Advanced Security #defence-in-depth #SIEM #cloud-security #controls

Defence in Depth

5 exercises — master defence-in-depth vocabulary: layered security architecture, preventive / detective / corrective control classification, WAF vs application-layer limits, complete logging pipeline requirements, and the cloud shared responsibility model.

0 / 5 completed

Defence in depth quick reference

Defence in depth — multiple, independent, overlapping controls; attacker must defeat every layer. No single control is sufficient.
Layers — Perimeter (firewall/WAF) → Host (OS hardening/EDR) → Application (auth/input validation) → Data (encryption/least privilege) → Detective (SIEM/logs) → Corrective (IR/backups).
Preventive — stops attacks: auth, rate limiting, parameterised queries, WAF.
Detective — identifies attacks: SIEM, audit logs, anomaly detection, IDS. Requires: structured logs + immutable storage + alert rules + response playbook.
Corrective — limits damage, restores service: account lockout, circuit breaker, backup restoration, IR plan.
WAF limitation — covers known signatures; cannot replace application-level input validation, CSRF protection, IDOR checks, or business logic validation.
Shared responsibility — CSP = infrastructure security; Customer = IAM, application, data encryption, configuration, logging, IR.

1 / 5

A CISO presents the company's security strategy and says: "Our primary architectural principle is defence in depth. This means we don't rely on any single control — we have multiple overlapping layers."

What does this mean in practice, and why is it necessary?

Defence in depth — the principle that security controls must overlap because any single control can fail or be bypassed. The attacker must defeat all layers, not just one.

Classic defence-in-depth layers for a web application:

Layer	Controls	What it stops
Perimeter / network	Firewall, WAF, DDoS mitigation, CDN	Port scans, volumetric DDoS, known exploit signatures
Host / endpoint	OS hardening, patch management, EDR, read-only filesystems	OS vulnerabilities, malware, privilege escalation
Application	Authentication, authorisation, input validation, CSRF protection	Injection, broken auth, privilege escalation
Data	Encryption at rest, encryption in transit, least privilege, backups	Data theft, ransomware, insider threats
Detective	SIEM, audit logging, anomaly detection, IDS	Catches attacks bypassing preventive controls; enables response
Response	IR plan, backups, runbooks, tabletop exercises	Limits damage when attacks succeed; provides recovery path

Why single controls fail:
• WAF: rules based on known attack signatures; novel zero-day techniques bypass rules
• Authentication: even strong auth can be bypassed by session fixation, account takeover, or social engineering
• Encryption: protects data at rest; useless if the attacker has valid credentials to the DB
• Input validation: application-layer logic can have edge cases; parameterised queries act as a second layer

Defence in depth vs security theatre:
Layers must be independent and genuinely add security. Adding a second signature-based WAF with identical rules is not defence in depth — one successful bypass defeats both. True depth: a WAF (signature-based) + application input validation (semantic-based) + parameterised queries (structural) — three independent mechanisms that an attacker must defeat differently.

Key vocabulary:
• Defence in depth — multiple, independent, overlapping security controls from different categories; attacker must bypass all layers
• Preventive control — a control that stops an attack from succeeding: firewall, authentication, input validation, WAF
• Detective control — a control that identifies when an attack has occurred or is occurring: SIEM, audit logs, anomaly detection, IDS
• Corrective / response control — a control that limits damage or restores service after an attack: IR plan, backups, isolation procedures

2 / 5

A security engineer classifies controls on a risk register as preventive, detective, or corrective. A colleague asks: "Can you give me examples of all three types for our API?"

All three control types are needed in a complete security design. Preventive controls have gaps, detective controls catch what slips through, and corrective controls limit damage and restore operation.

