How well does “defense in depth” really work?

“Defense in depth,” or the layering of multiple security products, is a commonly employed security strategy and best practice.

Central to the concept of layered security is the idea that attacks that are able to bypass one layer of security will eventually be caught by a subsequent layer of security.

In a first-order approximation, the effectiveness of this approach is typically calculated as the product of the individual layers’ failure rates, which implicitly assumes the layers fail independently of one another. For example, if layer 1 is assumed to miss 10% of the attacks and layer 2 is assumed to miss 10% of the attacks, then the combined failure rate of these two layers is estimated to be 10% × 10% = 1%.
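The product-of-failure-rates estimate is easy to compute, but it only holds when the layers miss different attacks. The following is an added example (not code from the article) that computes the first-order estimate for any number of layers and compares it with the miss rate actually observed on a constructed sample of per-attack, per-layer outcomes. In the sample, the two layers each miss 10% of the attacks individually, but they miss the *same* two attacks, so the observed combined miss rate stays at 10% rather than falling to the 1% the product formula predicts. The outcome data and layer behaviour are constructed for illustration, not measurements of any real product.

```python
from functools import reduce
from operator import mul


def combined_miss_rate(miss_rates):
    """First-order estimate: product of per-layer miss rates.

    Valid only if every layer fails independently of the others.
    """
    if not miss_rates:
        raise ValueError("need at least one layer")
    for rate in miss_rates:
        if not 0.0 <= rate <= 1.0:
            raise ValueError(f"miss rate out of range: {rate}")
    return reduce(mul, miss_rates, 1.0)


def per_layer_miss_rates(outcomes):
    """Per-layer miss rate from observed outcomes.

    outcomes: one tuple per attack sample, one bool per layer,
    True meaning that layer caught the attack.
    """
    if not outcomes:
        raise ValueError("need at least one observation")
    n_layers = len(outcomes[0])
    return [
        sum(1 for hits in outcomes if not hits[i]) / len(outcomes)
        for i in range(n_layers)
    ]


def observed_miss_rate(outcomes):
    """Empirical combined miss rate: an attack gets through only if
    every layer missed it."""
    if not outcomes:
        raise ValueError("need at least one observation")
    missed = sum(1 for hits in outcomes if not any(hits))
    return missed / len(outcomes)


# Constructed sample: 20 attacks against two layers. Each layer misses
# 2 of 20 (10%), but both layers miss the same two attacks, e.g. because
# they key on the same indicator. This is illustrative data, not a measurement.
CORRELATED_OUTCOMES = [(True, True)] * 18 + [(False, False)] * 2

# Constructed sample with the same per-layer rates, but the misses fall on
# different attacks, so the second layer catches what the first lets through.
INDEPENDENT_OUTCOMES = (
    [(True, True)] * 16 + [(False, True)] * 2 + [(True, False)] * 2
)


if __name__ == "__main__":
    for label, outcomes in (("correlated", CORRELATED_OUTCOMES),
                            ("independent", INDEPENDENT_OUTCOMES)):
        rates = per_layer_miss_rates(outcomes)
        print(f"{label}: per-layer miss rates {rates}")
        print(f"  first-order estimate: {combined_miss_rate(rates):.3f}")
        print(f"  observed combined:    {observed_miss_rate(outcomes):.3f}")
```

The check a practitioner would want is the gap between the last two numbers: when it is large, the layers are correlated and the 1% figure overstates what the stack actually delivers, regardless of how good each layer is on its own.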

So much for the theory; how effective is this approach in practice?