Defense in Depth
Daniel Berman
February 29, 2024
Defense in depth is a cybersecurity approach that asks companies to build and combine many different layers of security measures. Rather than rely on one measure of security, defense in depth tells us to build a series of security layers so that if one fails, another takes its place. The goal of the approach is prevention – to make it as difficult as possible for an attacker to succeed.
Home security takes a similar approach. To protect a home, you don’t merely lock the door and call it a day. Instead, you might add a deadbolt to the door, lock the windows, wire up an alarm system, and install home security cameras.
To gain access to your home, an invader would have to break through every layer of security, with each requiring different skills and tactics. Adding layers of security doesn’t just make it cumulatively harder to break into the home; the layers make it exponentially more difficult.
Defense in depth is the same approach but applied to IT and application security. The difference, of course, is that while a home is a single object around which you can build a perimeter, a company and its array of applications and services can be vulnerable to many more types of attacks.
The same principle still applies, but the defense has to be deeper, so in this article, we’ll explain defense in depth, explore how it works, and take a look at some examples of defense in depth in action.
What is defense in depth, and why is it important?
Defense in depth is a cybersecurity methodology that applies multiple, independent mitigation techniques to the same vulnerability, so that no single control is the only thing standing between an attacker and success.
The term originates from a 2012 paper by the National Security Agency (NSA). The paper describes defense in depth as a “practical strategy for achieving Information Assurance in today’s highly networked environments.” The strategy is even more relevant a decade later because modern environments have become more highly networked.
Defense in depth frames security as a series of layers rather than one perimeter. Adopting this approach forces security teams to balance pessimism against optimism. Instead of adopting a new tool or practice and assuming you’re now safe from whichever attack it purports to protect you from, defense in depth asks you to assume that the measure you adopted fails. What then?
Companies that think from a defense in depth perspective still adopt the best tools and practices, but they also prepare for when they fail. They ensure that even if an attacker manages to defeat one security measure, they’ll have to beat numerous other ones to actually succeed.
Defense in depth is important because attackers and their forms of attack are only getting more sophisticated and more scalable. If companies want to avoid breaking headlines as the next big data breach, then they need to build defenses that are deep and not shallow.
How does defense in depth work?
Defense in depth works through three layers: physical, administrative, and technical (the last of which is most relevant to security professionals). Each layer can be broken down into numerous methods, meaning an effective defense in depth strategy uses these three layers and knits together many more methods within each layer.
Physical
Physical security controls protect material, in-person access to company systems. Physical security systems can include locked gates and doors as well as cameras and guards.
Administrative
Administrative controls are policies and procedures that supply employees and users with security guidance and encourage them to follow it. Administrative controls might be codified in an employee handbook and include things such as cyber hygiene, delivered during the hiring process, taught during security courses, and re-taught in company phishing tests.
Technical
Technical controls, where defense in depth gets really deep, include all the hardware and software companies might use to protect their systems and resources.
Examples of technical controls abound, including:
Antivirus software installed on employee machines
Encryption for data at rest and in motion
Multi-factor authentication that manages who can use company systems and approval-based access that controls who can use especially important resources
Vulnerability scanners, such as Snyk, that look for vulnerabilities in open source software, code, and containers
Firewalls and other network security measures
In reality, an uncoordinated combination of security measures is only technically defense in depth. A true defense in depth strategy maps out the attack path that an attacker might take, erects numerous defenses along that path, and then multiplies that effort across every possible attack path.
Examples of defense in depth
Defense in depth is best understood by example because it’s the kind of methodology intuitive in theory but hard to implement in practice – not least because it’s always possible to go deeper and include further layers.
Defense in depth via multiple tactics
As described above, a good defense in depth strategy doesn’t merely bucket together various tactics; instead, a good defense in depth strategy evaluates an attack path and builds layers of defense along that path.
Let’s walk through one example.
Consider cross-site scripting attacks. A cross-site scripting attack is when an attacker uses a web application to send malicious code to a user via browser-side script. Research from Unit42 shows that across 6,443 vulnerabilities published between November 2021 and January 2022, cross-site scripting stood out as one of the most common attack vectors.
Data like this should be galling because successful cross-site scripting can result in account impersonation, spying on users, the ability for attackers to load external content on user machines, and the stealing of sensitive data.
The typical, and largely effective, strategy for protecting against such attacks is to use input validation, which OWASP describes as “Ensuring that all variables go through validation and are then escaped or sanitized.” Using popular frameworks like React and Angular can make it easier to validate variables, but even then, security gaps persist, and cross-site scripting remains possible.
With defense in depth in mind, companies should assume attackers can defeat these common measures, meaning that they should add more layers of protection, such as output encoding, HTML sanitization, safe sinks, and content security policies. With these methods and more woven together, companies can feel more confident about being safe from cross-site scripting attacks.
Defense in depth via multiple products
Alongside adopting and implementing multiple security techniques, companies will also want to consider implementing extensible security products that offer multiple layers of protection.
An excellent tool-based defense in depth strategy also relies on companies not bucketing together an overwhelming amount of tools and calling it defense in depth. According to 451 Research, 39% of companies use between 11 and 30 monitoring tools at one time, and almost 10% use between 21 and 30. This situation, commonly called “tool sprawl,” burdens employees with too many alerts and interfaces to track.
It’s often more practical to adopt feature-rich products that offer many different integrations, ensuring you can use them as part of a coordinated defense in depth strategy.
Snyk, for example, comes with numerous products, such as:
Snyk Open Source, which scans for vulnerabilities introduced through dependencies
Snyk Container, which scans for vulnerabilities introduced through container images
Snyk Code, which scans code for vulnerabilities introduced by people not using secure coding practices
Snyk IaC, which scans infrastructure as code to find misconfigurations and ensures compliance with security policies…
Extensible products like these can form an effective layer of protection in a larger defense in depth strategy.
Make it as hard as possible for attackers to succeed
Defense in depth proceeds from the assumption that attackers are out there and will eventually attack your company. Once you adopt this assumption, you can shift away from thinking of security as a single layer of defense and toward thinking of security as a multi-layered process of prevention.
The uncomfortable reality of security is that no best practice is perfect, no tool is invulnerable, and no company can implement and maintain perfect security policies, especially at scale. Given enough time and enough resources, attackers can breach almost any defense.
It’s with this understanding in mind that defense in depth shines. The end goal is to make it as difficult as possible for an attacker to succeed, to ensure that every time an attacker defeats a defense, they have another one to confront. Attackers ultimately don’t have infinite time and resources, so the harder you make it for them to succeed, the less likely you’ll suffer an attack.