Expanded API control examples:

Control type	API examples	Threat it addresses
Preventive	OAuth 2.0 + PKCE for authentication	Unauthorised access
	Rate limiting + throttling (per IP, per user)	Brute force, credential stuffing, DoS
	Parameterised queries, input schema validation	SQL injection, XXE, null byte injection
	TLS 1.2+, HSTS, no sensitive data in URLs	Man-in-the-middle, credential interception
Detective	Alert on 100+ 401/403 responses in 60s from one IP	Credential stuffing in progress
	Alert on unusual data volume per user session	Data exfiltration
	SIEM correlation: new IP for known user + time-of-day anomaly	Account takeover
	Structured logging with immutable audit trail	Forensic evidence for post-incident investigation
Corrective	Auto-lock account after 5 failed auth attempts	Limits damage from ongoing brute force
	Circuit breaker on downstream auth service	Limits cascade failure from auth abuse
	Automated token revocation on anomaly detection	Stops a potentially compromised session
	Point-in-time database restore + data validation	Recovery from data corruption or deletion

Additional control types (extended taxonomy):
• Deterrent controls — make attacks less attractive (legal notices, visible security monitoring signs, bug bounty programmes)
• Compensating controls — alternative controls when the primary control cannot be implemented (MFA as a compensating control when a legacy system can't enforce strong passwords)
• Physical controls — access cards, CCTV, mantrap doors (relevant for on-premise and data centre environments)

Key vocabulary:
• Preventive control — blocks an attack before it can cause damage: authentication, authorisation, input validation, encryption in transit, WAF rules
• Detective control — identifies that an attack has occurred or is occurring: SIEM alerts, audit logs, anomaly detection, intrusion detection systems
• Corrective control — responds to and limits damage from a successful attack: automated account lockout, circuit breaker, backup restoration, IR playbook execution
• Compensating control — an alternative control deployed when the primary control is not feasible; documents why the primary control cannot be used

3 / 5

An architect asks during a security review: "We have a WAF, firewall, MFA, and audit logs. Is that sufficient defence in depth, or are we missing layers?"

A complete defence-in-depth analysis requires examining all layers systematically. Common gaps: application-layer input validation, data-layer encryption and least privilege, and corrective/recovery controls.

Gap analysis for the described controls:

Layer	Present?	Gap / question
Network perimeter	✓ Firewall, WAF	Are unused ports blocked? Are egress rules defined?
Authentication	✓ MFA	Is authorisation also defined? Are service accounts protected?
Application code	? WAF covers known patterns	Gap: Input validation, CSRF tokens, output encoding are code-level controls WAF cannot replace
Data protection	? Not mentioned	Gap: Encryption at rest, DB least privilege, tokenisation of PII/PAN, key management
Host / endpoint	? Not mentioned	Gap: OS patching cadence, container hardening, EDR, secrets management (no env var credentials)
Detective	✓ Audit logs	Are logs sent to immutable storage? Are alert rules defined? Is there a response process?
Corrective / recovery	? Not mentioned	Gap: IR plan, backup strategy, RTO/RPO definition, tabletop exercises

Why WAF does not replace application-layer controls:
• Business logic flaws (OWASP A04 Insecure Design) are semantic, not syntactic — WAF cannot understand your business rules
• IDOR bugs (access control failures) look like normal requests to a WAF
• Custom injection payloads that evade signature-based WAF rules remain a risk
• Application-layer controls are 10x cheaper to implement than post-breach remediation

Key vocabulary:
• WAF (Web Application Firewall) — a proxy that filters HTTP traffic against known attack signatures; effective for known patterns but cannot replace semantic application-layer validation
• Business logic flaw — a vulnerability in the workflow or rules of a system; cannot be detected by signature-based tools; requires application-aware security testing
• IDOR (Insecure Direct Object Reference) — a broken access control vulnerability where an attacker can access other users' resources by manipulating IDs in requests
• Tokenisation — replacing sensitive data (PAN, SSN, PII) with a non-sensitive token; the token map is stored separately in a high-security token vault

4 / 5

A developer says: "We've just enabled logging for all API endpoints. That covers the detective layer of defence in depth, right?"

A security engineer says: "Not quite." What is still missing?

A mature detective control is a complete pipeline: event → structured log → centralised immutable storage → alert rule → notification → response playbook. Any break in this pipeline leaves a gap.

