Posted by Tyler Chancey, GCFA on

Tyler Chancey is a cybersecurity professional currently serving as the Director of Cyber Security at Scarlett Cybersecurity Services. With a solid foundation in Computer Software Engineering from the University of Florida, Tyler holds a repertoire of certifications that underscore his expertise. These include the prestigious Microsoft 365 Certified: Enterprise Administrator Expert and Microsoft 365 Certified: Security Administrator Associate, showcasing his mastery in Microsoft's enterprise solutions. Tyler's commitment to comprehensive security is further evidenced by his CompTIA Security+ certification, demonstrating proficiency in core cybersecurity principles. Additionally, his GIAC Certified Forensic Analyst (GCFA) credential attests to his advanced skills in forensic analysis—an invaluable asset in today's complex cybersecurity landscape. Tyler's dedication to staying at the forefront of industry standards is evident in the active pursuit and maintenance of these certifications, making him a trusted authority in the field.

Tyler C., GCFA 

Job title: Director of Cyber Security
Expertise: Information Security, Cybersecurity Incident Response, Cybersecurity Compliance, Cyber Policy
Education: University of Florida, Computer Software Engineering

Highlights:

  • Director of Cyber Security at Scarlett Group since 2022 
  • Holds GCFA and Microsoft 365 Enterprise Administrator certifications
  • Expertise in compliance, incident response and cyber policy

Experience: 

Tyler C. currently serves as the Director of Cyber Security at Scarlett Group in Jacksonville, Florida. He first joined Scarlett Group in 2019 as a Cyber Security Consultant, before being promoted to his current director role in 2022. Tyler has over 4 years of experience providing cybersecurity services to American private and public organizations.

Education:

Tyler earned his degree in Computer Software Engineering from the University of Florida in 2016. While at UF, he developed expertise in programming and software development.

Licenses & Certifications:

  • Microsoft 365 Certified: Enterprise Administrator Expert (Issued May 2023)
  • GIAC Certified Forensic Analyst (GCFA) (Issued Jan 2019, Expires Jan 2027)  
  • Microsoft 365 Certified: Security Administrator Associate (Issued Jul 2022, Expired Jul 2023)
  • CompTIA Security+ (Issued Jun 2020, Expired Jun 2023)

Additional Skills: 

  • Customer Service, Leadership, Public Speaking, Network Security, Forensic Analysis, Disaster Recovery, Cloud Applications

The western front of World War I was initially highly mobile and dynamic. It wasn’t until the armies began to utilize basic entrenchments that the famous stalemate began. These basic defenses eventually grew to become a massive array of communications lines, barbed wire, and bunkers. Worse yet for the attacker, this first layer of defenses was always backed up by redundant trenches from which a separate defense could halt a breakthrough. This concept of overlapping, redundant defenses arranged in multiple layers is known as defense in depth.

Cybersecurity approaches mirror these military defensive networks in more ways than one. A firewall can be the cybersecurity equivalent of a basic trench. Bunkers and barbed wire would be our perimeter network security appliances. Even the communications lines, with the critical role of reporting a breakthrough, have a modern equivalent in 24/7 SIEM/SOC alerting.

Infiltration Tactics

One of the core factors in breaking the stalemate of trench warfare was the development of “infiltration tactics.” This new doctrine focused on exploiting every small breakthrough. The parallels to modern cyberattack tactics are uncanny. Security was previously all about the perimeter, but in the past few decades things have changed.

Small breakthroughs and “living off the land” are the bread and butter of advanced attackers. While our analogy might not extend to modern security perfectly, it does help to get the overall picture across. Modern security relies on an absolutely daunting array of tools, procedures, and policies in order to maintain the frontline and ensure that infiltrations are dealt with quickly and effectively.

This post will be the first part of a series that helps define some of the security controls available to companies looking to enact a more robust security stack.

What is Defense in Depth?

Defense in Depth is simply defined as having security controls in more than one of the three areas of security. Generally, the three areas are regarded as Administrative Controls, Physical Controls, and Technical Controls. This definition almost universally includes all businesses to some degree.

For example, if a company has a basic firewall and locks on their doors, they technically have a “defense in depth” approach. However, designating such a company as secure would be a gross misrepresentation of the term. In order to adhere to the conventional defense in depth doctrine, a company must make every effort to cover as much as possible while maintaining its current controls.

Defense in depth generally assumes that the controls are used to block or delay a threat until it is eradicated. Infiltrations will happen; it’s up to the controls to help remediate these issues before they get more serious. Generally, when it comes to security threats, it will be a question of “when,” not “if.” A breakthrough will occur at some point but theoretically, the array of defenses should at least delay any critical event. With the proper controls, even the most threatening breakthroughs can be dealt with via human intervention.

Controls and Vendor Diversity

Administrative, physical, and technical controls all play their part in creating a defensive grid for a company. Furthermore, vendor diversity within these controls can help ensure that there is no uniform risk within your security assets. Below we will define these concepts and provide some basic examples. Note that none of these categories are rigid, and they are definitely not mutually exclusive. It is entirely possible for something to fall into every category. Look for future posts that go into greater detail regarding the options provided within each control category.

Administrative Controls

The least intuitive of the three areas, administrative controls nevertheless provide a vital backbone for the company’s security plan. These controls define the methods the business uses to uphold certain standards. A good rule of thumb for determining whether a control is administrative is to ask whether a person, rather than a system, carries it out. A security audit is a prime example of an administrative control: it is not automatic and requires business support in order to occur. Training is another good example. Administrative controls usually require extensive documentation and planning.

Physical Controls

Sometimes physically keeping the bad guys out can be the most important part of securing an environment. It doesn’t matter what kind of impregnable security stack a company has if an attacker can simply walk into the office and destroy the servers. Physical security controls are things that you can physically touch that provide enhanced security. The most common examples would include locks on doors, security guards, badge readers, and other physical assets. Note that even an HVAC system can be considered a physical control if it helps keep systems cool and mitigates risk.

Technical Controls

Simply put, these controls are the use of technology to mitigate threats or reduce vulnerability. Technical controls are usually the flashiest and newest controls in our ever-advancing technology sector. While every control category has its place, technical controls are vital to actually performing the work. Without a firewall or other basic technical controls, no amount of administrative finesse will protect your network from the maelstrom that is the internet.

Vendor Diversity

While this isn’t strictly a control type, it is still an important concept in the Defense in Depth doctrine. Relying on a single vendor can leave a company overly exposed to price changes, end-of-life products, and unpatched vulnerabilities in that vendor’s software. Diversity is good, and maintaining a strict policy of vendor diversity can help prevent security holes caused by a single vendor’s error.
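To make the two definitions above concrete (the minimal “controls in more than one of the three areas” test, and the vendor-diversity concern), here is an added example that is not part of the original post or of any Scarlett Group tooling. It models a control inventory and reports the gaps a reviewer would look for: an area with no control at all, an area whose vendor-supplied controls all depend on one vendor, and controls past vendor end-of-life. The control names, vendor names (“ExampleNet”, “ExampleAccess”) and dates are constructed sample data, not real products.

```python
"""Defense-in-depth inventory check (added example, not from the original post).

All control names, vendors and dates below are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The three control areas named in the post.
CATEGORIES = ("administrative", "physical", "technical")


@dataclass(frozen=True)
class Control:
    name: str
    categories: tuple                    # a control may sit in more than one area
    vendor: Optional[str] = None         # None = delivered in-house (policy, audit, training)
    end_of_life: Optional[date] = None   # vendor support end date, if known


def covered_categories(controls):
    """The control areas that have at least one control."""
    return {cat for ctl in controls for cat in ctl.categories if cat in CATEGORIES}


def meets_minimum_definition(controls):
    """The post's minimal definition: controls in more than one of the three areas."""
    return len(covered_categories(controls)) >= 2


def coverage_gaps(controls):
    """Areas with no control at all, in the fixed order of CATEGORIES."""
    covered = covered_categories(controls)
    return [cat for cat in CATEGORIES if cat not in covered]


def single_vendor_categories(controls):
    """Areas where two or more vendor-supplied controls all come from one vendor.

    This is the uniform risk the post warns about: one price change,
    end-of-life notice or unpatched bug then hits every layer of that area.
    """
    vendors_by_cat = defaultdict(Counter)
    for ctl in controls:
        if ctl.vendor is None:
            continue
        for cat in ctl.categories:
            vendors_by_cat[cat][ctl.vendor] += 1
    return {
        cat: next(iter(counts))
        for cat, counts in vendors_by_cat.items()
        if len(counts) == 1 and sum(counts.values()) >= 2
    }


def end_of_life_controls(controls, today):
    """Controls whose vendor support has ended; unpatched vulnerabilities accumulate there."""
    return [ctl.name for ctl in controls if ctl.end_of_life and ctl.end_of_life <= today]


def assess(controls, today):
    """Summarise the inventory as a dict a practitioner can act on."""
    return {
        "meets_minimum_definition": meets_minimum_definition(controls),
        "coverage_gaps": coverage_gaps(controls),
        "single_vendor_categories": single_vendor_categories(controls),
        "end_of_life": end_of_life_controls(controls, today),
    }


# Constructed sample inventories; vendor names are placeholders.
MINIMAL = (
    Control("perimeter firewall", ("technical",), "ExampleNet", date(2024, 6, 30)),
    Control("door locks", ("physical",)),
)

LAYERED = MINIMAL + (
    Control("badge readers", ("physical",), "ExampleAccess"),
    Control("endpoint detection agent", ("technical",), "ExampleNet"),
    Control("annual security audit", ("administrative",)),
    Control("security awareness training", ("administrative",)),
)

AS_OF = date(2025, 1, 1)        # assessment date for the sample run
BEFORE_EOL = date(2024, 1, 1)   # a date before the sample firewall's end-of-life

if __name__ == "__main__":
    for label, inventory in (("minimal", MINIMAL), ("layered", LAYERED)):
        print(label, assess(inventory, AS_OF))
```

The “firewall plus door locks” inventory from the post passes the minimal definition yet has no administrative control at all, which is exactly why the post calls that label a misrepresentation. The layered inventory closes the coverage gap but still shows the technical area depending entirely on one vendor, and a firewall past end-of-life, so the report is meant to drive the next round of planning rather than to declare the company secure.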

Extended Definitions and Examples

This overview just scratches the surface of Defense in Depth. Now that we have these basic terms and concepts defined, look for next month’s article covering in-depth examples of administrative controls and some of the current solutions used by today’s top enterprises.

For more details on current security controls, be sure to check out the NIST documentation on security controls: https://nvd.nist.gov/800-53.
