E-BOOK
LAYERED CYBERSECURITY:
A TACTICAL GUIDE
Building Protection that’s Comprehensive,
Complementary and Cost-effective
�Executive Introduction
While many organizations understand the basics of layered security,
our new hyper-distributed IT reality—where everyone is remote,
everyone is mobile, and everyone is less secure—requires us to revisit
and refine this best practice.
The notion of layered security isn’t new. But with companies needing to
mobilize for the new business normal amid threats that are increasingly To help, SonicWall has prepared a layered approach to meet the needs of
sophisticated, more varied and more frequent, layered cybersecurity your boundless workforce while keeping your business objectives a priority.
has never been more relevant.
While there are different schools of thought on which layers are the most
The idea behind layered cybersecurity is simple: The more obstacles important (e.g., logical, most critical, easiest to implement, etc.) this guide
you place in front of an attacker, the better your chances are to offers a top-down look at the vulnerabilities you should mitigate first.
identify and stop the attack before your network, data or business
It should also be stated that a modern layered security strategy
are compromised.
should be grounded and managed in a unified, harmonized and
un-siloed environment.
“This is what layered security is all
about: understanding how the bad guys
are attacking us. This is a battlefield and
they’re charting it out.”
Bill Conner
President & CEO
SonicWall
2
� COMBATS: SO CIAL ENG INEERING | PHISHING
LAYER 1
Security Awareness
You’ve purchased a full complement of the latest and greatest
cybersecurity solutions, hired the best cybersecurity team, and
patched every vulnerability you could find. On paper, your security
posture looks great—until an attacker convinces one of your employees
that they’re with IT and talks them into giving up their credentials.
Phishing and other social engineering tactics have a long, successful
track record—and the current pace of change in the business world
is giving them an even bigger advantage. With an unprecedented
number of remote employees using more devices than ever, vulnerable
to more attacks than ever, it’s never been more crucial to educate
employees about the dangers of attacks that exploit human behavior
and curiosity. It will require a top-down culture shift driven by the
C-Suite—but when done correctly, Security Awareness initiatives can
successfully mitigate the biggest security risk in any organization.
Security Awareness should include:
• Frequent, consistent and ever-evolving employee cybersecurity education
• Routine but unannounced penetration testing, particularly for phishing,
downloads and telephone exploits
• Understanding and complying with established procedures, which could
include everything from sites to avoid or which sanctioned apps or
services to use.
• Tiered ramification for non-compliance
• Using established best practices and training in the real world
(eg., social media)
3
� COMBATS: UNAU THORIZED ACCESS
LAYER 2
Strong Authentication
You have your front door (or wall in this case) in place, but you still
need to look through the peep hole to see who you can let in. It’s
a labored metaphor, but the premise has been around as long as
mankind has been building walls, doors and moats.
This is the role of identity and access management (IAM), which is a
wide-ranging area of information technology that classifies processes
and controls to confirm only appropriate — and vetted — users have
secure access to your networks, services and data.
Luckily, most end users are familiar with two-factor authentication
(2FA) or multifactor authentication (MFA), so adoption shouldn’t be
too difficult if deployed properly and with consistent communication.
4
� COMBATS: PHISHING | BUSINE SS EMAIL COMPROMISE (BEC) | ACCOUNT TAK EOVER ( ATO)
LAYER 3
Email Security
One of the truths of email-borne threats is that attackers are quick
to respond to mega-trends. The work-from-home rush along with the
terrible COVID-19 pandemic are just the latest examples that makes
email the top attack vector by far for hackers. Sadly, these will not be
the last.
Moreover, government regulations now hold your business
accountable for protecting privacy data, ensuring it is not leaked and
ensuring the secure exchange of email containing sensitive customer
data or confidential information.
Thankfully, a range of advanced email protection options are available,
including on-premise appliances to cloud-native services.
Regardless of the deployment strategy, organizations must use
a layered security solution that goes beyond anti-spam and anti-
malware. A sound secure email solution should include dedicated,
advanced-threat protection capabilities, and protect against targeted
phishing with malicious attachments and URLs, business email
compromise (BEC), as well as impostor-based attacks.
