Security & 7 layers of the OSI Model

In the image below you will see each layer of the OSI model defined and mapped to user activity and security attack vectors. When you think of the “Security Onion” approach to security, think of how many layers an onion has and what it takes to peal back all the layers until you find the center. Sort of lie a tootsie pop, how many licks does it take to get to the center. The more security controls you have at each layer the more time it will take an attacker to get to what’s being protected. The higher value targets (HVTs), Crown Jewels and/or mission critical applications, services and sensitive data should have more controls in applied to the layers.

So when people ask me how do I protect my company, I ask them, have you performed a BIA? A BIA or business impact analysis is a process different than a risk, gap or compliance assessment and output is used for entirely different purposes. A BIA focuses on identifying, mapping and understanding your environment, technology, data and business operations both automated via technology and manually by a person. Understanding how you do business will help security practitioners wisely map out the needed security controls across the OSI model. Since not every technology used in business is the same or handles data in the same manner a strategic allocation of resources can be applied where needed to reduce the risk. Often the HVTs need more layers and controls and are more expensive to protect. Of note, and points to consider are controls can be automated via tooling or manual. Think of people, process and technology here. Often all 3 are needed to balance the equation. Also a BIA does not replace a risk, gap or compliance assessment. It does help identify risk and can be paired with a risk assessment to deliver the best of bread when it comes to risk reduction though.

So how do we apply controls to the OSI model? This is the last piece to the puzzle. The image below stops at the attack vectors so you can think of controls as “objectives” and technologies can be used to meet an objective or set of objectives. Adapt technologies to address the objective for each layer is the key. Appropriate technologies that meet the objective will minimize the risk at each layer. Often solutions are spread across many layers of the OSI model. Let me create a list of technologies that come into consideration for each layer. I’ll keep it at the technologies level in this discussion because solutions from vendors often blur the line of what they do and what they do best for you. Only control testing will provide you with answers to if the objective has truly been met.

  • Application Layer (7)
    • Web Application Firewall (WAF)
    • Multi-Factor Authentication (MFA)
    • Strong Authentication Mechanisms
    • IDS/IPS/IDPS – Intrusion Detection and Protection
    • Data Encryption
    • Secure Coding using OWASP Top 10
    • API Security
    • DDOS Protection
    • Software Updates/Patches – Vulnerability Mgmt.
    • Security Information and Event Mgmt (SIEM)
    • Identiy and Access Managment (IAM)
    • Runtime Application Self-Protection (RASP)
    • Threat Intelligence Platforms
    • Application Security Testing (SAST/DAST)
    • EDR/MDR/XDR
    • Threat Hunting Tooling
  • Presentation Layer (6)
    • Strong Encryption (AES)
    • Proper Key Mgmt.
    • Strong Ciphers
    • Certificate Pinning
    • Secure Protocols
    • Data Integrity Checks (Hashing)
    • Data Sanitaztion
    • MFA
  • Network Layer (3)
    • Firewalls
    • IDS/IPS/IDPS – Intrusion Detection and Protection
    • Secure Routing Protocols
    • VPNs
    • IPSec
    • Network Segmentation
    • Access Control Lists (ACLs)
    • Zero Trust Network Policies
  • Session Layer (5)
    • HTTPS
    • Secure Session Management
    • Cookie Security
    • Session Timeout
    • Token based Authentication
    • Encryption of Session Tokens
    • MFA
  • Data Link Layer (2)
    • 802.1X Authentication
    • Dynamic ARP Spoofing
    • DHCP Snooping
    • Mac Address Filtering
    • Port Security
    • VLan Segmentation
    • ARP Inspection
    • MACSec – Security
  • Transport Layer (4)
    • TLS – Transport Layer Security
    • SSL – Secure Socket Layer
    • Secure Ports – HTTPS(443), SSH/SCP/SFTP(22) Etc.
    • IDS/IPS/IDPS – Intrusion Detection and Protection
    • Port Scanning Prevention/Blocking
    • Session Management
  • Physical Layer (1)
    • CCTV/Cameras
    • Lock & Key
    • Electronic Badges
    • Fences
    • Barricades
    • Conduit for cables
    • Server Rooms – Racks
    • Network Closets
    • Environmental Controls