Explain defense in depth and give an example.
Short answer
Defense in depth means layering multiple independent security controls so that if one fails, others still protect the asset. It assumes no single control is perfect — for example combining a firewall, network segmentation, endpoint protection, MFA, least privilege, and encryption rather than relying on a perimeter alone.
Defense in depth is the recognition that every single control will eventually fail or be bypassed, so you should never bet everything on one. Instead you stack independent layers, forcing an attacker to defeat several different obstacles to reach the goal.
The layers
A practical deployment might combine controls across several domains:
- Perimeter: firewalls, intrusion prevention, email and web filtering.
- Network: segmentation and VLANs so a foothold in one zone can't reach everything.
- Endpoint: EDR/antivirus, hardening, patch management.
- Identity: strong authentication, MFA, least privilege.
- Data: encryption at rest and in transit, backups, DLP.
- People and process: awareness training, logging, and monitoring that catch what the technical controls miss.
The key is independence. Two controls that fail for the same reason (e.g. both rely on the same admin password) don't add real depth. Good layers cover different attack stages and fail in different ways.
A concrete example
An attacker phishes an employee's password. MFA blocks the login. If they bypass MFA, least privilege limits what the account can touch. If they reach a server, segmentation stops lateral movement. If they exfiltrate data, encryption and DLP reduce the damage, and monitoring raises an alert. No single layer is perfect, but the chain is hard to break end to end.
Why this matters
Interviewers want to see that you don't believe in a silver bullet. A strong answer names layers across multiple domains, stresses that they must be independent, and connects the idea to "assume breach" thinking — the modern mindset that an attacker will get past the outer wall, so the inner ones matter just as much.
Likely follow-ups
- How does defense in depth relate to assuming breach?
- What's the difference between layered controls and redundant controls?
- Where does zero trust fit relative to defense in depth?