5
� COMBATS: DE VICE COMPROMISE | MALWARE
LAYER 4 Security would be much easier if organizations only had to maintain
oversite of a controlled, defined environment. But users and devices
Mobile & Remote
move in and out of networks — and it’s the organization’s responsibility
to ensure mobile workers have secure access when they leave the
Access Security
network perimeter.
With SonicWall SMA, organizations can provide a field-proven and
secure remote access solution that boosts productivity, supports
mobility, and enforces compliance through proper user and device
authentications.
Work-from-Anywhere Secure Access. A robust layered security
strategy should include capabilities to support:
Internal • Grant anywhere, anytime secured access after establishing
user and device identities, location and trust
Applications • Apply multiple access layer security based on granular
Management Employees &
Contractors & Data policy-based access controls, Multi-Factor Authentication
(MFA), Application level VPN, and Geolocation policies
Off-Site
Auditors IT Admin
Remote
Mobile Access
Appliance
Internet
Remote Partners &
Workers Vendors
On-Prem Applications &
Data
Multi-Factor
Authentication
Wireless Users Guests
LDAP / AD / RADIUS
Access Corporate Data Center
6
� COMBATS: DE VICE COMPROMISE | MALWARE
LAYER 5
Wireless Security
Just because employees or users are within the perimeter of your
network, doesn’t mean any and all threats have been mitigated.
In the modern work environment, users are connected wirelessly
to the network via Wi-Fi access points. This can introduce risks
depending on what content they access while at work or what sites or
applications they use.
Both scenarios can present new risks that should be identified and
stopped by advanced secure wireless solutions.
More robust offerings will also include easy-to-use wireless
management consoles and Wi-Fi planning tools to add more
convenience and help reduce costs.
7
� COMBATS: DE VICE COMPROMISE | MALWARE | UNK NOWN USB DRIVES
LAYER 6 But one of the most critical best practices is to use device control capabilities
to stop unknown USB keys from connecting to the endpoint. With SonicWall
Endpoint Protection
Capture Client, for example, administrators can create customized policies
for known and unknown USB devices. For instance, they could allow all mice
and keyboards, but block unknown USB keys while allowing approved or
registered ones.
End-users’ curiosity is a risk factor in itself. Forever seeking connectivity, Once in place, endpoint protection will help you monitor and mitigate
users will often connect to any available network without considering cyberattacks that compromise an endpoint, ensuring malware can’t laterally
potential ramifications. spread through your network or organization. The EPP has two roles: first, it
serves as your last line of defense within your network and should provide
They’ll also click on unknown links, fall victim to phishing emails, download additional sandboxing capabilities and security policies; second, it is your
applications from an untold number of unvetted sources and potentially, first line of defense on mobile computers and should have the ability to be
worst of all, insert unknown USB drives into their machines. These endpoints managed remotely.
then become attack vehicles leveraged to penetrate your defenses.
The more advanced endpoint security solutions will also feature automated
Safeguard these endpoints (e.g., laptops, computers, servers, etc.) — and ‘rollback’ controls to help administrators return a compromised device or
protect users from themselves — with next-generation antivirus (NGAV) machine to a safe state.
solutions or an endpoint protection platform (EPP).
8
� COMBATS: ENCRY P TED MALWARE
LAYER 7 What better way to launch a successful attack than to hide it from
discovery? Smart cybercriminals mask their attacks inside traffic
SSL/TLS Decryption
encrypted by SSL/TLS standards. This helps them sneak malware by a
single-layer network defense.
& Inspection During the first half of 2020, a full 1 in 12 SonicWall customers with
DPI-SSL turned on saw malware on encrypted traffic, according to the
mid-year update to the 2020 SonicWall Cyber Threat Report. That's a
growing attack vector that requires critical attention.
