IT managers have been working to implement a procedure known as "Defense in Depth". However, companies using this model almost always seem to forget certain aspects of the attack vectors in their organizations. Below we share some of our recent findings and explain why defense in depth should not be how you protect your crown jewels. In short, even with a fully implemented design, there will still be trusted systems with exploitable vulnerabilities.
What is Defense in Depth?
In short, it is the practice of layering your security so that if a control fails, another control will protect your enterprise. The problem with this approach is that it only takes one failure of a defensive measure to compromise an entire system, even with a layered defense. Another common issue is that even with properly implemented defense in depth on IT, other commonly exploited vectors are not covered, such as employee-owned devices, social engineering vulnerabilities and improper procedures. The other issue with this process is that new vulnerabilities are found daily, and unless you have an automated way to cover these vulnerabilities proactively, they may have been exploited before the method becomes public.
The problem with security models - The Struggle
Back in 2016, we started looking for a security model that would cover all of the vulnerabilities being seen in real-world attacks. After looking at CDM, NIST and similar controls, we realized that all of them left certain vectors open, especially non-IT vectors, that could still be exploited by attackers. This finding is what spun off the Jigsaw Threat Mitigation Model, which is a protected process for implementing true security with a model that covers all of the vectors observed in the last 5 years.
Nearly every customer we audit has findings that they did not identify during their own internal auditing that we were able to exploit and demonstrate during our penetration testing. Call today to schedule a penetration test or company evaluation.
As you can see, we have implemented a method of protecting customers that goes above and beyond typical IT security-based models. Our model includes the human element, physical non-IT attacks and other items not covered by most security models. While we don't go into specifics about how Jigsaw Security implements this framework, we have provided a guide for MSSPs that allows them to get an idea of the scale and scope of what a real comprehensive security plan consists of.
Download our Guide Below
For More Information
If you have questions about how Jigsaw Security protects our customers and provides MSSPs with the tools to centrally manage clients, feel free to email us or chat using the chat feature on our website. There's a very good reason why we provide managed security to MSSPs: in short, it's because we have the most complete set of tools available in the market today.