Layered Defense Implementation - Technologies and Tools
Overview
This guide provides specific technologies, vendors, and implementation approaches for the seven-layer defence architecture described in WAF Bypasses - Why Perimeter Defense Fails.
Technologies and vendors evolve rapidly. This guide reflects 2026 options. Evaluate current alternatives when implementing.
Layer 2: Runtime Application Self-Protection (RASP)
Available Solutions
Commercial RASP vendors (2026):
- Contrast Security – Agent-based RASP with application inventory and vulnerability management
- Sqreen (acquired by Datadog) – Integrated with Datadog observability platform
- Signal Sciences (acquired by Fastly) – Edge-integrated RASP with CDN integration
Open-source alternatives:
- ModSecurity with Core Rule Set – Can be deployed as RASP-like application firewall
- OpenRASP (Baidu) – Open-source RASP framework for Java, PHP, and Node.js
Implementation Considerations
Performance impact: RASP typically adds 2-5% latency. Test under production load before full deployment.
Language support: Verify RASP solution supports your application stack (Java, .NET, Node.js, Python, Go, Ruby).
Integration effort: Agent deployment requires application restarts. Plan deployment windows accordingly.
Layer 4: Detection and Response Technologies
Network Traffic Analysis
Enterprise solutions:
- Zeek (formerly Bro) – Network security monitoring, protocol analysis, extensive scripting
- Suricata – IDS/IPS with multi-threading, hardware acceleration support
- Malcolm – Network traffic analysis platform combining Zeek, Suricata, and Elasticsearch
Deployment architecture:
Internet → TAP/SPAN → Packet Capture → Zeek + Suricata → SIEM
Endpoint Detection and Response (EDR/XDR)
Commercial platforms:
- CrowdStrike Falcon
- Microsoft Defender for Endpoint
- SentinelOne
- Palo Alto Cortex XDR
Open-source alternatives:
- Wazuh – Host-based intrusion detection, log analysis, compliance monitoring
- Velociraptor – Endpoint visibility and forensics
Security Information and Event Management (SIEM)
Commercial SIEM:
- Splunk Enterprise Security
- Microsoft Sentinel
- Elastic Security
- Chronicle (Google Cloud)
Open-source SIEM:
- Wazuh (SIEM + EDR capabilities)
- Graylog
- OpenSearch Security Analytics
Layer 5: Patch Management and Vulnerability Scanning
Dependency Management Automation
For application dependencies:
- Renovate – Automated dependency updates with merge request creation
- Dependabot (GitHub) – Automated dependency updates and security alerts
- Snyk – Vulnerability scanning with automated remediation PRs
Implementation:
# Example: Renovate configuration
{
"extends": ["config:base"],
"schedule": ["before 6am on monday"],
"automerge": true,
"automergeType": "pr",
"major": {
"automerge": false
}
}Container Image Scanning
Available scanners:
- Trivy (Aqua Security) – Comprehensive vulnerability scanner for containers, filesystems, Git repositories
- Clair (CoreOS) – Static analysis of vulnerabilities in container images
- Grype (Anchore) – Vulnerability scanner for container images and filesystems
- Snyk Container – Commercial container scanning with priority scoring
CI/CD integration example:
# GitLab CI example
container_scanning:
stage: test
image: aquasec/trivy:latest
script:
- trivy image --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
only:
- merge_requests
- mainContinuous Vulnerability Scanning
Infrastructure scanning:
- Nessus (Tenable) – Comprehensive vulnerability assessment
- OpenVAS – Open-source vulnerability scanner
- Qualys VMDR – Cloud-based vulnerability management
Kubernetes-specific:
- Kubescape – Kubernetes security scanning against NSA/CISA hardening guidance
- Falco – Runtime security monitoring for Kubernetes
Layer 6: Zero Trust Implementation
Service Mesh Options
Available platforms:
- Istio – Feature-rich service mesh with extensive traffic management
- Linkerd – Lightweight, Kubernetes-native service mesh
- Consul Connect (HashiCorp) – Service mesh with service discovery integration
mTLS implementation with Istio:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICTIdentity and Access Management
Enterprise IAM solutions:
- Okta – Cloud-based identity platform
- Azure Active Directory – Microsoft identity platform
- Keycloak – Open-source identity and access management
Service-to-service authentication:
- SPIFFE/SPIRE – Secure production identity framework for workloads
- Vault (HashiCorp) – Secrets management with dynamic credentials
CrowdSec: Crowdsourced Threat Intelligence
What CrowdSec Provides
CrowdSec offers crowdsourced threat intelligence and log-based behavioural detection. Evaluate against your existing security stack.