20202020
Encrypted
EncryptedMalware Spread
Malware Spread
11 10.91%
10
9.63%
9.39% 9.44% 9.42%
9.17%
9.07%
9 8.96%
Spread %
8.46% 8.51%
7.58% 7.54%
7.47% 7.46%
7 7.04%
6.45% 6.49% 6.45%
6
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
2019 2020
www.sonicwall.com
Source: 2020 SonicWall Cyber Threat Report
9
�The respected cybersecurity experts offer solutions to conscientiously
decrypt, inspect and re-encrypt SSL and TLS traffic. For some, functionality “Be sure to ask whether the vendor
is integrated on advanced firewalls. Other vendors sell dedicated SSL
inspection appliances. offers full-proxy or artifact-based
Also, be sure to ask whether the vendor offers full-proxy or artifact-
based inspection. The former is expensive and slows performance, while
inspection. The former is expensive
artifact-based technology — like SonicWall’s Reassembly-Free Deep Packet
Inspection (RFDPI) — can stop more attacks without impacting speeds.
and slows performance, while artifact-
The approach that’s sensible for your organization will depend on your based technology can stop more
particular performance, security deployment and financial objectives.
attacks without impacting speeds.”
Reassembly-free Deep Packet Inspection (RFDPI)
CPU n
TLS/SSL CPU 4 TLS/SSL
Traffic in Traffic out
CPU 3
CPU 2
Inspection time Inspection capacity
CPU 1
Less More Min Max
Reassembly-free packet
scanning eliminates proxy
and content size limitations.
10
� COMBATS: NE W OR ‘ NE VER-BEFORE-SEEN ’ THRE ATS
LAYER 8 The use of cloud or network sandboxing services complements the power
of your firewall. This technology delivers real-time inspection of suspicious
Real-Time Sandboxing
files that firewalls don’t have a known signature to check against. Sandboxing
should also be available across multiple avenues of attack, Next Generation
Firewalls (NGFWs), endpoint, email and cloud application security,
for example.
Cloud sandboxing is at its best identifying and blocking ‘never-before-seen’
attacks that are so new they cannot be stopped by static controls. Advanced
sandboxes can isolate suspicious files for further analysis until a decision
is determined — all in real time. This layer reduces the chance of breach
or infection.
Multi-engine threat prevention. The SonicWall Capture
Advanced Threat Protection (ATP) cloud sandbox, with
Real-Time Deep Memory Inspection , stops unknown and
TM
never-before-seen attacks from compromising your network.
If a threat is unknown, the multi-engine technology analyzes
the malware until it can render a good or bad verdict — all
executed in seconds.
A Hypervisor
A B C D B Emulation
C Virtualization
D RTDMI™
CAPTURE ATP SANDBOX
11
� COMBATS: PRO CESSOR THRE ATS | SIDE- CHANNEL AT TACK S
LAYER 9 Innovative security vendors offer advanced deep memory inspection
technology that identifies and stops both malicious PDFs and Office
Advanced Memory &
files, but also defends against advanced processor-based attacks.
For example, SonicWall Real-Time Deep Memory Inspection (RTDMI)
TM
Side-Channel Inspection provides CPU-level instruction detection granularity (unlike typical
behavior-based systems, which have only API/system call-level
granularity) to detect malware variants that contain exploit code
targeting processor vulnerabilities, including MDS, Spoiler, PortSmash,
The most disturbing vulnerabilities — and potentially future attack Foreshadow and more.
vectors — are occurring at the processor level. Advanced side-channel
threats, like MDS, Spoiler, Spectre, Meltdown, Foreshadow and RTDMI protects organizations from processor and side-channels
PortSmash, are shifting the cyber war to an entirely new arena, which attacks and is included as a part of the SonicWall Capture Advanced
is extremely difficult to monitor or patch. Threat Protection (ATP) sandbox service. The table on the next page
outlines the speed in which RTDMI detected these advanced threats.
Soon, advanced organizations (e.g., nation-state attackers)
could exploit processor vulnerabilities to access credentials and
cryptography keys, potentially providing cyberattackers administrative
access to full systems, networks or devices.
12
�Identifying Zero-Day Attacks in Real Time • Based on data from VirusTotal, a market-leading malware
repository, SonicWall is identifying never-before-seen malware
(Before VirusTotal)
variants a full 1.9 days before VirusTotal receives the samples. In
The SonicWall RTDMI engine looks inside multiple layers of packaging some cases (see table below), SonicWall is discovering new threats
and obfuscation to find well-entrenched malware that conventional months before samples are submitted.
anti-malware solutions don’t uncover. It identifies zero-day attacks
• In early 2019, RTDMI detected a surge in archive files containing
in real time, often before they are listed in industry malware
an obfuscated JavaScript file that used PowerShell.exe to execute a
search portals.
downloader that downloaded a variant of the popular ransomware
family GandCrab. This complex threat had not been posted on any
of the popular threat intelligence portals.
