Defense in Depth - Tiefenverteidigung
Defense in Depth (DiD) is a security architecture principle that stacks multiple independent layers of protection so that the failure of any single layer does not lead to a complete compromise of the system. The concept originates from military strategy and was adapted by the NSA for IT security. Each layer compensates for the weaknesses of the others.
Defense in Depth (DiD) is based on a simple premise: No single security system is perfect. Firewalls can be bypassed, antivirus software doesn’t detect all malware, and employees click on phishing links. The solution isn’t a single perfect system—it’s an architecture where the failure of one layer is mitigated by the next.
DiD Layer Model
Defense in Depth - Layers from the outside in:
Layer 1: Perimeter Security
→ Firewall (NGFW): Port/protocol filtering, IPS
→ DDoS protection: Cloudflare, AWS Shield, Akamai
→ Email gateway: Spam filtering, malware scanning, anti-phishing
→ Web Application Firewall (WAF): OWASP Top 10 protection
→ DNS filtering: Blocking malicious domains (Cisco Umbrella, Zscaler)
Layer 2: Network Security
→ Network Segmentation: VLANs, DMZ, Microsegmentation
→ Intrusion Detection/Prevention (IDS/IPS)
→ Network Access Control (NAC): Only known devices on the network
→ VPN for Remote Access (or ZTNA as an alternative)
→ Network Detection & Response (NDR): Anomaly Detection
Layer 3: Endpoint Security
→ EDR (Endpoint Detection & Response): CrowdStrike, Defender
→ Patch Management: up-to-date operating systems + applications
→ Disk Encryption: BitLocker, FileVault
→ Application Whitelisting: only permitted software can be executed
→ Host-based Firewall: local firewall rules
Layer 4: Application Security
→ Secure Development: SAST, DAST, SCA in CI/CD
→ Input Validation: Prevent SQL injection, XSS
→ Authentication: MFA for all systems
→ API Security: Rate limiting, authentication, input validation
→ Web Application Firewall: Application-specific rules
Layer 5: Data Security
→ Data Encryption (at rest + in transit)
→ Data Loss Prevention (DLP): Prevent data leakage
→ Backup (3-2-1 Rule): Ransomware resilience
→ Access Controls: Least privilege
→ Data Classification: Who needs which data?
Layer 6: Identity & Access
→ Zero Trust: "Verify Explicitly" – authenticate every request
→ Privileged Access Management (PAM): Protect admin access
→ IGA (Identity Governance & Administration): Regular permission reviews
→ Single Sign-On + MFA: Centralized authentication
Layer 7: Monitoring & Response
→ SIEM: Centralized log aggregation and correlation
→ SOC: 24/7 monitoring and incident response
→ Threat Intelligence: Incorporate external threat information
→ Incident Response Plan: When all layers fail
Core Principle:
An attacker MUST overcome all relevant layers
→ Increased effort + time → better chances of detection!
→ Each layer gives the defender time to react
Why DiD is indispensable
Real-world attack scenario without DiD:
1. Phishing email → Employee clicks link
2. Malware installed → No EDR (only antivirus, signature-based)
3. Lateral movement → No network segmentation, flat network
4. Ransomware encrypts domain controller + all shares
5. Backup encrypted (was on the same network!)
→ Total failure, no chance of detection
The same scenario WITH DiD:
1. Phishing email → Email gateway blocks 95% (Layer 1)
→ Email gets through → Employee clicks
2. DNS filter blocks C2 domain (Layer 1) → Malware cannot communicate back to the command-and-control server
→ Malware uses a different technique (HTTPS to a legitimate service)
3. EDR detects suspicious behavior (Layer 3) → Alert → SOC
→ SOC responds in < 1 hour
4. Network segmentation prevents lateral movement (Layer 2)
→ Attacker remains in the marketing VLAN, cannot reach the DC
5. PAM: DC is protected with Privileged Access (Layer 6)
→ Incident: 1 compromised endpoint → isolated → remediated
→ No production downtime, damage limited
DiD cost-benefit:
→ Single layer 100% secure: impossible + extremely expensive
→ Many layers 80% secure: realistic + significantly cheaper
→ Result: 0.8^7 ≈ 21% chance for the attacker to get past all seven layers (instead of 100%!)
→ More realistic: each layer slows down the attack + gives time for detection
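As an added example (not part of the original article), a small Python model of the layer product behind the 0.8^7 figure above, extended to the correlated-failure case from the flat-network scenario: a backup that sits on the same network it is meant to survive adds no independent layer. The layer names, the per-layer probabilities and the depends_on field are constructed assumptions, not measurements.

```python
from math import prod

# Constructed layer table for the seven-layer model on this page.  "pass" is the
# assumed probability that an attack gets through the layer; "depends_on" names a
# layer whose bypass also bypasses this one (e.g. a backup stored on the flat
# network the attacker already roams).  All values are illustrative.
SEVEN_LAYERS = {
    "perimeter":   {"pass": 0.8, "depends_on": None},
    "network":     {"pass": 0.8, "depends_on": None},
    "endpoint":    {"pass": 0.8, "depends_on": None},
    "application": {"pass": 0.8, "depends_on": None},
    "data":        {"pass": 0.8, "depends_on": None},
    "identity":    {"pass": 0.8, "depends_on": None},
    "monitoring":  {"pass": 0.8, "depends_on": None},
}


def independent_layers(layers: dict) -> list:
    """Names of layers that do not share a failure mode with another layer."""
    for name, layer in layers.items():
        dep = layer["depends_on"]
        if dep is not None and dep not in layers:
            raise ValueError(f"{name} depends on unknown layer {dep!r}")
    return [n for n, l in layers.items() if l["depends_on"] is None]


def attack_success_probability(layers: dict) -> float:
    """Probability an attack gets past every layer.

    Independent layers multiply, because the attacker must pass all of them.
    A dependent layer only matters when its parent was already bypassed, and in
    that case it is bypassed too, so it contributes a factor of 1 and is skipped.
    """
    return prod(layers[n]["pass"] for n in independent_layers(layers))


def correlated(layers: dict, child: str, parent: str) -> dict:
    """Return a copy of the layer table in which `child` shares `parent`'s failure."""
    copy = {k: dict(v) for k, v in layers.items()}
    copy[child]["depends_on"] = parent
    return copy


if __name__ == "__main__":
    print(f"7 independent layers at 0.8: {attack_success_probability(SEVEN_LAYERS):.3f}")
    # Flat-network scenario: bypassing segmentation also reaches the backup, so the
    # data layer no longer counts as an independent barrier (0.8^6, not 0.8^7).
    flat = correlated(SEVEN_LAYERS, "data", "network")
    print(f"backup on the flat network:  {attack_success_probability(flat):.3f}")
```

The dependent-layer rule is what makes "backup encrypted (was on the same network!)" a loss of a whole layer rather than a partial weakening.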
DiD in Practice
Prioritization of layers (Basic → Advanced):
Minimum Viable Security (SME Start):
Priority 1: Patch Management (prevents 85% of known exploits)
Priority 2: MFA for all accounts (prevents credential attacks)
Priority 3: EDR on all endpoints
Priority 4: Backup (offline/immutable!) following the 3-2-1 rule
Intermediate Security:
+ Email Security (SPF/DKIM/DMARC + Anti-Phishing)
+ Network Segmentation (Server VLAN, Client VLAN, DMZ)
+ Firewall Rules (deny-by-default)
+ SIEM: Centralized Logs + Alerting
Advanced Security:
+ Zero Trust Network Access (ZTNA)
+ PAM + JIT access for admins
+ Threat intelligence integration
+ SOC or MSSP
+ Continuous vulnerability scanning (CTEM)
DiD Assessment Questions:
□ If an employee clicks on a phishing link—what happens then?
□ If an endpoint is compromised—can the attacker move laterally?
□ If the DC goes down—what is our recovery plan?
□ How long does it take for us to detect an attack (MTTD)?
→ Good DiD: Attack is detected in layers 2–3 before critical data is affected