Cisco Blogs

Detection in Depth


June 9, 2016 - 1 Comment

Defense in depth is a well-understood and widely implemented approach that can better secure your organization’s network. It works by placing multiple layers of defense throughout the network to create a series of overlapping and redundant defenses. If one layer fails, other defenses remain intact. However, a lesser-known yet equally important approach is the concept of detection in depth.

While defense has been and always will be a cornerstone of cybersecurity, your organization also needs the ability to detect and respond to attacks. That’s where detection in depth comes in, providing a similarly redundant, overlapping approach. Fortunately, most organizations today have an arsenal of security detection and response tools available that can accomplish this. The architecture of your network and how it relates to defense in depth means interoperability between your intrusion prevention and your flow monitoring tools, your advanced malware solution, and your domain reputation system.

Take IPS as an example: it may alert on an attack originating from, or directed at, your organization’s assets. When that alert is sent, an incident responder will typically query other sensor systems and available historical reputation data to better understand the attack and what steps, if any, to take. This is where detection in depth begins. Building on that example, if your organization has increased depth or capabilities with tools like DNS logging, host-based IPS logs, advanced malware solutions and NetFlow, the incident responder will have a much more accurate and complete understanding of the alert. Similar data from different tools or sources can then help confirm the activity, while different data may show new components of the attack that were not visible with the first source.

With detection in depth, it is important to understand that it is the quality of your data sources – not quantity – that drives better understanding. While four high-quality sources will always be better than one, three very high-fidelity sources can be much better than five poor ones. Equally important is the interoperability of your data. How these detection capabilities complement each other and work together is critical to the success of your investigations. The context that different sources can bring has to be automated. In our earlier example (an IPS alert), if the incident responder has ten different attack data sources available, the responder will log into one or two until they find some relevant data and then move on. This often leaves masses of data untouched. Merging those differing capabilities or sources and presenting them to the responder in a unified view reduces response time and helps eliminate guesswork, leaving no available stone unturned.

The Achilles heel of detection in depth is how to gather all the relevant sensor data, combine it, provide the needed context from historical attack data, and then provide consolidated alerts that contain as much as possible of the organizational understanding of the attack. To overcome this, you must have a foundational detection and response framework based on interoperability. One way to understand how mature your organization is with detection in depth is to look at how much effort your incident response team spends getting the data contextualized and compared. Is your process automated enough that they can spend all of their time working on the results? Or do they spend most of their time gathering data before they can even start?
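The following is an added example, not code from the original post: a sketch of the unified view described above, in which one IPS alert is automatically joined with DNS, NetFlow and domain-reputation records into a single consolidated record. All records, field names and addresses are constructed for illustration and follow no particular product's schema.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a product schema.
IPS_ALERT = {"ts": "2016-06-09T10:15:00", "src": "10.0.4.23",
             "dst": "203.0.113.50", "sig": "Suspicious outbound connection"}
DNS_LOG = [
    {"ts": "2016-06-09T10:14:58", "client": "10.0.4.23",
     "qname": "updates.example.net", "answer": "203.0.113.50"},
    {"ts": "2016-06-09T10:14:59", "client": "10.0.4.23",
     "qname": "cdn.example.org", "answer": "198.51.100.7"},
]
NETFLOW = [
    {"ts": "2016-06-09T10:15:01", "src": "10.0.4.23", "dst": "203.0.113.50", "bytes": 48211},
    {"ts": "2016-06-09T10:16:30", "src": "10.0.4.31", "dst": "203.0.113.50", "bytes": 5120},
    {"ts": "2016-06-09T03:00:00", "src": "10.0.4.40", "dst": "203.0.113.50", "bytes": 900},
]
REPUTATION = {"updates.example.net": "malicious", "cdn.example.org": "benign"}

def _near(ts, ref, window):
    """True when a record's timestamp falls within the window around the alert."""
    return abs(datetime.fromisoformat(ts) - ref) <= window

def enrich(alert, dns_log, netflow, reputation, window=timedelta(minutes=5)):
    """Merge every source's view of one IPS alert into a single record."""
    ref = datetime.fromisoformat(alert["ts"])
    # DNS: names the alerting host resolved to the alert's destination address.
    names = sorted({r["qname"] for r in dns_log
                    if r["client"] == alert["src"] and r["answer"] == alert["dst"]
                    and _near(r["ts"], ref, window)})
    # NetFlow: all flows to the same destination inside the time window.
    flows = [f for f in netflow
             if f["dst"] == alert["dst"] and _near(f["ts"], ref, window)]
    same_host = [f for f in flows if f["src"] == alert["src"]]
    return {
        "alert": alert,
        # Similar data from a different source confirms the activity.
        "confirmed_by": [s for s, hit in (("dns", names), ("netflow", same_host)) if hit],
        "domains": {n: reputation.get(n, "unknown") for n in names},
        "bytes_to_dst": sum(f["bytes"] for f in same_host),
        # Different data shows components the IPS alert alone did not.
        "other_internal_hosts": sorted({f["src"] for f in flows} - {alert["src"]}),
    }

if __name__ == "__main__":
    for key, value in enrich(IPS_ALERT, DNS_LOG, NETFLOW, REPUTATION).items():
        print(f"{key}: {value}")
```

An empty `confirmed_by` list tells the responder that no other source corroborates the alert, which is itself useful triage context.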

In cybersecurity, creating a series of overlapping and redundant defenses is critical to success. By adding a similarly constructed approach for detection and response throughout your network that unifies all available threat information, your organization can gain even more security and peace of mind.


1 Comment

  1. Thanks for the good article. That is the same problem I am experiencing in our SOC. Too many sensors and too many UIs cause us to spend too much time just finding out what the attack is going to do with our network; we still can't act fast, and time-to-detection & response is high.