Unique capabilities:
- Real-time IP reputation – Addresses actively attacking CrowdSec users globally
- Behavioural reputation scoring – Identifies addresses exploiting specific CVEs
- Application log behavioural analysis – SSH brute force, web server abuse, authentication failures
Implementation for Organisations with Existing NSM
If you’re running Malcolm NSM or Security Onion with Suricata and Zeek:
Disable redundant network-based scenarios:
# Suricata/Zeek already provide superior network detection
cscli scenarios remove crowdsecurity/iptables-scan-multi_ports
cscli scenarios remove crowdsecurity/http-probingEnable unique log-based scenarios:
# Application log behavioural detection
cscli scenarios install crowdsecurity/ssh-bf
cscli scenarios install crowdsecurity/http-bad-user-agent
cscli scenarios install crowdsecurity/http-crawl-non_statics
# Enable community blocklist (primary value)
cscli capi registerDeploy enforcement components:
# Firewall bouncer
cscli bouncers add firewall-bouncer
# Reverse proxy bouncer (Nginx/Caddy)
cscli bouncers add nginx-bouncerIntegration with Monitoring
# Prometheus metrics export
cscli metrics enable
# Configure Grafana dashboards for CrowdSec metricsCapability segregation:
- Malcolm/Suricata: Deep forensic investigation, attack technique analysis, incident reconstruction
- CrowdSec: Rapid automated blocking, crowdsourced intelligence, application log behavioural detection
Value Assessment
High value:
- Crowdsourced threat intelligence (unique)
- Application log behavioural analysis (complements network detection)
- Coordinated multi-layer enforcement (reduces operational complexity)
- Low resource overhead (lighter than full packet capture)
Low value when you have existing tools:
- Network attack detection (Suricata/Zeek deployed)
- Geographic blocking (firewall provides this)
- DDoS mitigation (requires upstream provider anyway)
Layer 7: Immutable Infrastructure
GitOps Tools
Available platforms:
- Flux – GitOps toolkit for Kubernetes
- ArgoCD – Declarative GitOps continuous delivery
- Rancher Fleet – Multi-cluster GitOps
Example ArgoCD application:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: production-app
spec:
source:
repoURL: https://github.com/org/repo
targetRevision: HEAD
path: k8s/production
destination:
server: https://kubernetes.default.svc
namespace: production
syncPolicy:
automated:
prune: true
selfHeal: trueContainer Orchestration Security
Kubernetes security tools:
- OPA Gatekeeper – Policy enforcement
- Kyverno – Kubernetes-native policy management
- Pod Security Admission – Built-in Kubernetes pod security
Example Kyverno policy:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-non-root
spec:
validationFailureAction: enforce
rules:
- name: check-runAsNonRoot
match:
resources:
kinds:
- Pod
validate:
message: "Running as root is not allowed"
pattern:
spec:
securityContext:
runAsNonRoot: trueIntegration Architecture Example
Complete Stack for Mid-sized Enterprise
┌─────────────────────────────────────────────────────────┐
│ Internet Traffic │
└─────────────────┬───────────────────────────────────────┘
│
┌───────▼────────┐
│ Cloudflare │ (DDoS, Geographic filtering)
│ WAF (Basic) │
└───────┬────────┘
│
┌───────▼────────┐
│ CrowdSec │ (Crowdsourced threat intel)
│ @ Gateway │
└───────┬────────┘
│
┌───────▼────────┐
│ Reverse Proxy │ (Nginx/Caddy with TLS)
│ + CrowdSec │
└───────┬────────┘