Detective control pipeline requirements:

Component	Why it matters	Common gap
Structured logging	Machine-parseable (JSON); enables automated alert correlation	Unstructured text logs that can't be queried reliably
Log content	Must include: timestamp, user_id, IP, action, resource, status code, request_id	Logging only HTTP status codes without context
Immutable storage	Logs in separate system (SIEM, S3 + WORM); attacker can't modify or delete	Logs stored on the same server as the application
Alert rules	Defined conditions that fire automatically: 50x errors/min, new geo, IDOR pattern	Logs exist but no one checks them unless manually reviewing
Alert routing	Alerts go to the right person/team via PagerDuty, Slack, email, ITSM ticket	Alerts firing to inbox that nobody monitors
Response playbook	Defined steps to take when specific alerts fire: triage, escalate, contain, document	Alert fires; team unsure what to do; slow response; alert fatigue
Retention policy	Retain logs for sufficient duration (90 days active, 1 year archive typical)	Logs deleted after 7 days; forensic evidence unavailable for incident investigation

PII considerations in logs:
Logs must NOT contain: passwords, credit card numbers, full social security numbers, session tokens, API keys. These should be masked, excluded, or tokenised. Logging PII may itself be a compliance violation (GDPR, PCI-DSS). Structured logging frameworks (e.g., using a log sanitiser) can automatically redact sensitive fields.

Key vocabulary:
• Structured logging — log output in a consistent machine-parseable format (JSON) with defined fields; enables automated querying and alerting
• SIEM (Security Information and Event Management) — centralised platform that aggregates logs from multiple sources, correlates events, and triggers alerts; examples: Splunk, Elastic SIEM, AWS Security Lake
• Alert fatigue — the condition where excessive or low-quality alerts cause security teams to stop responding to or trusting alerts; poor signal-to-noise ratio
• Immutable log storage — log storage where records cannot be modified or deleted after creation; WORM (Write Once, Read Many) policy; prevents attacker log tampering

5 / 5

A team debates: "We're moving to cloud-native. In the cloud, the CSP handles physical security, network security, and hypervisor security. Does that reduce the number of defence-in-depth layers WE need to implement?"

The AWS/Azure/GCP shared responsibility model explicitly divides security responsibilities. Understanding where the boundary lies is foundational for cloud security architecture.

AWS Shared Responsibility Model:

AWS Responsibility ("Security OF the cloud")	Customer Responsibility ("Security IN the cloud")
Physical data centre security	IAM user/role permissions and policies
Hardware maintenance and fault tolerance	S3 bucket policies and ACLs
Hypervisor isolation between tenants	Security group and NACL rules
Network backbone and IaaS network security	EC2 OS patching, anti-malware
Managed service patching (RDS engine, Lambda runtime)	Application code security
AWS CloudTrail infrastructure	Enabling and monitoring CloudTrail; defining alert rules
KMS infrastructure security	Enabling encryption on S3, RDS, EBS; key rotation policy

Shared responsibility model: the "varies by service" zone:
• IaaS (EC2): Customer patches OS, configures firewall, manages runtime
• PaaS (Elastic Beanstalk, Fargate): AWS manages platform; customer manages app and data
• SaaS (Salesforce-style): Provider manages almost everything; customer manages user access and data usage

Defence in depth in cloud = CSP layers + customer layers:
• Perimeter: VPC security groups (customer), AWS Shield (AWS), AWS WAF (customer configures)
• Identity: IAM (customer configures), AWS IAM Identity Centre (customer configures)
• Application: customer-owned code security
• Data: Customer enables encryption; AWS manages KMS infrastructure
• Detective: Customer enables CloudTrail, GuardDuty, Security Hub; sets up alerts
• Response: Customer owns IR plan; AWS provides incident support under Enterprise Support

Key vocabulary:
• Shared responsibility model — the division of security responsibilities between the cloud provider (infrastructure) and the customer (configuration, application, data); different boundary for IaaS vs PaaS vs SaaS
• Security OF the cloud — AWS/Azure terminology for CSP-owned responsibilities: physical infrastructure, hypervisor, managed service patching
• Security IN the cloud — customer-owned responsibilities: IAM, network configuration, application code, data encryption, logging, incident response
• Misconfiguration — the most common root cause of cloud breaches; overly permissive S3 buckets, wildcard IAM policies, publicly-exposed databases; entirely within customer responsibility