
The Importance of Defense in Depth & Comprehensive Testing

Build multiple layers of protection to help safeguard your data through Defense in Depth.

Cybersecurity Defense in Depth

Cybersecurity defense in depth is a critical strategy for protecting sensitive information and systems from increasingly sophisticated cyberthreats. This approach involves implementing multiple layers of security controls and measures, each designed to address different aspects of the cyber kill chain. By combining various defensive mechanisms, such as firewalls, intrusion detection systems, encryption, and user training, organizations can create a robust security posture that is more resilient to attacks.

Defense in depth is an essential cybersecurity strategy in the financial sector because it provides multiple layers of security controls to protect sensitive financial data, systems, and transactions. Given the high stakes of financial breaches, this layered approach reduces the risk of single points of failure and enhances resilience against cyber threats. Cybersecurity defense in depth is foundational to meeting the regulatory expectations of the Office of the Comptroller of the Currency (OCC), the Federal Reserve, and the Federal Deposit Insurance Corporation (FDIC). The strategy also aligns with the leading industry and regulatory frameworks: the Cyber Risk Institute (CRI) Profile, Federal Financial Institutions Examination Council (FFIEC) guidance, and National Institute of Standards and Technology (NIST) publications.

Defense in depth helps ensure that even if one layer is compromised, additional layers provide continued protection, reducing the likelihood of a successful breach. This comprehensive strategy not only safeguards valuable data, but also helps enhance overall trust and confidence in an organization’s ability to manage and mitigate cyber risks.

The National Institute of Standards and Technology (NIST) glossary, citing NISTIR 7622, defines defense in depth as:

“The application of multiple countermeasures in a layered or stepwise manner to achieve security objectives. The methodology involves layering heterogeneous security technologies in the common attack vectors to ensure that attacks missed by one technology are caught by another.”

Common Layers of Defense in Depth

Cybersecurity defense in depth is a multilayered approach to security that incorporates various components to help protect against a wide range of threats. The key components, as reflected in leading practice, are:

  • Physical Security: Protects the physical infrastructure, such as data centers and hardware, through measures like access controls, surveillance, and environmental controls.
  • Network Security: Involves securing the network infrastructure with firewalls, intrusion prevention systems (IPS), and segmented network architecture to help prevent unauthorized access and attacks.
  • Endpoint Security: Focuses on securing individual devices like computers and other managed assets using antivirus software, endpoint detection and response (EDR) tools, and active patch management.
  • Application Security: Helps ensure that software applications are secure throughout the software development lifecycle, using practices like code reviews, vulnerability assessments, and secure coding standards.
  • Data Security: Protects data at rest and in transit through encryption, access controls, and data loss prevention (DLP) solutions to help ensure confidentiality, integrity, and availability.
  • Identity and Access Management (IAM): Manages user identities and their access to resources through authentication, authorization, and accounting (AAA) mechanisms, including multi-factor authentication (MFA), role-based access control (RBAC), and auditable logging.
  • Security Awareness Training: Educates employees about security best practices, organizational security policies, and role-specific social engineering threats.
  • Incident Response: Involves preparing for, detecting, and responding to security incidents through incident response plans, forensic analysis, and continuous monitoring.
  • Policy and Governance: Establishes security policies, standards, and procedures to help ensure compliance with regulatory requirements and guide the overall security strategy.

By integrating these components, organizations can create a comprehensive and resilient defense strategy that helps mitigate risks and enhance their overall security posture.

Examples of Defense in Depth Tactics

It is critical to understand that no single cybersecurity solution or technology is a silver bullet; a comprehensive cybersecurity strategy implements defense in depth with multiple technology solutions, each covering gaps the others leave. These technology solutions and tactics may include the following:

  • Multi-factor authentication (MFA): Requires at least two different authentication factors (something the user knows, something the user has, and/or something the user is) to verify a user’s identity, so a stolen password alone is not enough.
  • Network segmentation: Limit exposure between internal systems, data, and users.
  • Behavioral analysis: Compare ongoing traffic behavior to pre-defined baselines to identify anomalies.
  • Patch management: Track and apply updates to operating systems, software, and hardware.
  • Intrusion detection and prevention systems (IDS/IPS): Use tools to detect malicious network traffic and alert on it (IDS) or block it inline (IPS).
  • User awareness/training: Frequently train employees and evaluate threats on a per-role basis.
  • Backup and restoration strategy: Maintain secure copies of operational data and systems, and test copies to help ensure completeness and reliability.
  • Endpoint/Extended/Managed Detection and Response (EDR/XDR/MDR): Logging and active monitoring of events throughout each managed system on the network.
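The “behavioral analysis” tactic above is the one most often described loosely, so here is an added, concrete illustration of it (example code written for this page, not a Forvis Mazars tool or product). It builds a per-host baseline from a week of constructed NetFlow-style records (daily egress volume and the set of destination ports seen), then scores a new day against that baseline. The records, host names, the 3-sigma volume threshold, and the “new destination port” rule are all assumptions a real deployment would replace with its own telemetry and tuning.

```python
"""Baseline-versus-anomaly check over constructed flow records.

Added illustration of the behavioral analysis tactic; not code from
Forvis Mazars or any product. All flow data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    host: str       # internal source host
    dst_port: int   # destination port contacted
    egress: int     # bytes sent out of the segment


def day(host, *pairs):
    """Build one day's flows for a host from (dst_port, egress_bytes) pairs."""
    return [Flow(host, port, egress) for port, egress in pairs]


# Constructed seven-day history: host -> list of days -> list of flows.
# wks-01 only ever talks HTTPS; wks-02 talks HTTPS and DNS.
HISTORY = {
    "wks-01": [day("wks-01", (443, 5_000)), day("wks-01", (443, 5_200)),
               day("wks-01", (443, 4_800)), day("wks-01", (443, 5_100)),
               day("wks-01", (443, 4_900)), day("wks-01", (443, 5_300)),
               day("wks-01", (443, 5_000))],
    "wks-02": [day("wks-02", (443, 900), (53, 100)), day("wks-02", (443, 1_000), (53, 100)),
               day("wks-02", (443, 800), (53, 100)), day("wks-02", (443, 900), (53, 100)),
               day("wks-02", (443, 950), (53, 100)), day("wks-02", (443, 850), (53, 100)),
               day("wks-02", (443, 900), (53, 100))],
}

# Constructed "today": wks-01 suddenly pushes 80 KB to an unusual port,
# wks-02 looks normal, and wks-99 has never been profiled at all.
TODAY = (day("wks-01", (443, 5_100), (4444, 80_000))
         + day("wks-02", (443, 1_000), (53, 40))
         + day("wks-99", (443, 2_000)))


def build_baseline(history):
    """Per host: mean and std-dev of daily egress, plus the set of ports seen."""
    profile = {}
    for host, days in history.items():
        daily_totals = [sum(f.egress for f in one_day) for one_day in days]
        ports_seen = {f.dst_port for one_day in days for f in one_day}
        profile[host] = {
            "mu": mean(daily_totals),
            "sigma": pstdev(daily_totals),
            "ports": ports_seen,
        }
    return profile


def detect(profile, flows, z_threshold=3.0):
    """Return alert strings for hosts whose day deviates from their baseline."""
    alerts = []
    by_host = defaultdict(list)
    for f in flows:
        by_host[f.host].append(f)

    for host, host_flows in by_host.items():
        base = profile.get(host)
        if base is None:
            # No baseline is itself a finding: an unmanaged or newly appeared asset.
            alerts.append(f"{host}: no baseline (unmanaged or new asset)")
            continue

        total = sum(f.egress for f in host_flows)
        sigma = base["sigma"] or 1.0     # flat baseline: avoid division by zero
        z = (total - base["mu"]) / sigma
        if z >= z_threshold:
            alerts.append(f"{host}: egress {total} bytes is {z:.1f} sigma above "
                          f"baseline mean {base['mu']:.0f}")

        new_ports = {f.dst_port for f in host_flows} - base["ports"]
        if new_ports:
            alerts.append(f"{host}: new destination ports {sorted(new_ports)}")
    return alerts


def run_example():
    """Score the constructed day against the constructed history."""
    return detect(build_baseline(HISTORY), TODAY)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Two design points carry over to real deployments: the volume rule and the new-port rule are independent signals, so a slow exfiltration that stays under the volume threshold is still caught by the port it uses (and vice versa), which is the layering the tactic list is about; and a host with no baseline is reported rather than silently skipped, because “not in the inventory” is exactly where attackers hide. In practice the baseline window is rolled forward daily and the thresholds are tuned against false-positive volume.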

Cybersecurity – Financial Services Regulatory Focus & Scrutiny

The Office of the Comptroller of the Currency (OCC) and the Federal Reserve have placed significant emphasis on cybersecurity to help ensure the stability and security of the financial system. Their regulatory focus includes establishing stringent cybersecurity standards and guidelines for financial institutions to protect against cyberthreats. These regulations require banks to implement robust cybersecurity frameworks, conduct regular risk assessments, and help ensure effective incident response plans are in place.

The OCC and Federal Reserve also emphasize the importance of continuous monitoring, threat intelligence sharing, and employee training to enhance cyber resilience. By enforcing these measures, they aim to safeguard sensitive financial data, maintain public trust, and prevent disruptions to the financial sector caused by cyberattacks.

Here are some key cybersecurity regulations and guidelines issued by the OCC and the Federal Reserve:

  1. OCC Guidelines:
    • OCC Bulletin 2013-29: Provides guidance on third-party risk management, emphasizing the need for robust cybersecurity practices when dealing with third-party service providers.
    • OCC Bulletin 2015-31: Introduced the FFIEC Cybersecurity Assessment Tool (CAT) and encouraged banks to use it to evaluate their cybersecurity preparedness. The FFIEC has since announced that the CAT will sunset on August 31, 2025, pointing institutions to industry-developed alternatives such as the Cyber Risk Institute (CRI) Profile. “Supervised financial institutions may also consider use of industry developed resources, such as [CRI], and the Center for Internet Security Critical Security Controls … While the FFIEC does not endorse any particular tool, these standardized tools can assist financial institutions in their self-assessment activities,” the statement said.
    • OCC Bulletin 2020-10: Joint statement on heightened cybersecurity risk, reminding banks to maintain sound risk management practices, including response and resilience capabilities, strong authentication, and secure system configuration.
  2. Federal Reserve Guidelines:
    • SR 20-3/CA 20-2: Encourages financial institutions to adopt the Cyber Risk Institute (CRI) Profile to assess their cybersecurity maturity and identify areas for improvement.
    • SR 15-9/CA 15-8: Provides guidance on enhancing the resilience of large and complex financial institutions to cyberattacks, including recommendations for incident response, threat intelligence, and cybersecurity governance.
    • Federal Reserve’s Cybersecurity Supervision Program: Focuses on evaluating the cybersecurity practices of supervised institutions, including their ability to detect, respond to, and recover from cyber incidents.

These regulations and guidelines aim to strengthen the cybersecurity posture of financial institutions, helping ensure they can effectively manage and mitigate cyber risks.

Comprehensive & Continuous Testing

Organizations must prioritize comprehensive and continuous testing to stay in front of an ever-evolving cyber landscape. Comprehensive testing helps ensure that each phase within a security program is scrutinized, and deficiencies are identified before an attacker exploits them. Continuous testing provides actionable insights to inform security decisions, helping ensure that a security program remains effective and responsive to emerging industry threats.

  • Ransomware Assessment: Evaluates the effectiveness of controls against common ransomware tactics and techniques.
  • Tabletop Exercise: Simulates a security incident to assess organizational response and provide corrective action recommendations.
  • Penetration Test: Tests external, internal, and web assets against modern attack techniques and industry threats.
  • Physical and Social End-User Awareness: Assesses the effectiveness of security training against in-person and technology-driven attacks.
  • Managed Security Service Provider: Provides 24/7 monitoring and management of network events to help detect and mitigate threats in real time.
  • Benchmark Assessment: Compares system baselines to industry best practices for security posture improvement.

If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.

Register for our upcoming webinar:

Defense in Depth – Financial Services Regulatory Pressures
