They Got Past Your First Layer. Now What?

A strategic guide to layered Defense in Depth in a Zero Trust world

  • Modern security is no longer about keeping threats out—it’s about being ready when they get in.
  • Prevention is critical, but it’s not enough to keep your organization protected. That’s where Defense in Depth (DiD) comes in.
  • DiD and Zero Trust may seem like rivals, but instead they work together and are stronger for it, too.
  • To build a resilient DiD strategy, balance prevention, detection and response across every layer of your environment. 

“It’s not if, but when,” is the mindset cybersecurity experts are calling for today. Today’s environments—spanning from the cloud and endpoints to hybrid networks—are too distributed and complex to rely solely on perimeter-based security. Sooner or later, those perimeters will be breached. 

In our partnered webinar with SANS, Defense in Depth: Multiple Layers of Protection Fortifying Your Cyber Defense, SANS expert Ted Demopoulos puts it bluntly: “You’re going to be hacked.”  As strong as your firewall may be, a single layer of security can’t withstand the barrage of advanced threats and the complexities of the current threat landscape. 

In 2024, the average cost of a data breach rose 10% to a staggering USD $4.88 million. To make matters worse, breaches aren’t being detected and contained quickly enough. Every day makes a costly difference: on average, breaches that took more than 200 days to contain cost $1.39 million more ($5.46M) than those contained in under 200 days ($4.07M).

Unfortunately, it’s not always a matter of days before a breach is contained. Ted noted two organizations that were infiltrated so deeply that the breaches went undetected for four and eight years, respectively, which may have contributed to one company’s collapse. These examples make the landscape clear: prevention alone isn’t enough. To stop lateral movement and minimize damage when attackers inevitably get in, organizations must shift strategies—and it can literally pay off.

Defense in Depth (DiD) is a strategic response to this reality, where prevention is ideal, but detection is a must and response is essential. Experts like Christopher Mixter and Akif Kahn agree that organizations must move past the “zero tolerance for failure” mindset (2024 Gartner Risk and Security Summit). 

What if they get in?

Ask the defenders of Constantinople. (How’s that for a throwback?) The Theodosian Walls were not one barrier but three: a deep moat, a fortified outer wall and a towering inner wall bristling with archers and relentless Greek fire. For over 1,000 years, that layered defense held back invaders who made it through the first line. That’s the essence of DiD: multiple overlapping layers, each reducing risk and slowing attackers to lessen the chance of full compromise.

More than just strategy, this mindset assumes a breach is impending and prepares accordingly—because no tool is 100% certain to prevent all attacks. That’s what makes DiD so important. The goal isn’t to eliminate all risks, but to reduce them to an acceptable, manageable level.

Every layer in DiD addresses one of the core areas of risk, also known as the CIA Triad: 

  • Confidentiality - Limits access to sensitive data
  • Integrity - Ensures systems and data remain unaltered
  • Availability - Guarantees authorized access when needed

To support these, DiD relies on three types of security controls: 

  • Preventative - Blocks attacks outside the walls (e.g., firewalls, access controls and encryption)
  • Detective - Identifies suspicious activity and raises alarms (e.g., logging, intrusion detection systems and security information and event management (SIEM) systems)
  • Corrective/Response - Contains and remediates incidents (e.g., endpoint isolation, password resets and incident response plans)

Without an adequate response, even timely detection can fail—leading to costly damages and prolonged downtime. A layered approach makes it harder for bad actors to reach their prize, and helps organizations remain resilient even in the face of complex and advanced persistent threats (APTs).

Four strategies for building DiD

A resilient DiD strategy isn’t one-size-fits-all. It’s flexible and tailored to your organization’s risk profile, infrastructure and cloud maturity. In practice, your organization may need a combination of these strategies:

  1. Uniform protection: Apply consistent controls to everything behind your security perimeter. This means setting the same inspection and filtering rules across all systems—like a perimeter firewall or secure web gateway (SWG) enforcing web policies across all users to block malicious sites and unsanctioned apps.
  2. Protected enclaves: Segment networks or high-value assets so they have stronger protection. As Ted shared, a military base disabled USB ports in software then blocked them with epoxy—after testing which kind worked best. Now that’s DiD from the DoD (Department of Defense) taken seriously.
  3. Information-centric security: Protect the data itself—not just the walls around it. Since data moves, your protections should move with it. You’ll want host-level hardening, Data Loss Prevention (DLP), encryption and application controls to guard its every move.
  4. Threat vector analysis: Analyze how attacks are likely to happen and reinforce those weak spots—like vulnerable USB ports or external emails. The main goal is to fortify where you’re most likely to be targeted rather than just applying the same defenses everywhere. 

How DiD works together with Zero Trust 

In Zero Trust, nothing is trusted by default—every user, device and connection is treated as suspicious, whether it’s inside or outside the perimeter. It emphasizes continuous verification with detailed logging and strict access controls.

DiD extends that architecture by adding depth beyond the login, picking up where Zero Trust leaves off with detection, containment and response. It’s Zero Trust principles taken to their logical extreme—continuously allowing access only after executables (like apps and files) prove trustworthy.

While Zero Trust builds the walls, DiD adds layers of them, filled with defenders ready to fight from within.

From philosophy to practice 

DiD is an active, evolving strategy that takes a village. When no single security measure is foolproof, you need overlapping layers that work together seamlessly. Where one fails, another rises to slow down and contain the threat. 

Every organization faces a critical choice—whether to piece together best-of-breed tools or adopt integrated suites. Choosing the right DiD program depends on your team, tools and tolerance for complexity. 

This blog is just the beginning. In our next installment, we’ll walk through what a modern, cloud-aware, endpoint-resilient DiD strategy really looks like—and how smart organizations are getting it right.

To hear directly from Ted and myself, watch the full webinar, Defense in Depth: Multiple Layers of Protection Fortifying Your Cyber Defenses, and download the exclusive whitepaper on modern DiD strategies. 
