What is Defense in Depth (DiD)?
Defense in depth is the use of multiple cybersecurity strategies so that if one security control fails, the entire system is not immediately compromised. It uses multiple layers of security mechanisms and is also known as “layering”.
It assumes that, with some effort, any single security measure can be bypassed, and designs with that in mind.
In a way, it’s an example of “don’t put all your eggs in one basket”.
Common Security Layering Designs
One starting point is combining network security (such as network intrusion detection) with endpoint security (such as anti-virus).
Anti-virus likely won’t detect unusual device-to-device communication, while network intrusion detection won’t see anything that doesn’t leave the device.
Email Security Model
A more involved security layering or Defense in Depth design is the email security model – how can we protect our business from malicious email?
Using an example of an email with a malicious link, successive layers can be:
Steps taken | Protective measure used |
Check email authenticity | Sender’s published policy |
Check sender reputation | Public reputation lists |
Check message text content for patterns | Spam filtering |
Check message for malware | Gateway Antivirus |
User decides if message is genuine and whether to click | Security Awareness |
Check link | Safelinks |
Check site with web policy | Firewall |
To sum up, we prevent the delivery of a malicious message into the user’s inbox in the first place if possible.
If the message gets into the user’s inbox, we rely on their Security Awareness Training.
If that fails, then web browsing controls are the next line of defense, and so on.
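As an added illustration (not from the original page), the Python example below models four of the automated layers from the table as ordered checks and reports which layer first stops each message. Reading a DMARC verdict from the `Authentication-Results` header as the "sender's published policy" check is an assumption, and the blocklists, patterns and sample messages are all constructed.

```python
import re
from email import message_from_string

# Constructed stand-ins; a real gateway would query live services for these.
BAD_SENDER_DOMAINS = {"bulk-mailer.example"}   # public reputation list
BAD_LINK_HOSTS = {"login-verify.example"}      # link-scanning verdicts
SPAM_PATTERNS = [re.compile(p, re.I)
                 for p in (r"verify your account", r"urgent action required")]

def check_authenticity(msg):
    # Assumption: the receiving server recorded a DMARC verdict (RFC 8601 header).
    return re.search(r"\bdmarc=pass\b", msg.get("Authentication-Results", "")) is not None

def check_reputation(msg):
    domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    return domain not in BAD_SENDER_DOMAINS

def check_content(msg):
    return not any(p.search(msg.get_payload()) for p in SPAM_PATTERNS)

def check_links(msg):
    hosts = re.findall(r"https?://([^/\s:]+)", msg.get_payload(), re.I)
    return all(h.lower() not in BAD_LINK_HOSTS for h in hosts)

# Order follows the table: each layer only sees what earlier layers let through.
LAYERS = [("authenticity", check_authenticity), ("reputation", check_reputation),
          ("content", check_content), ("link", check_links)]

def first_blocking_layer(raw):
    """Return the name of the first layer that rejects the message, or None."""
    msg = message_from_string(raw)
    for name, check in LAYERS:
        if not check(msg):
            return name
    return None

def make(sender, auth, body):
    # Builds a minimal constructed message for the samples below.
    return f"From: {sender}\nAuthentication-Results: mx.example; {auth}\n\n{body}\n"

SAMPLES = {
    "spoofed": make("ceo@corp.example", "dmarc=fail", "Please pay the invoice."),
    "listed_sender": make("promo@bulk-mailer.example", "dmarc=pass", "Big discounts."),
    "phish_text": make("it@newdomain.example", "dmarc=pass", "Urgent action required now."),
    "bad_link": make("hr@newdomain.example", "dmarc=pass", "Handbook: https://login-verify.example/doc"),
    "benign": make("alice@partner.example", "dmarc=pass", "Notes: https://partner.example/n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:14} stopped by: {first_blocking_layer(raw)}")
```

The `bad_link` sample passes authentication, reputation and content checks and is only stopped at the link layer, which is the case the layered design exists for.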
Physical access controls are another example: combining access cards (so only authorized users can get in) with turnstiles (to dissuade tailgating) and security guards (to monitor for violations of the previous controls).
How to Diversify For Stronger Security
Using multiple security layers results in a stronger security posture. The various security controls compensate for one another’s failures and decrease the likelihood of a compromise.
If you are in a position to diversify your security controls yourself, then you should have a look at the options available for your security requirements.
Calibre One offers a wide range of managed security services, including MS365 security enhancements, security awareness training, and network and endpoint security monitoring and protection.