“Defense in depth” (DiD) is a cyber security strategy that uses multiple security products and practices to safeguard an organization’s network, web properties, and resources. It is sometimes used interchangeably with the term “layered security” because it depends on security solutions at multiple control layers — physical, technical, and administrative — so that an attacker who defeats one control still has to defeat the others before reaching a protected network or on-premises resource.
Originally, defense in depth described a military strategy in which one line of defense was sacrificed to stall opposing forces. Despite the similar name, that approach does not parallel this security strategy, in which multiple products work together to keep attackers and other threats at bay.
Why is defense in depth necessary?
The concept of a layered defense strategy is to implement multiple security measures to protect against potential threats. The rationale is that no single security product can fully safeguard a network from every attack it might face. Implementing multiple security products and practices, however, can help detect and prevent attacks as they arise, enabling organizations to mitigate a wide range of threats. This approach becomes increasingly important as organizations scale their networks, systems, and users.
Another advantage of layered security is redundancy. If an external attacker takes down one line of defense or an insider threat compromises part of an organization’s network, other security measures can help limit and mitigate the damage to the entire network. By contrast, using only one security product creates a single point of failure; if it becomes compromised, the entire network or system can be breached or damaged as a result.
What security products are used in defense in depth?
While defense-in-depth strategies vary according to an organization’s needs and available resources, they commonly include one or more products in the following categories:
Physical security controls defend IT systems, corporate buildings, data centers, and other physical assets against threats like tampering, theft, or unauthorized access. These may include different types of access control and surveillance methods, such as security cameras, alarm systems, ID card scanners, and biometric security (e.g. fingerprint readers, facial recognition systems, etc.).
Technical security controls encompass the hardware and software needed to prevent data breaches, DDoS attacks, and other threats that target networks and applications. Common security products at this layer include firewalls, secure web gateways (SWG), intrusion detection or prevention systems (IDS/IPS), browser isolation technologies, endpoint detection and response (EDR) software, data loss prevention software (DLP), web application firewalls (WAF), and anti-malware software, among others.
Administrative security controls refer to the policies set by system administrators and security teams that control access to internal systems, corporate resources, and other sensitive data and applications. They may also include security awareness training to ensure that users practice good security hygiene, keep data confidential, and avoid exposing systems, devices, and applications to unnecessary risks.
What security practices are used in defense in depth?
In addition to security products and policies, organizations need to implement strong security practices to limit the risk to their networks and resources. These may include one or more of the following:
Least-privilege access is the principle of permitting users to access only the systems and resources they need for their role. This helps minimize risk to the rest of the network if a user’s credentials are compromised and an unauthorized user attempts to carry out an attack or access sensitive data.
Multi-factor authentication (MFA) requires two or more independent proofs of identity before granting access to a network or application: something the user knows (a password or PIN), something the user has (a hardware security key, an authenticator app, or a phone that receives a one-time code), and something the user is (a fingerprint or face scan). A strong password remains the first factor, but MFA's value comes from the second factor being independent of it, so a phished, guessed, or leaked password alone does not grant access. Not all second factors are equal: one-time codes typed in from a mobile device can be relayed by a real-time phishing site, whereas FIDO2/WebAuthn security keys bind the response to the site's origin and resist that attack.
Encryption protects sensitive data, in transit and at rest, from being read by unauthorized or malicious parties. A cipher converts plaintext (information readable by humans or applications) into ciphertext, output that looks like random data to anyone without the key, and only holders of the correct key can reverse it. The protection is only as strong as the key management around it: ciphertext stored next to its key is not protected, and encryption alone does not detect tampering unless an authenticated mode or a separate integrity check is used.
Network segmentation helps limit the exposure of internal systems and data to vendors, contractors, and other outside users. For instance, setting up separate wireless networks for internal users vs. external ones enables organizations to better protect sensitive information from unauthorized parties. Network segmentation can also help security teams contain insider threats, limit the spread of malware, and adhere to data regulations.
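The least-privilege and network-segmentation practices above come down to the same rule applied to network flows: nothing is reachable unless a policy explicitly allows it. As an added example (written for this page, not taken from any product it names), the following Python evaluates a zone-based, default-deny policy and answers the containment question a security team asks after a compromise: which zones can a host in a given segment reach at all? The zone address ranges and rules are constructed for the example and do not describe a real network.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed address plan for the example. Zones are matched by longest prefix, so the
# catch-all "internet" zone never swallows an address that belongs to an internal segment.
ZONES = {
    "corp-wifi":  [ipaddress.ip_network("10.10.0.0/16")],
    "guest-wifi": [ipaddress.ip_network("10.20.0.0/16")],
    "servers":    [ipaddress.ip_network("10.50.0.0/24")],
    "db":         [ipaddress.ip_network("10.60.0.0/24")],
    "internet":   [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    ports: frozenset   # empty set = any port
    action: str        # "allow" or "deny"


# Evaluated top to bottom, first match wins; anything unmatched falls through to default deny.
RULES = [
    # Explicit deny first: workstations never reach the database tier directly, and this stays
    # true even if someone later adds a broad corp-wifi allow below it.
    Rule("corp-wifi",  "db",       "tcp", frozenset(),          "deny"),
    Rule("guest-wifi", "internet", "tcp", frozenset({80, 443}), "allow"),
    Rule("guest-wifi", "internet", "udp", frozenset({53}),      "allow"),
    Rule("corp-wifi",  "servers",  "tcp", frozenset({443}),     "allow"),
    Rule("corp-wifi",  "internet", "tcp", frozenset({80, 443}), "allow"),
    Rule("servers",    "db",       "tcp", frozenset({5432}),    "allow"),
]


def zone_of(ip: str) -> str:
    """Map an address to the most specific zone whose prefix contains it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for zone, nets in ZONES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    return best[0] if best else "unknown"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int, rules=RULES) -> tuple:
    """Return (action, reason) for a flow. No matching rule means deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for i, r in enumerate(rules):
        if (r.src_zone == src_zone and r.dst_zone == dst_zone and r.proto == proto
                and (not r.ports or dport in r.ports)):
            return r.action, f"rule {i}"
    return "deny", "default-deny"


def reachable_from(zone: str, rules=RULES) -> set:
    """Blast-radius check: every zone a compromised host in `zone` is allowed to talk to."""
    return {r.dst_zone for r in rules if r.src_zone == zone and r.action == "allow"}


if __name__ == "__main__":
    for flow in [("10.20.5.7", "10.60.0.10", "tcp", 5432),   # guest -> database
                 ("10.10.3.4", "10.60.0.10", "tcp", 5432),   # corp wifi -> database
                 ("10.50.0.5", "10.60.0.10", "tcp", 5432),   # app server -> database
                 ("10.20.5.7", "93.184.216.34", "tcp", 443)]:  # guest -> web
        print(flow, "->", evaluate(*flow))
    for zone in ZONES:
        print(f"{zone} can reach: {sorted(reachable_from(zone)) or 'nothing'}")
```

Two properties are worth checking in any real rule set the same way: that a guest or contractor segment reaches only the internet, and that the database tier is reachable only from the application tier, never from user segments, so a compromised laptop cannot touch the data directly.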
Behavioral analysis can help detect abnormal traffic patterns and attacks as they occur. It does this by comparing user behavior against a baseline of normal behavior that has been observed in the past. Any abnormalities can trigger security systems to redirect malicious traffic and prevent attacks from being carried out. Because a baseline reflects past behavior rather than intent, an anomaly is not proof of an attack: a new office, a travelling employee, or a seasonal workload all look abnormal, so thresholds need tuning and baselines need periodic refresh to keep false positives manageable.
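To make the baseline comparison concrete, here is an added example (written for this page; it is not a product's detection logic) that builds a per-user profile from historical login records and scores a new batch of events against it. The log format, the users, the addresses and the events are all constructed for the example; the three signals it checks (an unseen geolocation, a login outside the user's usual hours, and a failure count well above that user's daily average) are the kind of baseline deviations the paragraph above describes.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format for the example (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

# Constructed history: alice and bob log in at 09:00, 13:00 and 17:00 from the US for ten days,
# and alice mistypes her password once on the 4th.
HISTORY = [
    f"2024-03-{day:02d}T{hour:02d}:15:00Z user={user} src=203.0.113.{n} geo=US result=success"
    for day in range(1, 11)
    for user, n in (("alice", 10), ("bob", 20))
    for hour in (9, 13, 17)
] + ["2024-03-04T09:14:00Z user=alice src=203.0.113.10 geo=US result=failure"]

# Constructed new window: alice's account is used at 03:00 from a new country after three
# failed attempts; bob behaves normally apart from one typo.
NEW_EVENTS = [
    "2024-03-12T03:02:00Z user=alice src=198.51.100.7 geo=RU result=failure",
    "2024-03-12T03:02:20Z user=alice src=198.51.100.7 geo=RU result=failure",
    "2024-03-12T03:02:41Z user=alice src=198.51.100.7 geo=RU result=failure",
    "2024-03-12T03:03:05Z user=alice src=198.51.100.7 geo=RU result=success",
    "2024-03-12T09:30:00Z user=bob src=203.0.113.20 geo=US result=success",
    "2024-03-12T09:31:00Z user=bob src=203.0.113.20 geo=US result=failure",
]


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def build_baseline(events) -> dict:
    """Per-user profile: hours and geos seen, plus mean and spread of failures per day."""
    per_user = defaultdict(lambda: {"hours": set(), "geos": set(), "fail_by_day": defaultdict(int)})
    for e in events:
        p = per_user[e["user"]]
        p["hours"].add(e["ts"].hour)
        p["geos"].add(e["geo"])
        day = e["ts"].date()
        p["fail_by_day"][day] += 1 if e["result"] == "failure" else 0  # days with no failures count as 0
    baseline = {}
    for user, p in per_user.items():
        fails = list(p["fail_by_day"].values())
        baseline[user] = {
            "hours": p["hours"],
            "geos": p["geos"],
            "fail_mean": statistics.fmean(fails),
            "fail_stdev": statistics.pstdev(fails) if len(fails) > 1 else 0.0,
        }
    return baseline


def score_window(baseline: dict, events) -> dict:
    """Compare a batch of new events with the baseline; returns {user: [reasons]}."""
    findings = defaultdict(list)
    failures = defaultdict(int)
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            findings[e["user"]].append("no baseline for user")
            continue
        if e["geo"] not in b["geos"]:
            findings[e["user"]].append(f"new geo {e['geo']}")
        usual = {(h + d) % 24 for h in b["hours"] for d in (-1, 0, 1)}  # one hour of tolerance
        if e["ts"].hour not in usual:
            findings[e["user"]].append(f"off-hours login at {e['ts'].hour:02d}:00")
        if e["result"] == "failure":
            failures[e["user"]] += 1
    for user, n in failures.items():
        b = baseline[user]
        threshold = b["fail_mean"] + 3 * b["fail_stdev"]
        # Floor of 2 so a user with a spotless history is not flagged by a single typo.
        if n > max(threshold, 2):
            findings[user].append(f"{n} failures vs baseline {b['fail_mean']:.1f}")
    return {u: list(dict.fromkeys(r)) for u, r in findings.items()}  # dedupe, keep order


def detect(history_lines, new_lines) -> dict:
    parsed = lambda lines: [e for e in map(parse, lines) if e is not None]
    return score_window(build_baseline(parsed(history_lines)), parsed(new_lines))


if __name__ == "__main__":
    for user, reasons in detect(HISTORY, NEW_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

The floor on the failure threshold and the one-hour tolerance on working hours are the tuning knobs the paragraph's caveat refers to: without them, bob's single typo and a login at 08:50 would both generate alerts, and analysts would soon stop reading them.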
Zero Trust security is a security philosophy that bundles many of the above concepts, with the assumption that threats are already present inside a network, and no user, device, or connection should be trusted by default.
These are just a few of the practices that should be employed in a layered security approach. As attack types continue to evolve to exploit vulnerabilities in existing security products, new products and strategies must be developed to counter them.
How does layered security differ from integrated security?
An effective defense-in-depth strategy requires not only layered security controls but integrated security practices as well. Although these terms sound similar, they carry slightly different meanings:
- Layered security, as described above, refers to using multiple security products and practices to protect an organization against a vast spectrum of physical and cyber threats.
- Integrated security ensures that multiple security products work with each other to improve their ability to detect and mitigate threats. A security strategy can be layered, but not integrated, whereas an integrated security strategy is layered by nature.
Think of layered security as a suit of armor that has been sourced from multiple sellers. Some pieces of armor might be newer or higher quality than others; although the wearer is protected from many types of physical harm, there may be gaps between different pieces of armor or weak spots where the wearer is more vulnerable to attack.
By contrast, integrated security is like a custom suit of armor. It may consist of different pieces (security controls), but they are each inherently designed to work together to protect the wearer — without leaving gaps or weak spots.
When configuring cyber security solutions, however, purchasing multiple security products from a single vendor does not always guarantee that an organization is receiving the benefits of an integrated approach