2018 Sep 9:345–404. doi: 10.1007/978-3-319-95669-5_10

Table 10.2.

Examples of defense-in-depth protective measures

| Protective layer | Protective measure | Protective function |
|---|---|---|
| System Boundary or Perimeter | Firewall(s) | Block unauthorized information transfers and scan for malicious or prohibited content |
| | External Networking | Allow connections only to trusted addresses |
| | Demilitarized Zone (DMZ) | Isolate system resources from external access; provide address space for protective devices and tools |
| | Intrusion Detection System/Intrusion Prevention System (IDS/IPS) | Monitor external activity and log unapproved traffic; IPS blocks untrusted messages |
| | Encryption/Decryption in Boundary Protection Devices | Ensure sensitive ("red") content is converted to unreadable ("black") before release from a protected environment |
| | Data Loss Prevention (DLP) | Detect and block unauthorized efforts to extract ("exfiltrate") data |
| | Honeypot/Honeynet | Trap would-be attackers in a "sacrificial" server; gather data for attack analysis |
| | Anti-Virus/Anti-Malware | Detect/defeat malware at the system boundary |
| Network | Network-Based Intrusion Protection/Access Control | Monitor network traffic, detect suspicious or prohibited use, block unauthorized use |
| | Enclave Segregation with Firewalls | Provide customized protection for separate network enclaves |
| | Anti-Virus | Detect/defeat malware in network traffic |
| | Labeled/Protected Messaging | Restrict traffic to authorized participants; prevent/detect message corruption or tampering |
| | Message Integrity Checking | Detect tampering with network traffic |
| | Encryption | Eliminate unprotected data on the network |
| Endpoint | Operating System (OS) Lockdown/Hardening | Disable functions not required for system operation that may create vulnerabilities |
| | Host System Security (HSS) | Detect/prevent unauthorized or suspicious access attempts, malware, and other hostile actions |
| | User Accounts | Enforce access controls, user authentication, the principle of least privilege, etc. |
| | OS Control File Protection | Prevent unauthorized changes to controls |
| | Administrative Separation of Privileges | Restrict access to security controls and settings |
| | Firewalls/Intrusion Detection | Customize protection for endpoint devices |
| Application Software | Logging and Auditing | Detect suspicious/prohibited access to applications |
| | Software Testing and Trusted Software | Rigorously analyze and test software to preclude malicious code and other vulnerabilities; detect/prevent unauthorized modifications |
| | Specialized Firewall(s), e.g., Web Application and XML | Apply customized protection to applications |
| | Content Monitoring/Filtering | Detect suspicious or unauthorized processing |
| Data | Logging and Auditing | Detect suspicious or prohibited access to data |
| | Encryption of Data at Rest | Ensure that even theft or other physical compromise cannot yield sensitive data |
| | Data Loss Prevention (DLP) | Block unauthorized data access/exfiltration |
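The "Message Integrity Checking" and "Labeled/Protected Messaging" rows of the Network layer say only that tampering with traffic is to be detected. The following is an added example, not code from the chapter, showing the usual mechanism: an HMAC tag computed over a sequence number and the payload with a shared key. The receiver rejects frames whose tag does not verify (on-path modification, or a sender without the key) and frames whose sequence number it has already accepted (replay). The key, frame layout, message text and the `Receiver`/`protect`/`demo` names are all constructed for the illustration.

```python
"""Message integrity checking for network traffic (Network layer, Table 10.2):
an HMAC tag over a sequence number and payload lets the receiver detect
tampered frames and replayed frames. Added example; key, frame layout and
messages are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import struct

# Constructed 32-byte shared key. In a real deployment it comes from a key
# exchange or out-of-band provisioning, never from source code.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
SEQ_LEN = 8   # big-endian unsigned 64-bit sequence number
TAG_LEN = 32  # HMAC-SHA256 digest length


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a frame: seq || payload || HMAC-SHA256(key, seq || payload).

    The tag covers the sequence number, so moving a valid payload to a
    different sequence number also invalidates the tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies integrity and rejects any sequence number already accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen: set[int] = set()

    def accept(self, frame: bytes) -> tuple[str, bytes | None]:
        """Return ("ok", payload) or ("bad_tag" | "replay", None)."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "bad_tag", None
        header = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison: a byte-by-byte early exit would leak how
        # many tag bytes an attacker has guessed correctly.
        if not hmac.compare_digest(tag, expected):
            return "bad_tag", None
        seq = struct.unpack(">Q", header)[0]
        if seq in self.seen:
            return "replay", None
        self.seen.add(seq)
        return "ok", payload


def demo() -> dict[str, str]:
    """Run four frames through a fresh receiver and return each verdict."""
    rx = Receiver(SHARED_KEY)
    good = protect(SHARED_KEY, 1, b"transfer 100 to acct 42")

    # On-path attacker flips one bit in the amount ("100" -> "000") without
    # knowing the key; the tag no longer matches.
    tampered = bytearray(good)
    tampered[SEQ_LEN + 9] ^= 0x01
    tampered = bytes(tampered)

    # A sender holding a different key cannot produce a valid tag either.
    forged = protect(b"wrong-key", 2, b"transfer 100 to acct 42")

    return {
        "good": rx.accept(good)[0],
        "tampered": rx.accept(tampered)[0],
        "forged": rx.accept(forged)[0],
        "replay": rx.accept(good)[0],  # same frame delivered a second time
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>8}: {verdict}")
```

Integrity alone does not hide the payload; the "Encryption" row in the same layer covers confidentiality, and in practice both are obtained from one authenticated-encryption mode rather than from a separate MAC and cipher.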
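The Data Loss Prevention rows (Boundary and Data layers) describe the goal, detecting and blocking unauthorized exfiltration, but not how content is recognized. The following added example, not from the chapter, shows one content-level check: outbound records are scanned for payment card numbers, candidates are confirmed with the Luhn check so that ordinary 13-digit identifiers are not flagged, confirmed numbers are redacted before anything is logged, and transfers carrying card data to a destination not on an approved list are blocked. The sample records, the approved destination and the function names are constructed for the illustration.

```python
"""Content-level data loss prevention (DLP) for the Data layer of Table 10.2:
scan outbound records for payment card numbers (PANs), confirm candidates
with the Luhn check to cut false positives, redact them in the audit log, and
block transfers to destinations not approved to receive card data.
Added example; records, destinations and policy are constructed."""
from __future__ import annotations

import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run. No trailing separator is captured.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed policy: only the payment processor may receive raw PANs.
APPROVED_PAN_DESTINATIONS = {"payments.example.com"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str | None:
    """Strip separators; return the digits only if they pass the Luhn check."""
    digits = re.sub(r"[ -]", "", candidate)
    return digits if luhn_ok(digits) else None


def find_pans(text: str) -> list[str]:
    """Return the separator-free PANs confirmed in text."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group())
        if digits is not None:
            pans.append(digits)
    return pans


def redact(text: str) -> str:
    """Replace each confirmed PAN with a marker keeping only the last four digits."""
    def _sub(m: re.Match) -> str:
        digits = _normalise(m.group())
        return f"[PAN ****{digits[-4:]}]" if digits is not None else m.group()
    return PAN_CANDIDATE.sub(_sub, text)


def scan_outbound(record: dict) -> dict:
    """Decide allow/block for one outbound record and build a redacted log entry."""
    pans = find_pans(record["body"])
    blocked = bool(pans) and record["dst"] not in APPROVED_PAN_DESTINATIONS
    return {
        "dst": record["dst"],
        "decision": "block" if blocked else "allow",
        "pan_count": len(pans),
        "log": redact(record["body"]),  # never write raw PANs to the audit log
    }


# Constructed outbound records (not real traffic). The card numbers are the
# widely published Visa/Mastercard test numbers.
SAMPLE_RECORDS = [
    {"dst": "payments.example.com",
     "body": "charge card 4111 1111 1111 1111 exp 12/27"},
    {"dst": "pastebin.example.net",
     "body": "dump: 5555555555554444, 4111111111111111"},
    {"dst": "mail.example.org",
     "body": "ticket 1234567890123 escalated to tier 2"},
]


def run_samples() -> list[dict]:
    """Scan every sample record and return the decisions in order."""
    return [scan_outbound(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

A pattern match alone is not enough for a blocking control: the third record contains a 13-digit ticket number that the regex accepts and the Luhn check rejects, which is the difference between a usable DLP rule and one that operations will disable after a week of false positives.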