Last year, Gartner forecast that worldwide spending on security and risk management would soon exceed $150 billion, a year-on-year increase of more than 12%. A great deal of this increased focus on security spending is down to the emerging challenges organizations are now facing, from distributed working to broadening attack surfaces. Traditional security architecture consists of controls designed to detect and remedy breaches, with some organizations even going one step further by adding directive controls such as policies that govern certain procedures. This approach to security infrastructure has been the status quo for years, but the cybersecurity landscape isn’t known for standing still.
Today’s risk factors and threats demand a more holistic approach to security, one that aligns its practices with business objectives to create a new culture of security within an organization. That’s where Enterprise Architecture (EA) comes in, with countless reports touting its benefits over a more traditional piecemeal approach. In our latest Cyber Threat Briefing, SureCloud’s Risk Advisory Senior Director, Craig Moores, and Senior Consultant, Hugh Raynor, discussed the vital role that enterprise security architecture is now playing in our efforts to combat security threats.
Craig and Hugh began their discussion by talking about defense in depth (DiD) modeling and how it has informed some of the thinking behind creating a robust security architecture. Defense in depth is an approach to security that involves layering defensive mechanisms on top of one another to safeguard sensitive data or reinforce potential weak spots. It’s not enough for today’s organizations to simply focus on one set of controls or one “layer” when it comes to safeguarding their environments.
One of the mistakes organizations often make is that they invest heavily in a single control set and then rely on it to keep them secure. For instance, when trying to protect a web application from a common attack like SQL injection, an organization might invest heavily in input sanitization and filtering to ensure no malicious code gets through. But what if that control fails? An organization would need to consider a secondary control, such as a web application firewall, that can catch malicious activity that slips through the net. And on it goes, through the security chain.
Defense in depth modeling works because it puts organizations in the mind of the attacker. If an attacker hits one roadblock, they’re unlikely to give up. They’ll try another method or point of entry, so it’s important that organizations layer their security with this in mind. It’s this kind of thinking that is one of the cornerstones of enterprise security architecture.
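The SQL injection scenario above, as an added example that is not from the briefing: the same lookup is run with the input filter as the only control and then with a second control of a different kind behind it, while the filter is simulated as failed. The briefing names a web application firewall as the secondary control; this sketch substitutes a parameterized query so that it runs in-process, and the table, sample data and function names are hypothetical.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

# Layer 1: allow-list input validation (the "input sanitization" control).
NAME_OK = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate(name):
    return NAME_OK.fullmatch(name) is not None

def lookup_single_layer(db, name, filter_working=True):
    """Relies on the input filter alone; the query is built by concatenation."""
    if filter_working and not validate(name):
        return "blocked:filter", []
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return "executed", db.execute(sql).fetchall()

def lookup_layered(db, name, filter_working=True):
    """Same filter, plus a second control of a different kind: bound parameters."""
    if filter_working and not validate(name):
        return "blocked:filter", []
    sql = "SELECT email FROM users WHERE name = ?"
    return "executed", db.execute(sql, (name,)).fetchall()

def demo():
    db = make_db()
    hostile = "x' OR '1'='1"  # textbook injection string, constructed input
    return {
        "single_filter_ok": lookup_single_layer(db, hostile),
        "single_filter_failed": lookup_single_layer(db, hostile, filter_working=False),
        "layered_filter_failed": lookup_layered(db, hostile, filter_working=False),
        "layered_legitimate": lookup_layered(db, "alice"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The status string returned with each result records which layer stopped the request, which is the signal a monitoring pipeline would need to notice that the first control has stopped working.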
Too many organizations today take a control-first approach when designing their security architecture, when in fact taking a threat-centric approach will yield better results. Of course, budgets and resources can only be stretched so far, and businesses can’t possibly know what cyberthreat trends are around the corner, but what they can do is tailor their risk management approach in line with what they think an attacker is likely to target and choose appropriate risk mitigations.
It’s best not to depend on a single control or platform that seems to tick every box, but instead take an iterative approach to control development that reflects an organization’s gathered intelligence as well as its own pace of growth. This is another example of how security and business objectives can link and evolve together, which is core to the design and implementation of modern security architectures. Whether organizations are looking to protect a small online environment or safeguard a widespread corporate network, the same principles of learning and scaling apply.
Let’s say we’re trying to secure a house. Traditionally, you might have been content with putting a padlock on the door. If you were particularly concerned about the front door as a point of entry, you might put two, three, four or even five of the same brand padlocks on the door to make sure it was completely secure. But once a threat actor has learned to pick that lock, adding more padlocks isn’t going to help. Sure, it might slow them down, but there’s nothing materially different about the security, whether you have one padlock or ten. What defense in depth does is think more carefully about using different locks. We might have a padlock on the outside, and then one from a completely different manufacturer on the inside that’s more difficult to pick. If typical locks become easy for attackers to circumvent, we might add something more advanced like a fingerprint scanner or facial recognition software.
In other words, security controls need to evolve as a business expands, learns and fends off more attacks. Over time, the business will gather intelligence on what works, what doesn’t, where attackers are likely to strike and what methods they’re likely to use, and it can then adjust its security architecture accordingly.
For these layered controls to be effective, and to decide what the next layer should be, monitoring and testing are critical components of enterprise security architecture. Of course, it’s impossible to manually test every control across an entire enterprise, but that’s where threat modeling and threat intelligence come into play. Organizations should first identify the crown jewels of their business and focus all of their manual testing efforts there. From this, testing of all other controls can be largely automated. That testing should also be designed as part of an overall plan for enterprise security. Security architectures might have some level of automation, but they cannot run themselves, or keep themselves relevant. Things like configuration management and change management, for instance, still require human input.
Toward the end of the session, a question came in from one of the viewers regarding cost. Often, security isn’t seen as a driver of revenue or something that has an inherent return on investment – at least not in a conventional, measurable way. However, by taking an enterprise architecture approach that aligns security more closely with business interests and objectives, an organization can turn aspects of security, such as monitoring and testing, into huge drivers of value. Every failed control or attempted breach can be regarded as a learning opportunity, informing future action in a way that can prevent security architecture development from feeling like a sunk cost.