Why a layered defense is not adequate for protecting networks
Every day we witness breaches and compromised devices at some of the largest corporations. We know from experience that many of these firms use a layered defense to protect their networks. What ends up happening, however, is that these same organizations forget about the embedded systems (IoT devices, for example) that get installed on the network and never get patched; because they are not a PC or server asset, they are simply forgotten. Many of these systems sit in manufacturing (PLCs, for example), or are smart thermostats, smart TVs, or VoIP phone systems. Such platforms often run minimal Linux-based installations or embedded Windows builds (ATMs, for example) in which security researchers keep identifying new issues over time.
In many cases companies focus heavily on IT assets but fail to protect their smart thermostats, security cameras, or embedded VPN concentrators, to name a few. These systems are typically not covered by the patch-management and upgrade processes that respond to newly discovered threats.
As you can see in the diagram above, systems are protected in silos with many walls. All it takes is a single mistake to open a back door into these networks. A better approach is a network-wide control that disrupts the cyber kill chain at some point in the infection process. If the systems hosting the threat actor's malicious content (payload servers and command-and-control hosts) cannot be reached from inside the network, a system cannot be infected even though it remains vulnerable. This holds for any infection path that has to reach an attacker-controlled host to fetch a payload or receive commands, which is why the control has to be enforced for every device on the network rather than only for the managed endpoints.
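The following is an added illustration of the generic control described above, written for this page; it is not the page's own code and it is not the Jigsaw methodology the page refers to. It models the two places where "deny reachability of malicious hosts" can be enforced for every device regardless of whether it is patched: a resolver that sinkholes lookups of listed domains (matching parent domains at label boundaries) and an egress rule that drops direct connections into listed networks. The domains, addresses (documentation-reserved ranges) and log lines are all constructed for the example, and the log format is an assumption.

```python
"""Network-wide blocking of known-bad destinations: an added illustration.

Two controls that apply to every device on the network, managed or not:
  1. a DNS resolver that refuses (sinkholes) lookups of known-bad domains,
  2. an egress rule that drops direct connections to known-bad addresses.
All domains, addresses and log lines below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed threat list: domains are matched exactly and as parents of any
# subdomain; networks are matched by CIDR containment.
BLOCKED_DOMAINS = {"payload.example", "c2.example.net"}
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                    ipaddress.ip_network("203.0.113.7/32")]


def domain_is_blocked(qname: str, blocked: set[str] = BLOCKED_DOMAINS) -> bool:
    """True if qname or any parent domain is on the blocklist.

    'cdn.payload.example' is blocked because 'payload.example' is;
    'notpayload.example' is not, because label boundaries are respected.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return True
    return False


def address_is_blocked(addr: str, networks=BLOCKED_NETWORKS) -> bool:
    """True if the destination address falls inside a blocked network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


@dataclass
class Verdict:
    client: str
    destination: str
    action: str      # "allow" or "block"
    reason: str


def evaluate(line: str) -> Verdict:
    """Apply both controls to one constructed log line.

    Line format (assumed): '<client> dns <qname>' or '<client> conn <ip>'.
    A DNS query for a blocked name is answered from the sinkhole, so the
    client never learns the real address; a direct connection to a blocked
    network is dropped at the egress point.
    """
    client, kind, dest = line.split()
    if kind == "dns":
        if domain_is_blocked(dest):
            return Verdict(client, dest, "block", "sinkholed domain")
        return Verdict(client, dest, "allow", "domain not listed")
    if kind == "conn":
        if address_is_blocked(dest):
            return Verdict(client, dest, "block", "egress to listed network")
        return Verdict(client, dest, "allow", "address not listed")
    raise ValueError(f"unknown record type: {kind!r}")


# Constructed traffic from an unpatched thermostat and a security camera.
SAMPLE_LOG = [
    "thermostat-3f dns cdn.payload.example",
    "thermostat-3f dns time.example.org",
    "camera-12 conn 198.51.100.23",
    "camera-12 dns notpayload.example",
    "camera-12 conn 192.0.2.10",
]


def blocked_events(lines=SAMPLE_LOG) -> list[tuple[str, str]]:
    """Return (client, destination) for every event the controls stop."""
    return [(v.client, v.destination) for v in map(evaluate, lines)
            if v.action == "block"]


if __name__ == "__main__":
    for v in map(evaluate, SAMPLE_LOG):
        print(f"{v.action:5} {v.client:14} {v.destination:24} {v.reason}")
```

Running the block prints one verdict per constructed event: the thermostat's lookup of a subdomain of a listed domain and the camera's direct connection into a listed network are blocked, the rest are allowed. Both checks are only as good as the list behind them, so the list has to be refreshed continuously, and the egress rule matters because a device that already has an address hard-coded never asks the resolver.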
Don't believe us? Read SANS's take on defense-in-depth strategies. These layered approaches are flawed by design.
There are many examples of defense in depth failing. Here are a few more references on the points mentioned above.
Defense in Depth has Failed Us. Now What? - SecurityWeek
US-CERT's take on Defense in Depth
In short, the concept of Defense in Depth (layered defense) is good if, and only if, it can be implemented fully. We can tell you from experience that we have never seen it implemented fully and completely. Because of this, we do not recommend relying on this approach. Check back with us tomorrow to review the Jigsaw protection methodology and find out how you should be protecting your networks by denying threat actors the ability to infect you, even on unpatched and forgotten IoT systems.