Why Your Defense in Depth Plan Might Be All Defense And No Depth

Welcome to your DiD starter pack: This is how smart teams layer detection and response across cloud and hybrid environments

  • In the cloud, traditional perimeters dissolve fast. Knowing who has access to what serves as your first and most important layer.
  • Visibility also needs to extend to endpoints, because if you can’t see it, you can’t really secure it.
  • Speed in threat detection and response can make or break your DiD program, but resilience is what decides if your defenses hold. 

One dangerous assumption can take down even a behemoth of a business: A single security control is enough to defend assets and operations. For those who’d select “strongly disagree” on that statement (hopefully everyone reading this), Defense in Depth (DiD) is the framework for you. DiD goes beyond basic prevention tools like firewalls to create a stack of defenses—where if one layer fails, another stands ready. 

But this isn’t about checking off a list of products to bundle up like a Midwestern kid on his way to school in December. We’re talking about the right layers—not just more of them. Too many security teams pile on detection products and call it a day. But detection without response is a missed opportunity, or worse, a future headline. 

We’ve seen it across virtually every industry: Detective controls fire off alarms, but containment lags behind, giving attackers a chance to move laterally or switch tactics. Companies are left with disrupted operations, leaked data and painful financial losses. The problem isn’t even a missed alert: It’s the assumption that detection alone is enough. 

That’s why response can’t be some afterthought. In our last coverage on the SANS webinar episode, Defense in Depth: Multiple Layers of Protection Fortifying Your Cyber Defense, we made it clear why detection and response controls are needed and what that strategy looks like. Now, find out what solutions separate a defense that holds from one that collapses under pressure.

The rough reality of the cloud

Let’s begin where many defense-only strategies buckle first. In the cloud, traditional perimeters vanish, leaving over-permissioned accounts, poor logging and misconfigurations to stir up risk, confusion and costly blind spots. Bad actors are more than eager to exploit any and every opportunity they can find, especially under the cover of a storm. 

When identity itself becomes your perimeter, securing your operations means asking:

  • Who has access to what—and why?
  • Are your logs reliable and centralized?
  • Do you have visibility into SaaS and API risk?
  • Which controls does your cloud provider cover under the shared responsibility model, and which do you own? 

Layered controls like multi-factor authentication (MFA), a cloud access security broker (CASB) and zero trust network access (ZTNA) are key to locking down access to your cloud. But without clear visibility into your most critical assets, and into who is accessing them, you risk leaving gaps that attackers can exploit, especially through unsecured endpoints.
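The first question above, who has access to what and why, is answerable from policy documents before any monitoring is in place. The following is an added example, not code from the original post or from any vendor product: it audits IAM-style policy documents (the AWS shape of Version, Statement, Effect, Action, Resource and Condition) for the patterns that most often produce an over-permissioned account: wildcard actions, wildcard resources and sensitive Allow statements with no MFA condition. The two policies are constructed for the example, and the finding names and the SENSITIVE_PREFIXES list are this example's own choices, not an AWS definition.

```python
"""Audit IAM-style policy documents for the patterns behind over-permissioned
accounts: wildcard actions, wildcard resources and sensitive Allow statements
that do not require MFA.

Added example, not code from the original post or from any vendor product.
It assumes the AWS IAM policy document shape (Version / Statement / Effect /
Action / Resource / Condition). The two policies below are constructed for
the example; the finding names and the SENSITIVE_PREFIXES list are this
example's own choices, not an AWS definition.
"""
import json

# Assumption: these action namespaces can mint credentials or change trust,
# so an Allow on them should carry an MFA condition.
SENSITIVE_PREFIXES = ("*", "iam:", "sts:", "kms:", "organizations:")


def _as_list(value):
    """IAM allows a bare string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(condition):
    """True when any condition operator asserts aws:MultiFactorAuthPresent == true."""
    for operator_values in condition.values():
        for key, value in operator_values.items():
            if key.lower() == "aws:multifactorauthpresent" and str(value).lower() == "true":
                return True
    return False


def audit_policy(policy_json):
    """Return one finding dict per weak spot in a policy document (empty list = clean)."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            # "*" is every API call; "s3:*" is every call in one service
            if action == "*" or action.endswith(":*"):
                findings.append({"sid": sid, "check": "wildcard_action", "detail": action})
        for resource in resources:
            if resource == "*":
                findings.append({"sid": sid, "check": "wildcard_resource", "detail": resource})
        sensitive = [a for a in actions if a.startswith(SENSITIVE_PREFIXES)]
        if sensitive and not _requires_mfa(stmt.get("Condition", {})):
            findings.append({"sid": sid, "check": "sensitive_without_mfa",
                             "detail": ",".join(sensitive)})
    return findings


# Constructed: the shape of a policy that makes an account over-permissioned.
OVER_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllOfS3", "Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "KeysWithoutMfa", "Effect": "Allow", "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
        {"Sid": "DenyDeleteBucket", "Effect": "Deny", "Action": "s3:DeleteBucket",
         "Resource": "*"},
    ],
})

# Constructed: the same intent scoped to named actions and resources, MFA required.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "RotateOwnKeyWithMfa", "Effect": "Allow", "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})


if __name__ == "__main__":
    for name, doc in (("over-permissive", OVER_PERMISSIVE_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, audit_policy(doc))
```

The over-permissive document yields five findings (three on the admin statement alone) and the least-privilege rewrite yields none. Run against every policy attached to users, groups and roles, this is the "who has access to what" inventory that the rest of the layers depend on; the checker deliberately ignores Deny statements, since they only narrow access.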

Endpoint protection is where DiD gets personal

Your users and their devices are often your riskiest assets. Back in the day, protecting endpoints was relatively simple. Most users had just one (ah, the good ol’ days). Now? Hybrid work has made visibility harder than ever with BYOD and mobile-first setups introducing new vulnerabilities every day. 

Before you start calling workers back to the office, ask yourself:

  • Are your endpoints enrolled in Mobile Device Management (MDM)?
  • Are your policies separating personal and professional data?
  • Are you blocking risky apps and outdated software?

Visibility is a first crucial step to regaining and maintaining control, but without consistent policies that track and isolate threats in motion, you’re just a flaming eye in the sky with no legion to act on what it sees. 

To reduce risk and regain control of your endpoints: 

  • Enforce Mobile Device Management (MDM) enrollment for all corporate access.
  • Use application control tools to block untrusted software and reduce your attack surface.
  • Require MFA for the extra assurance your SOC teams (and future self) will appreciate.

That said, detecting and understanding a threat is only half the battle. You'll need to make sure you can stop it, fast. 

Speed marks the line between containment and collapse 

No environment is breach-proof. Once you’ve built deep visibility, ramp up detection and containment. In today’s cyberscape, speed is everything. 

Detective controls

Think of these controls as your alarm system. They might not stop the intruder, but they help you catch them before they can do irreparable damage. 

  • Logging and SIEM (on-prem + cloud) - Centralize and correlate data across your environments to uncover attack patterns, failed authentications and suspicious lateral movement. It's the context your security teams need to act fast and confidently.
  • Intrusion detection systems (IDSes) - Catch known attack patterns like a motion detector for your network. When paired with response systems, they can trigger automated blocking and containment before attackers gain a foothold.
  • Data Loss Prevention (DLP) - Monitor the movement of any sensitive data: where it's going, who's sending it and how. DLP acts as both a detective and a responsive control, keeping data protected and compliant.
  • Secure Web Gateways (SWGs) - Scan traffic for malicious activity, keeping users safe and networks malware-free. Modern SWGs inspect encrypted traffic (where TLS inspection is deployed) and downloads in real time, log activity and send the data to SIEMs to close critical gaps.
  • Penetration testing - Proactively validate your defenses before attackers can even try. Ted Demopoulos, host of this webinar, recommends testing at least quarterly and mapping the findings to the Cyber Kill Chain to pinpoint your layers' weak spots. 

Responsive Controls

Now, these are your containment tools—the ones that do the threat stopping. If they’re uncoordinated or slow, recovery gets messy and costly (just ask around). 

  • Incident response playbooks - Predefine roles, escalation paths and communication flows before things go sideways. Tabletop exercises on these playbooks help ensure they perform under pressure and keep teams from panicking.
  • Endpoint detection and response (EDR) tools - Detect and isolate compromised devices, preventing lateral movement. EDR turns potential breaches into contained incidents (don’t you love the sound of that?).
  • Security orchestration, automation, and response (SOAR) platforms - Automate the heavy lifting like disabling users, IP blocks and alert escalation. Without automation, your team will drown in alerts, but with it, they’ll act faster and smarter. 
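The SIEM bullet above describes correlating failed authentications and lateral movement across sources, and the SOAR bullet describes turning the result into user disables and IP blocks. The following added example, not code from the original post or from any vendor product, does both in one runnable piece: it parses constructed log records from an identity provider and an endpoint agent, applies two correlation rules, and expands each alert into de-duplicated containment actions through a playbook table. The record layout, the thresholds and the PLAYBOOK connectors are this example's assumptions; real connectors would call the IdP, firewall and EDR APIs.

```python
"""Correlate authentication and logon events from two sources (an identity
provider and an endpoint agent), then map each finding to a containment
action the way a SOAR playbook would.

Added example, not code from the original post or from any vendor product.
SAMPLE_LOG is constructed for the example; the record layout, the thresholds
and the PLAYBOOK connectors are this example's assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: "<UTC timestamp> <source> <event> user=<u> src=<ip> host=<h>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z idp auth_fail user=jdoe src=203.0.113.7 host=sso
2024-05-01T09:00:03Z idp auth_fail user=jdoe src=203.0.113.7 host=sso
2024-05-01T09:00:05Z idp auth_fail user=jdoe src=203.0.113.7 host=sso
2024-05-01T09:00:07Z idp auth_fail user=jdoe src=203.0.113.7 host=sso
2024-05-01T09:00:09Z idp auth_fail user=jdoe src=203.0.113.7 host=sso
2024-05-01T09:00:12Z idp auth_ok user=jdoe src=203.0.113.7 host=sso
2024-05-01T09:02:40Z edr logon user=jdoe src=10.0.5.21 host=ws-021
2024-05-01T09:03:10Z edr logon user=jdoe src=10.0.5.21 host=fs-01
2024-05-01T09:03:45Z edr logon user=jdoe src=10.0.5.21 host=db-02
2024-05-01T09:04:20Z edr logon user=jdoe src=10.0.5.21 host=dc-01
2024-05-01T09:10:00Z idp auth_fail user=asmith src=198.51.100.9 host=sso
2024-05-01T09:30:00Z idp auth_ok user=asmith src=198.51.100.9 host=sso
2024-05-01T09:31:00Z edr logon user=asmith src=10.0.7.3 host=ws-114
"""

FAIL_THRESHOLD = 5                    # failures before a success that count as brute force
FAIL_WINDOW = timedelta(minutes=5)
LATERAL_HOSTS = 3                     # distinct hosts one account touches inside the window
LATERAL_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Turn the constructed log lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "source": source, "event": event, **fields})
    return events


def detect(events):
    """Detective layer: alerts for brute force that succeeded and for lateral movement."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    # Rule 1: many failures from one (user, src) pair, then a success from the same pair.
    failures = defaultdict(list)
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "auth_fail":
            failures[key].append(e["ts"])
        elif e["event"] == "auth_ok":
            recent = [t for t in failures[key] if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_success", "user": e["user"],
                               "src": e["src"], "ts": e["ts"], "failures": len(recent)})
            failures[key].clear()
    # Rule 2: one account logging on to several distinct hosts inside a short window.
    logons = defaultdict(list)
    for e in events:
        if e["event"] == "logon":
            logons[e["user"]].append((e["ts"], e["host"]))
    for user, entries in logons.items():
        for i, (start, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - start <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOSTS:
                alerts.append({"rule": "lateral_movement", "user": user,
                               "ts": start, "hosts": sorted(hosts)})
                break  # one alert per account is enough here
    return alerts


# Assumption: which system acts on which alert. Real connectors would call the
# IdP, firewall and EDR APIs; here each action is only recorded.
PLAYBOOK = {
    "brute_force_success": [("idp", "disable_user"), ("firewall", "block_ip")],
    "lateral_movement": [("idp", "disable_user"), ("edr", "isolate_hosts")],
}


def respond(alerts, dry_run=True):
    """Responsive layer: expand alerts into de-duplicated containment actions."""
    actions, seen = [], set()
    for alert in alerts:
        for system, action in PLAYBOOK[alert["rule"]]:
            target = {"disable_user": alert["user"], "block_ip": alert.get("src"),
                      "isolate_hosts": tuple(alert.get("hosts", ()))}[action]
            if (system, action, target) in seen:
                continue  # two alerts on the same account need only one disable
            seen.add((system, action, target))
            actions.append({"system": system, "action": action,
                            "target": target, "executed": not dry_run})
    return actions


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print("ALERT", a)
    for act in respond(found):
        print("ACTION", act)
```

On the sample data the jdoe account trips both rules (five failures then a success from one address, then four hosts in under two minutes), while asmith's single failure and single logon stay quiet. The playbook collapses the two alerts into three actions, with one disable rather than two, and keeps `dry_run` on by default so the response step can be exercised in a tabletop before it is wired to anything that acts.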

DiD shouldn’t stop at detection. To hold the line, your strategy has to invest in responsive controls—because fast, effective containment is what turns a breach into naught but a blip.

Build for resilience, not perfection

Overlap and redundancy are intentional and beneficial when it comes to DiD; they're what keeps your defenses standing when things go sideways. The strongest program balances prevention, detection and response around your business' actual priorities, not idealized conditions.

At Symantec and Carbon Black, our combined portfolio delivers integrated protection across your entire DiD plan, including Symantec DLP, Symantec Endpoint Security and Carbon Black App Control. Our industry-leading solutions are built to layer seamlessly and reduce friction, with ample room to scale as your business grows.

Want more? Watch the webinar, Defense in Depth: Multiple Layers of Protection Fortifying Your Cyber Defenses, and download the whitepaper for an eye-opening session with Ted Demopoulos and me that will leave you fired up (and fully equipped) to build a defense that holds.
