administrator.

Unlike traditional firewalls and antiviruses, cutting-edge IPS/IDS software is capable of performing both signature-based searches and undirected, behavior-based searches. By making records of the regular behavior of web traffic entering and passing through a network, the IPS and IDS can perform statistical analyses to pinpoint anomalous (i.e., suspicious) activity on any given day. Administrators therefore do not necessarily need to tell them beforehand what threats to look for, and they are capable of offering nimble responses to even the newest and most sophisticated cyber threats.
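As an added example (not part of the original post), here is a minimal Python sketch of the two detection styles the post contrasts: an exact-match signature check like a firewall or antivirus block list, and a per-host statistical baseline that flags an exfiltration-sized jump in daily egress volume without anyone having told it what to look for. The host addresses, byte counts and hash block list are all constructed for illustration.

```python
import statistics

# Constructed sample data: daily outbound bytes per internal host over a
# seven-day baseline window, then one new day to evaluate.
BASELINE = {
    "10.0.1.15": [210_000, 240_000, 195_000, 230_000, 220_000, 205_000, 225_000],
    "10.0.1.22": [1_900_000, 2_100_000, 2_050_000, 1_980_000, 2_200_000, 2_010_000, 2_120_000],
}
TODAY = {"10.0.1.15": 9_800_000, "10.0.1.22": 2_150_000, "10.0.1.99": 50_000}

# Hypothetical signature list standing in for a firewall/antivirus block list.
KNOWN_BAD_HASHES = {"deadbeef00"}


def signature_check(observed_hashes, blocklist=KNOWN_BAD_HASHES):
    """Signature-based detection: only exact matches against a predetermined
    list are caught, so anything not on the list passes silently."""
    return sorted(h for h in observed_hashes if h in blocklist)


def build_profile(history):
    """Record each host's normal behavior as (mean, std dev) of daily egress.
    Hosts with fewer than two days of history get no profile."""
    return {
        host: (statistics.mean(days), statistics.pstdev(days))
        for host, days in history.items()
        if len(days) >= 2
    }


def anomaly_check(today, profile, z_threshold=3.0):
    """Behavior-based detection: flag hosts whose egress deviates from their
    own baseline by more than z_threshold standard deviations. Hosts with no
    baseline are returned separately, since they cannot be scored yet."""
    alerts, unprofiled = [], []
    for host, volume in today.items():
        if host not in profile:
            unprofiled.append(host)
            continue
        mean, sd = profile[host]
        if sd == 0:
            # Perfectly constant history: any change at all is a deviation.
            z = float("inf") if volume != mean else 0.0
        else:
            z = (volume - mean) / sd
        if z > z_threshold:
            alerts.append((host, round(z, 1)))
    return alerts, unprofiled


if __name__ == "__main__":
    print(anomaly_check(TODAY, build_profile(BASELINE)))
```

The unprofiled host is the practical gap in anomaly detection: until a host has history, the IDS has nothing to compare against, which is why new systems need a default policy rather than silence.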

A company committed to building a truly secure network would take security even deeper, adding redundancy and segmentation to its strategy. A private network can be divided into multiple internal networks, each guarded by its own internal firewall and IPS/IDS systems. These would be like the VIP sections or staff-only areas in the nightclub, each guarded by its own bouncer or guard. To keep track of all the observations of his various security staff and cameras, the nightclub manager would have all that data streamed into one central security office—the equivalent of the security information and event management (SIEM) software of a network.

A layered network defense, incorporating IPS and IDS software, offers immeasurably better odds of thwarting data breaches than the traditional firewall and antivirus pairing. If implemented as part of a long-term comprehensive cybersecurity strategy, it could be the key to safeguarding valuable company data from even the most determined hackers. This last point is key: ultimately, defensive cybersecurity software, no matter how sophisticated it becomes, will only work if it is seamlessly integrated with the right hardware, regularly tested for flaws, and used by employees trained to understand the importance of safeguarding their credentials.


*Note: There are myriad types of IPS and IDS, and there is even joint IPDS software. Many are passive systems that work solely through signature-based detection. This blog and infographic refer to statistical anomaly-based, or active, IDS.