│
┌─────────────▼──────────────┐
│ Kubernetes Cluster │
│ ┌──────────────────────┐ │
│ │ Istio Service Mesh │ │ (mTLS, policy enforcement)
│ └──────────────────────┘ │
│ ┌──────────────────────┐ │
│ │ Applications │ │
│ │ + RASP Agents │ │ (Runtime protection)
│ └──────────────────────┘ │
└─────────────┬───────────────┘
│
┌─────────────▼───────────────┐
│ Detection & Response │
├──────────────────────────────┤
│ Zeek + Suricata (Malcolm) │
│ Wazuh EDR │
│ Elastic SIEM │
│ Falco (K8s runtime) │
└──────────────────────────────┘
Implementation Priorities
Phase 1: Foundation (Weeks 1-4)
- Application-level input validation – Framework protections, CSP
- Comprehensive logging – Application, authentication, authorisation
- Vulnerability scanning – Trivy in CI/CD pipeline
Phase 2: Detection (Weeks 5-8)
- SIEM deployment – Centralised log aggregation and correlation
- EDR deployment – Endpoint visibility and response
- Network traffic analysis – Malcolm or Zeek/Suricata deployment
Phase 3: Advanced Controls (Weeks 9-16)
- RASP evaluation and pilot – Select vendor, pilot on non-critical application
- Service mesh deployment – Istio or Linkerd for mTLS
- GitOps implementation – ArgoCD or Flux for immutable infrastructure
Phase 4: Integration and Automation (Weeks 17-24)
- Automated response playbooks – SOAR integration
- CrowdSec integration – If gap identified in threat intelligence
- Continuous improvement – Metrics, detection tuning, tabletop exercises
Cost Considerations
Open-Source Stack (Low Budget)
- RASP: OpenRASP
- Network analysis: Zeek + Suricata
- SIEM: Wazuh or Graylog
- EDR: Wazuh
- Service mesh: Linkerd
- Container scanning: Trivy
- Dependency management: Renovate + Dependabot (free for public repos)
Approximate annual cost: £20,000-50,000 (primarily infrastructure and staff time)
Commercial Stack (Enterprise)
- RASP: Contrast Security or Signal Sciences
- Network analysis: Malcolm or commercial NDR
- SIEM: Splunk or Microsoft Sentinel
- EDR/XDR: CrowdStrike or SentinelOne
- Service mesh: Istio (free) with enterprise support
- Container scanning: Snyk or Aqua
- Secrets management: HashiCorp Vault Enterprise
Approximate annual cost: £200,000-500,000 (depending on organisation size)
Hybrid Approach (Pragmatic)
- RASP: Commercial for critical apps, OpenRASP for internal tools
- Network analysis: Zeek + Suricata (open-source)
- SIEM: Elastic Security (commercial license)
- EDR: Microsoft Defender (included with M365 E5)
- Service mesh: Linkerd (open-source)
- Container scanning: Trivy (free) + Snyk (commercial for prioritisation)
Approximate annual cost: £80,000-150,000
Conclusion
Technology choices depend on organisation size, budget, technical capability, and existing investments.
Principles remain constant:
- Multiple independent defensive layers
- Assume perimeter controls will fail
- Detection and response over perfect prevention
- Continuous patching faster than signature updates
Technologies change rapidly. Evaluate current options against these principles when implementing.
Further Reading
- CNCF Cloud Native Security Whitepaper
- NIST Zero Trust Architecture (SP 800-207)
- NSA/CISA Kubernetes Hardening Guidance
- OWASP Application Security Verification Standard
About This Guide: Practical implementation guidance based on 2026 technology landscape. Evaluate current alternatives when implementing. Technologies evolve; principles remain constant.