The Writing King Your Ethical Ghostwriter. Your Story, Done Right.

Defense in Layers: Why One Scanner Is Zero Scanners

TL;DR

Every layer of your defense will eventually miss something. That is not a flaw in the layer, it is the reason you have more than one. The retailer ran perimeter, segmentation, host firewalls, and disciplined patching. My home network runs a segmented LAN with IoT quarantined, plus three scanning layers. The day a pixel-perfect fake UPS email arrived five minutes after my real eBay order, the layers earned their keep in a cascade of red alerts.

At the retailer, our network manager was a firm believer in layered defense, and the architecture reflected it. Routers and firewalls formed the perimeter, and we made that shell as solid as we could get it. Behind the perimeter, segmentation divided the interior, so getting in did not mean getting everywhere. Behind segmentation, every machine carried its own software firewall, kept patched. Under all of it, the discipline: patch schedules, vulnerability lists, knowing what was coming before it arrived.

The philosophy was never that any layer was impenetrable. It was that every layer would eventually miss, usually on the zero-day nobody had a signature for yet, and the layer behind it had to be standing when that happened. One defense is a single point of failure. Layers are an admission that failure is normal, engineered into the design.

The same architecture, scaled to a house

My home network runs the identical philosophy at a smaller scale. Traffic comes through the modem into a router, and the LAN behind it is segmented. IoT devices live on their own segment, walled off from my working systems, because my smart light bulb does not get a vote on the security of my business.

I recommend that IoT segmentation to everyone, and if you want to go further, use two IoT segments: one for the semi-critical devices like TVs, one for the disposable ones like bulbs and plugs. If something on the disposable segment is compromised, you factory-reset it and lose nothing.

On the endpoint side I run three layers: Bitdefender as the primary real-time scanner, HitmanPro as a second-opinion scanner on a nightly schedule, and HitmanPro.Alert building a behavioral shield around individual applications. Different engines, different detection philosophies, deliberately overlapping. Add patching discipline and subscription to vulnerability announcements, and that is due diligence. I go further, hardening the network and individual systems by hand, but I am a geek. The layers alone put you ahead of almost everyone.

What each layer is actually for

The layers are not redundancy for its own sake; each one answers a different failure. The perimeter handles the untargeted mass of internet hostility, the scans and probes that hit every address on earth. Segmentation answers the perimeter’s inevitable failure: something got in, so what can it reach? Host firewalls answer segmentation’s blind spot: something is inside my segment, so what will my machine accept? Patching answers the oldest question in the field, because the majority of successful attacks exploit vulnerabilities that had fixes available. And the scanner stack answers the residue, the thing that made it through everything else and is now trying to execute.

Three scanners sounds paranoid until you understand they answer three different questions. The primary real-time engine asks “is this known bad?” as files arrive. The nightly second-opinion scanner asks “did the primary miss anything?” with a different engine and different signatures, which matters because every vendor’s coverage has holes and no two vendors have the same holes. The behavioral shield does not ask about signatures at all; it watches what running programs do and intervenes on the behavior, which is the only layer that works against something too new to have a name. Signature, second opinion, behavior. Different questions, different catches.

One scanner is zero scanners, because the day it misses is the day you had nothing.
Share on X

The UPS email

Here is the day the layers earned their keep. I had just completed an eBay order, so I was expecting a UPS shipping notification. Five minutes later, a UPS email arrived. It looked exactly right: layout, logos, everything. I clicked it.

The screen turned red. One alert, then another, then another: infection stopped, infection stopped, more infections stopped. The email was a phish that happened to land five minutes after a real order, so perfectly timed that it sailed through the one filter no software provides, my own expectation. The layers behind my judgment caught what my judgment let through, and the attack died in a stack of blocked-event notifications instead of on my machine.

Email is the gap

That story contains the honest hierarchy of risk. If your router is solid, your firewalls are engaged, your systems are patched, and your scanners are layered, the network side of your life is largely handled. Email is where things get through, because email attacks target the person, and the person sometimes has a package coming. You do not solve that with vigilance. Vigilance fails on schedule. You solve it by making sure that when vigilance fails, something mechanical is standing behind it.

One scanner is zero scanners, because the day it misses is the day you had nothing.

For a small business, the same architecture translates almost directly, and the budget version is honest: a business-grade router with the firewall actually configured, a separate network segment (or at minimum the guest network) for every device that is not a working computer, endpoint protection with a scheduled second-opinion scan, patching turned on and verified monthly, and backups that live somewhere ransomware on a workstation cannot reach. None of that requires an enterprise budget. It requires deciding once that any single failure should not be interesting, and then arranging the pieces so it is not.

For more from this series, see the The Cybersecurity Hub: breaches, audits, and hard-won security lessons from four decades in the trenches.

The Guides That Get Your Book Written, Published, and Sold

Four short, practical guides on writing, publishing, and selling your book, plus the occasional note when there's something worth your time. No fluff, no daily inbox clutter. Drop your email and they're yours.

We use MailerLite to manage our list and send these emails. Your address is used only to send you what you signed up for. We will not sell it, share it, or use it for anything else, and you can unsubscribe anytime.

Frequently Asked Questions

What does a layered security approach look like in practice?
Perimeter defenses (router, firewall), network segmentation behind the perimeter, host firewalls and patching on each machine, and multiple overlapping scanners with different detection engines. Each layer exists because the one in front of it will eventually miss.
Why should IoT devices be on a separate network segment?
IoT devices are weakly secured and rarely patched. Segmenting them means a compromised smart bulb or TV cannot reach your computers. For stronger isolation, use two IoT segments: one for semi-critical devices, one for disposable ones.
Is one antivirus program enough?
No single engine catches everything. A primary real-time scanner, a second-opinion scanner on a nightly schedule, and a behavioral shield around applications cover each other’s blind spots, which matters most on well-timed phishing and zero-day payloads.

📁︎ Cybersecurity

🏷︎ Security Awareness🏷︎ Phishing🏷︎ Network Segmentation🏷︎ Defense in Depth

📝 Disclaimer

The views and opinions expressed in this blog post are solely those of Richard Lowe and are based on personal experience and research. This content is for informational purposes only and should not be construed as professional legal, financial, accounting, or business advice. Always consult with qualified professionals before making important business or legal decisions. Richard Lowe is not a lawyer, accountant, or licensed professional advisor, and this content does not establish any professional relationship.