Vulnerability Publically Announced RTDMI Detection Confirmed
Meltdown 1/3/2018 1/30/2018
Spectre 1/3/2018 6/13/2018
Foreshadow 8/14/2018 8/15/2018
PortSmash 11/2/2018 11/15/2018
Spoiler 3/5/2019 3/5/2019
MDS (ZombieLoad, RIDL, Fallout) 5/14/2019 5/15/2019
TPM-FAIL (CVE-2019)-11090) 11/12/2019 1/7/2020
13
� COMBATS: SHADOW IT | MALWARE IN CLOUD APPLIC ATIONS
LAYER 10
Real-Time Security for
Cloud Apps & Services
Shadow IT is a growing risk for many organizations. Employees often
don’t have ill intentions and just want to complete their work, but Internet: SaaS & Web
nevertheless they can introduce unverified or untested applications or Sanctioned SaaS Security | Shadow IT Visibility
services into your network, leaving your organization vulnerable.
That’s where cloud application security (CAS) solution comes into play.
This type of solution plays a critical role in discovering and managing
SaaS applications, including Office 365 and G Suite. Gateway
Log Collection API Integration
Access to SaaS
App Control Policy Enforcement Direct Access
The solution should seamlessly integrate with the sanctioned SaaS to SaaS
applications using native APIs, providing: visibility, and compliance Cloud App
Security
monitoring and auditing.
NGFW
The approach empowers IT departments to roll out SaaS applications Mobile
without compromising security and compliance. Administrators can set Users
consistent policies across all the SaaS applications deployed within the BYOD 3rd-Party
organization from a single console. From there, they can use available
HQ Managed Devices Branch
DLP and compliance reporting templates to quickly close security gaps
and set custom policies to fulfill business and regulatory needs.
14
� COMBATS: WIDE-SCALE AT TACKS WITH KNOWN SIGNATURES | MALWARE VIA NON-STANDARD PORTS
LAYER 11
Capture
Next-Generation Firewalls
Security Center
NGFW NGFW
Internet
Next-generation firewalls (NFGW) are the massive, foreboding walls Corporate
that defend your traditional core network. When properly deployed, Headquarters
3G/analog failover
next-generation firewalls are tremendously successful at stopping
known cyberattacks.
When shopping for firewalls, consider the services that go with it. The
firewalls itself will be labeled with various speed specifications, ports,
power supplies, expansion modules, etc., but the true differentiation is
often found in the accompanying security services.
$ Sales network
Secure wireless zone
Be sure to review each vendor for their offerings around SSL/TLS Printers
inspection, protection for non-standard ports, cloud sandboxing,
gateway antivirus (GAV), intrusion prevention services (IPS), content Engineering network 18-port switch Storage
filtering, anti-spam features and application controls — all of which
should be consider the sub-layers of your security posture. PoE
cameras
For distributed organizations requiring advanced flexibility in their Finance network
network design, SD-WAN technology is a perfect complement
firewalls deployed at the headquarters or at remote and branch sites. Protected server network
Instead of relying on more expensive legacy technologies such as
MPLS and T1, organizations using SD-WAN can choose lower-cost The workhorse of network security. Firewalls serve as the backbone to many security
deployments. In this example, an enterprise uses next-generation firewalls to protect a wide
public internet services while continuing to achieve a high level of range of assets, including endpoints, remote networks and locations, servers, IoT devices
application availability and predictable performance. and more.
