Guides

RASP: The Missing Piece in Cyber Defence-In-Depth


Cybersecurity is a challenging profession due to the constant struggle between cyber defenders and hackers. A cyber defender is constantly trying to develop means of detecting and protecting against new attack vectors, and hackers are always looking for means to overcome these protections.

It’s inevitable that, sometimes, cybersecurity defences will fail. Hackers are inventive and will inevitably find a way to sneak past an organisation's defences. The goal of the cyber defender is to minimise the impact of these events.

One way of accomplishing this is by implementing defence-in-depth, in order to minimise an organisation's reliance on any one set of cyber defences. While perimeter-based defences can be effective at protecting against most attacks, the ones that slip through can be devastating.

While many organisations implement defence-in-depth for their sensitive data, using data security solutions, the same may not be true for applications. Vulnerable internal applications can be exploited by an attacker with access to the protected network, making runtime application self-protection (RASP) an important missing piece of cyber defence-in-depth.

What is Defence-in-depth?

Defence-in-depth is a term that originally came from traditional warfare. It refers to the observation that a single layer of defence can be easily compromised by an attacker who manages to bypass or overcome that one line.

A good way to think about defence-in-depth is in the context of the defences of a medieval castle. If you’re attacking a castle, the defenders have a significant advantage since they are not reliant on any one line of defence.

At a minimum, an attacker will have to overcome a cleared field designed to kill charging attackers with ranged weapons (arrows, muskets, etc.), a moat, a drawbridge, a castle wall, a keep, and towers. When one defensive position is on the verge of being overcome, the defenders can fall back to the next one. As a result, it’s extremely difficult to take a castle by force.

The same concept applies to cybersecurity defences as well. Many organisations take a perimeter-focused approach to security, where all of the network defences are located in one layer (typically at the network firewall).

If an attacker can penetrate that first line of defence, the organisation may not have the ability to monitor or prevent attacks within their protected network.

Why You Need Defence-in-depth

The concept of perimeter defences seems to work logically since the goal of the defences is to keep the attacker on the outside. As long as the defences are successful, the organisation is not threatened by the attacker.

However, perimeter-based defences can be overcome in a variety of ways. One option is finding a hole in them. A well-designed phishing email or an attacker that exploits a zero-day vulnerability can slip past the defences and reach the defenceless internal network.

Other attacks are designed to bypass the perimeter defences entirely. Most organisations assume that anyone connected directly to the internal network can be trusted. However, this assumption can be defeated by a malicious insider, or by tricking an employee into plugging infected removable media (like a USB drive) into their computer.

A newer technique, known as warshipping, involves an attacker mailing hardware to a company that can then be used to exploit its network from the inside. These devices can even be concealed in the cardboard of a shipping box, making them difficult to detect even for a paranoid security team.

With any of these attack vectors, the hacker is already inside the network and behind the firewall or other perimeter-based protections installed on an organisation's network.

If an organisation hasn’t implemented defence-in-depth, this may allow the attacker to search the network for vulnerable software and sensitive data and exploit it with impunity.

RASP: The Final Defensive Layer

The main problem with defence-in-depth is that it can be expensive, both in time and manpower, to monitor every aspect of an organisation's internal network. However, an organisation that relies solely on perimeter defences to protect its data and internal applications, and does not monitor what happens inside, may be left vulnerable to attack.

Protection of sensitive data against unauthorised access and exfiltration is a problem that is well-known and well addressed. If an organisation has deployed an effective data security solution, it should be capable of identifying any stores of sensitive data and monitoring access to them. Any access by an unauthorised party can be swiftly detected and blocked.

But what about “authorised” access to data? If an internal application, which may be out of scope for a traditional penetration test or vulnerability scan, is vulnerable to attack, a hacker with access to the internal network may be able to compromise it.

This is where runtime application self-protection (RASP) becomes a valuable addition to an organisation's defence-in-depth strategy. RASP is designed to provide customised protection for an application by wrapping around it and monitoring its inputs, outputs, and behaviour.

Anything outside of the ordinary will cause the RASP solution to raise an alert or even take action to block the potential attack.

The design of RASP systems allows them to detect even zero-day attacks against protected applications based on behavioural analysis, and their ability to be implemented as a wrapper makes them easy to deploy even for existing applications.
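To make the "wrapper that monitors inputs and behaviour" idea concrete, here is an added illustration in Python; it is not code from the original article, nor from any RASP product. It wraps the database cursor of a legacy internal application, learns the structural shape of the SQL statements the application normally issues (literals stripped), and then alerts on or blocks any statement whose shape was never seen. Because no signature of a known attack is involved, a never-before-seen input that alters the statement's structure is still caught. The `Rasp`, `RaspCursor` and `BlockedByRasp` names, the `sqlite3` back end, the sample users table and the malformed input are all constructed for this example; commercial RASP agents hook far more than one sink and instrument the runtime much more deeply.

```python
"""Toy runtime application self-protection (RASP) wrapper for sqlite3.

Added illustration: the wrapper sits between a legacy application and its
database, learns the structural shape of the SQL the application normally
issues, and then alerts on (or blocks) statements whose shape was never
seen. No signatures of known attacks are used, which is what lets the
approach catch inputs it has never encountered before.
"""
import re
import sqlite3

# String literals, numbers, identifiers/keywords, single punctuation chars.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|[^\s\w]")


def sql_shape(sql: str) -> str:
    """Collapse literals to placeholders and upper-case everything else,
    so statements that differ only in their data share one shape."""
    out = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'"):
            out.append("STR")
        elif tok[0].isdigit():
            out.append("NUM")
        else:
            out.append(tok.upper())
    return " ".join(out)


class BlockedByRasp(Exception):
    """Raised in 'block' mode when a statement does not match the baseline."""


class Rasp:
    """Holds the learned baseline and the alert log shared by all cursors."""

    def __init__(self):
        self.baseline = set()   # statement shapes observed during learning
        self.alerts = []        # (action, shape) tuples for anything abnormal

    def wrap(self, cursor, mode="monitor"):
        assert mode in ("learn", "monitor", "block")
        return RaspCursor(cursor, self, mode)


class RaspCursor:
    """Drop-in replacement for the cursor the application already uses."""

    def __init__(self, inner, rasp, mode):
        self._inner, self._rasp, self._mode = inner, rasp, mode

    def execute(self, sql, params=()):
        shape = sql_shape(sql)
        if shape not in self._rasp.baseline:
            if self._mode == "learn":
                self._rasp.baseline.add(shape)             # trusted traffic defines normal
            elif self._mode == "monitor":
                self._rasp.alerts.append(("alert", shape))  # log it, but let it run
            else:
                self._rasp.alerts.append(("blocked", shape))
                raise BlockedByRasp(f"statement shape not in baseline: {shape}")
        return self._inner.execute(sql, params)

    def fetchall(self):
        return self._inner.fetchall()


def lookup_user(cur, username):
    """Legacy internal app code (constructed): builds SQL by string formatting,
    the kind of flaw an out-of-scope internal application may still carry."""
    cur.execute(f"SELECT id, role FROM users WHERE name = '{username}'")
    return cur.fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])  # constructed data
    rasp = Rasp()

    # Phase 1: learn from known-good traffic (e.g. a test suite or a soak period).
    cur = rasp.wrap(conn.cursor(), mode="learn")
    lookup_user(cur, "alice")
    lookup_user(cur, "bob")

    # Phase 2: enforce. Ordinary requests pass; a constructed input that changes
    # the statement's structure is refused before it ever reaches the database.
    cur = rasp.wrap(conn.cursor(), mode="block")
    normal = lookup_user(cur, "bob")
    try:
        lookup_user(cur, "x' OR '1'='1")
        blocked = False
    except BlockedByRasp:
        blocked = True
    return {"baseline": sorted(rasp.baseline), "normal": normal,
            "blocked": blocked, "alerts": rasp.alerts}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` first establishes one baseline shape (`... WHERE NAME = STR`), lets the ordinary lookup for `bob` through, and then refuses the malformed input, whose shape ends in `STR OR STR = STR`. The same wrapper in `monitor` mode would have logged the anomaly and let the statement run, which is how a baseline is validated before blocking is switched on for a production application.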

The combination of a strong data security solution and RASP-based protections allows an organisation to easily implement defence-in-depth for its most valuable resources: sensitive data and the applications that use it.
