Beginner Fundamentals
Defense in Depth
Defense in depth is the principle of never relying on a single security control. If one layer fails, the next one still protects.
The Castle Analogy
Medieval castle:
1. Moat → makes approach difficult
2. Wall → primary barrier
3. Watchtowers → detect intruders
4. Guarded gate → access control
5. Keep → last refuge
If the moat dries up, the wall still stands.
If the wall falls, the watchtowers are still there.
The same reasoning applies to digital systems.
Layers in a Typical Web System
[Internet]
│
▼
[Edge Firewall / WAF] ← layer 1: filters malicious traffic
│
▼
[CDN / DDoS mitigation] ← layer 2: absorbs volume attacks
│
▼
[Load Balancer + TLS termination] ← layer 3: encryption in transit
│
▼
[API Gateway + authentication] ← layer 4: validates identity
│
▼
[Application service] ← layer 5: role-based authorization
│
▼
[Encrypted database] ← layer 6: data protected at rest
Practical Example: Compromised Credential Attack
The attacker has a valid employee username and password.
Layer 1 — MFA blocks: password alone is not enough
Layer 2 — Unusual IP triggers alert (UEBA)
Layer 3 — RBAC limits: user can only access their own data
Layer 4 — Logs audit every action
Layer 5 — Anomaly detected → session automatically revoked
Even with a valid credential, the attacker encounters barriers at every step.
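A small model of that scenario, added here as an example (not code from the original page): each layer is an independent check that runs even when an earlier one already denied, so removing one layer leaves the others' protection intact. User names, IP addresses and record ids are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data: alice's password is known to the attacker.
KNOWN_IPS = {"alice": {"203.0.113.10"}}          # IPs seen for each user before
RECORD_OWNER = {"rec-1": "alice", "rec-2": "bob"}  # who owns each record

@dataclass
class Request:
    user: str
    password_ok: bool
    mfa_ok: bool
    src_ip: str
    record: str
    actions_this_minute: int = 0

@dataclass
class Decision:
    allowed: bool = True
    alerts: list = field(default_factory=list)
    audit: list = field(default_factory=list)

def layer_mfa(req, d):      # MFA: password alone is not enough
    if not (req.password_ok and req.mfa_ok):
        d.allowed = False
        d.alerts.append("mfa_failed")

def layer_ueba(req, d):     # UEBA: unusual IP raises an alert, does not block
    if req.src_ip not in KNOWN_IPS.get(req.user, set()):
        d.alerts.append("unusual_ip")

def layer_rbac(req, d):     # RBAC: user may only access their own data
    if RECORD_OWNER.get(req.record) != req.user:
        d.allowed = False
        d.alerts.append("rbac_denied")

def layer_anomaly(req, d, threshold=20):  # burst of actions revokes the session
    if req.actions_this_minute > threshold:
        d.allowed = False
        d.alerts.append("session_revoked")

def layer_audit(req, d):    # audit runs last so it records the final outcome
    d.audit.append(f"{req.user} {req.src_ip} {req.record} allowed={d.allowed}")

LAYERS = [layer_mfa, layer_ueba, layer_rbac, layer_anomaly, layer_audit]

def evaluate(req, layers=LAYERS):
    d = Decision()
    for layer in layers:    # every layer runs; no layer relies on another
        layer(req, d)
    return d
```

Dropping `layer_mfa` from `LAYERS` (simulating a failed control) still leaves the attacker's request denied by RBAC, which is the point of the layering.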
Controls by Category
Preventive → firewall, MFA, encryption, RBAC
Detective → SIEM, IDS, audit logs, UEBA
Responsive → automatic blocking, quarantine, SOC alert
Recovery → backup, DRP, incident runbook
The Common Mistake
The most common mistake is investing heavily in the perimeter (firewall) while neglecting internal controls. Once an attacker crosses the firewall (via phishing or a compromised VPN), they find a clear path inside.
Conclusion
Defense in depth does not eliminate attacks — it reduces the probability of success and limits impact when they occur. Each additional layer increases the cost and time the attacker needs to advance.