No single security control is perfect. Defense-in-Depth (DiD) layers multiple, diverse controls (physical, technical, administrative) so that if one fails, subsequent layers contain the threat and provide time for detection and response.
DiD operates like concentric rings: Physical security (badge access), Perimeter (Firewalls/WAF), Internal Network (Segmentation/IDS), Host (Endpoint AV/HIDS), and Data (Encryption). An attacker must bypass every ring to reach the crown jewels.
💡 Pro-tip: Ensure your layers are diverse. Using two firewalls from the same vendor with the same OS provides redundancy, but not true Defense-in-Depth against a vendor-specific zero-day exploit.
```yaml
# DiD Policy Example
- layer: Perimeter
  control: NGFW with IPS
- layer: Network
  control: Microsegmentation + Zeek
- layer: Host
  control: EDR + Host Firewall
- layer: Data
  control: AES-256 at rest
```

This YAML snippet illustrates a multi-layered approach where a breach at the perimeter still faces network microsegmentation and host-level EDR.
DiD also encompasses availability. If a security device fails, it should default to a 'fail-secure' state (blocking traffic) rather than 'fail-open', unless high availability is strictly required to maintain business operations.
⚠️ Over-layering can lead to 'security fatigue' and administrative complexity. If policies conflict across layers, troubleshooting becomes a nightmare. Centralized policy management is essential.
| Layer | Control | Failure Mode |
|---|---|---|
| Perimeter | Edge Firewall | Fail-Secure (Drop) |
| Network | IDS Sensor | Fail-Open (Monitor) |
| Host | EDR Agent | Quarantine Host |
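To make the failure modes in the table concrete, here is an added example (not code from the original page) that walks a request through the rings of the YAML policy above, applies each device's fail-open or fail-secure behaviour when it is down, and flags rings that share a vendor. The zone names, port rules, vendors and requests are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass
class Layer:
    name: str
    control: str
    vendor: str                     # used by the diversity check
    fail_open: bool                 # True: passes traffic when the device is down
    check: Callable[[dict], bool]   # True: this layer allows the request

def evaluate(request: dict, layers: Iterable[Layer],
             failed: Iterable[str] = ()) -> tuple[str, list[str]]:
    """Walk the rings outermost first; a failed device applies its failure mode."""
    down, trace = set(failed), []
    for layer in layers:
        if layer.name in down:
            if layer.fail_open:
                trace.append(f"{layer.name}: down, fail-open (blind spot)")
                continue
            trace.append(f"{layer.name}: down, fail-secure, dropped")
            return "BLOCK", trace
        if not layer.check(request):
            trace.append(f"{layer.name}: blocked by {layer.control}")
            return "BLOCK", trace
        trace.append(f"{layer.name}: allowed")
    return "ALLOW", trace

def diversity_gaps(layers: Iterable[Layer]) -> dict[str, list[str]]:
    """Vendors shared by more than one ring: redundancy, not true DiD."""
    by_vendor: dict[str, list[str]] = {}
    for layer in layers:
        by_vendor.setdefault(layer.vendor, []).append(layer.name)
    return {v: names for v, names in by_vendor.items() if len(names) > 1}

# Constructed sample policy mirroring the YAML above; vendors are placeholders.
SEGMENTS = {("dmz", "app"), ("app", "db")}   # allowed zone-to-zone flows
LAYERS = [
    Layer("Perimeter", "NGFW with IPS", "VendorA", fail_open=False,
          check=lambda r: r["dst_port"] in (443, 22)),
    Layer("Network", "Microsegmentation + Zeek", "VendorB", fail_open=True,
          check=lambda r: (r["src_zone"], r["dst_zone"]) in SEGMENTS),
    Layer("Host", "EDR + Host Firewall", "VendorA", fail_open=False,
          check=lambda r: not r.get("known_bad_hash", False)),
]

if __name__ == "__main__":
    req = {"dst_port": 443, "src_zone": "dmz", "dst_zone": "db"}
    print(evaluate(req, LAYERS), evaluate(req, LAYERS, failed={"Network"}))
    print(diversity_gaps(LAYERS))
```

The second call shows the point of the table's "Fail-Open (Monitor)" row: with the passive network sensor down, a flow that microsegmentation would have stopped reaches the host ring, so only the EDR layer stands between it and the data.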