Defence in Depth

From PiRho Knowledgebase
Jump to navigationJump to search

Summary:

Defence in Depth is a security strategy that uses multiple, independent layers of protection to reduce risk. Rather than relying on a single security control, organisations deploy overlapping preventative, detective, and corrective measures throughout their infrastructure.

The approach assumes that any individual security control can fail, be bypassed, misconfigured, or become obsolete. By introducing multiple protective layers, an attacker who defeats one control should encounter additional barriers before reaching valuable assets.

Context

Security is often incorrectly viewed as a single product or technology.

Organisations commonly ask questions such as:

  • "Do we have a firewall?"
  • "Do we have antivirus?"
  • "Do we have Multi-Factor Authentication?"

While these technologies are important, none of them alone provide comprehensive protection.

A firewall may be misconfigured.

An antivirus product may not recognise a new threat.

A user may inadvertently disclose credentials.

Defence in Depth recognises that security failures occur and designs systems accordingly.

The objective is not to create an impenetrable system. The objective is to increase the effort, time, complexity, and visibility required to compromise a system successfully.

Core Concepts

Multiple Security Layers

Security controls should exist at multiple points throughout an environment.

Examples include:

  • Physical security
  • Network security
  • Endpoint security
  • Identity security
  • Application security
  • Data security
  • Monitoring and detection
  • Incident response

Each layer provides protection independently of the others.

Assume Breach

A useful mindset is to assume that attackers will eventually bypass some form of protection.

Rather than asking:

"How do we stop attacks completely?"

Defence in Depth asks:

"What happens if this control fails?"

This approach naturally leads to resilient designs.

Prevention, Detection, and Response

Protection alone is insufficient.

An effective security architecture consists of:

  • Preventative controls
  • Detective controls
  • Corrective controls

For example:

Function Example
Prevent Firewall Rules
Detect SIEM Alert
Respond Incident Response Procedure

Together, these form a complete security lifecycle.

The Castle Analogy

A useful way to visualise Defence in Depth is a medieval castle.

An attacker must overcome:

  • The moat
  • The drawbridge
  • The outer wall
  • The gatehouse
  • The inner wall
  • The guards
  • The keep

No single defence is expected to stop every attack.

Instead, each layer slows progress and increases the likelihood of detection.

Modern IT systems follow the same principle.

Practical Application

Physical Security

The first security layer often exists before an attacker reaches a computer system.

Examples include:

  • Locked buildings
  • Access cards
  • Security guards
  • CCTV
  • Secure server rooms

Physical access frequently bypasses technical controls.

Network Security

Network controls limit exposure and restrict movement.

Examples include:

  • Firewalls
  • VLAN segmentation
  • Access control lists
  • VPN gateways
  • Intrusion Prevention Systems

Even if one network segment is compromised, segmentation should prevent unrestricted access to the remainder of the environment.

Identity and Access Management

Identity controls focus on users and services.

Examples include:

  • Active Directory
  • Role-Based Access Control
  • Multi-Factor Authentication
  • Conditional Access Policies
  • Privileged Access Management

Compromising a single account should not automatically grant unrestricted administrative access.

Endpoint Security

Endpoints remain one of the most common attack vectors.

Typical controls include:

  • Anti-malware solutions
  • Device encryption
  • Application control
  • Patch management
  • Device compliance policies

A compromised endpoint should still encounter additional security layers.

Application Security

Applications require security controls independent of the infrastructure hosting them.

Examples include:

  • Input validation
  • Authentication controls
  • Authorisation checks
  • Secure coding practices
  • API security controls

A secure network does not compensate for insecure application design.

Data Protection

Ultimately, most attacks target data.

Controls may include:

  • File permissions
  • Information classification
  • Encryption at rest
  • Encryption in transit
  • Data Loss Prevention (DLP)

Even if a system is compromised, protected data may remain inaccessible.

Monitoring and Detection

Many organisations invest heavily in prevention while neglecting detection.

Detection controls include:

  • Security Information and Event Management (SIEM)
  • Audit logging
  • Behavioural analytics
  • Endpoint Detection and Response (EDR)
  • Threat intelligence feeds

A security incident cannot be managed if nobody knows it is happening.

Reference Architecture

A simplified Defence in Depth model might appear as follows:

Internet
    │
    ▼
Firewall
    │
    ▼
DMZ Services
    │
    ▼
Internal Firewall
    │
    ▼
Corporate Network
    │
    ├── User Devices
    │
    ├── Application Servers
    │
    └── Management Network
           │
           ▼
      Critical Systems
           │
           ▼
        Protected Data

Additional security controls exist at every layer.

For example:

  • MFA protects identities
  • EDR protects endpoints
  • SIEM monitors activity
  • Encryption protects information

Common Pitfalls

Reliance on a Single Control

Many environments unknowingly rely on one technology as their primary defence.

Examples include:

  • "The firewall will stop it."
  • "The antivirus will catch it."
  • "The cloud provider secures everything."

This creates single points of failure.

Flat Networks

Flat networks allow attackers to move laterally after an initial compromise.

Network segmentation significantly reduces this risk.

Excessive Administrative Privileges

Users frequently possess more permissions than necessary.

This magnifies the impact of credential theft.

Lack of Monitoring

Attacks may remain undetected for weeks or months if monitoring is insufficient.

Without visibility, incident response becomes reactive rather than proactive.

Design & Architecture Considerations

Scalability

Security controls should scale alongside the environment.

A design suitable for ten users may become ineffective for a thousand.

Security vs Usability

Security mechanisms should support business operations rather than obstruct them unnecessarily.

Excessively restrictive controls often encourage users to develop unsafe workarounds.

Layer Independence

Where possible, security layers should fail independently.

For example:

  • Authentication systems should not rely entirely on network controls.
  • Encryption should not rely entirely on physical security.
  • Monitoring should function even when preventative controls fail.

Zero Trust Alignment

Modern Zero Trust architectures build upon Defence in Depth principles.

Both assume that trust should be continuously verified rather than assumed.

Troubleshooting & Diagnostics

When assessing security posture, ask:

  • What happens if the firewall fails?
  • What happens if a password is stolen?
  • What happens if a workstation becomes infected?
  • What happens if a privileged account is compromised?

If a single failure results in complete compromise, additional security layers are required.

A useful exercise is to follow a hypothetical attacker path through the environment and identify where detection or containment should occur.

Key Takeaways

  • No security control is perfect.
  • Security controls should overlap rather than operate in isolation.
  • Prevention, detection, and response are equally important.
  • Security architecture should assume that individual controls will fail.
  • The goal is to increase resistance, reduce impact, and improve visibility.

Related Topics

References

  • NIST Cybersecurity Framework
  • NIST SP 800-53 Security Controls
  • NIST Zero Trust Architecture (SP 800-207)
  • CIS Critical Security Controls
  • ISO/IEC 27001