15
�Know Your Business
for Optimal Security
Effectiveness
“It’s important organizations
Every business and organization is different. And many are at different
phases of their path toward a sound, layered cybersecurity posture. also implement consistent
The aforementioned layers serve as a strong bedrock and will processes to ensure policies
drastically reduce vulnerability gaps and mitigate even the most
advanced cyberattacks — protecting your business, customers
and brand.
are being adhered to,
While this overview has been focused on technology, it’s important compliance mandates are
organizations also implement consistent processes to ensure policies
are being adhered to, compliance mandates are followed, and the followed, and the outlined
outlined security protocols are being monitored and enforced. A
lapse in any drastically reduces the effectiveness of the preceding security protocols are being
core layers.
monitored and enforced.”
16
�Best Practice: Automated
As security technologies and the cyber threats evolve, a new cyber
arms race has emerged, which places cloud-forward organizations
Real-Time Breach
and their cybersecurity solutions in the crosshairs of a growing global
cybercriminal industry.
Detection & Protection To protect your business, it’s strongly suggested you avoid siloed
security technology. In those scenarios, you’ll spend more time
integrating, configuring and managing the technology than you will
actually stopping attacks and improving defenses. Instead, opt for a
The modern organization exists in an increasingly complex and globally cohesive, unified platform that meets the specific security needs of
connected world. Cybersecurity technology is both an enabler and your organization.
inhibitor as organizations adapt to this rapidly changing environment.
Unified and orchestrated cybersecurity. The SonicWall Capture Cloud Platform tightly integrates security,
management, analytics and real-time threat intelligence across network, email, mobile and cloud security offerings.
17
�SonicWall developed the Capture Cloud Platform to provide
automated breach prevention and enable organizations like
yours to stay ahead in the cyber arms race. The platform delivers
security, management, analytics and integrated threat intelligence
so you can:
Drive end-to-end visibility and share intelligence
across the unified security framework
Proactively protect against both known and
unknown threats
Get the contextual awareness needed to detect
and respond to security risks with greater speed
and accuracy
Make informed security policy decisions based
on real-time and consolidated threat information
The Capture Cloud Platform strategy and vision for the future is
continuous innovation and development of containerized as-a-
service security applications that are easily programmable and
provisioned on-demand to drive constant business value and
ensure the long-term success of your organization.
18
� Need A Security Consultation?
SonicWall has been fighting the cybercriminal industry for over 28 years, defending small-
and medium-sized businesses and enterprises worldwide. The combination of our products
and partners enables us to deliver a real-time cyber defense solution tuned to the specific
needs of your business. This means more business and less fear for our customers.
If you’d like an assessment of your security strategy, or have specific questions about
the SonicWall Capture Cloud Platform, call us at +1-888-557-6642 or contact one of our
cybersecurity experts. Or you can visit SonicWall.com to chat with a live representative.
CONTACT A SECURITY EXPERT
19
� FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT
© 2020 SonicWall Inc. ALL RIGHTS RESERVED.
SHALL SONICWALL AND/ OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT,
SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES
in the U.S.A. and/or other countries. All other trademarks and registered trademarks (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS,
are property of their respective owners. The information in this document is provided BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE
in connection with SonicWall Inc. and/or its affiliates’ products. No license, express or USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS
implied, by estoppel or otherwise, to any intellectual property right is granted by this AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
document or in connection with the sale of SonicWall products.
SonicWall and/or its affiliates make no representations or warranties with respect
EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN to the accuracy or completeness of the contents of this document and reserves the
THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS right to make changes to specifications and product descriptions at any time without
AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the
IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, information contained in this document.
BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS
About SonicWall
SonicWall delivers Boundless Cybersecurity for the hyper-distributed era in
a work reality where everyone is remote, mobile and unsecure. SonicWall
safeguards organizations mobilizing for their new business normal with
seamless protection that stops the most evasive cyberattacks across
boundless exposure points and increasingly remote, mobile and cloud-
enabled workforces. By knowing the unknown, providing real-time visibility
and enabling breakthrough economics, SonicWall closes the cybersecurity
business gap for enterprises, governments and SMBs worldwide. For more
information, visit www.sonicwall.com or follow us on Twitter, LinkedIn,
Facebook and Instagram.
If you have any questions regarding your potential use of this material, contact:
SonicWall Inc.
1033 McCarthy Boulevard
Milpitas, CA 95035
Refer to our website for additional information.
www.sonicwall.com
20
Ebook-LayeredCyberSecurity-US-VG-3056
