The five-layer defense framework models cybersecurity as concentric protective layers. Each layer catches threats that bypass the previous one. Attackers only need one gap; defenders must close all five. This page breaks down each layer in detail.

L1
Email & Web Security
First Line of Defense · Gateway Layer
⬇ Stops 95%+ at gateway

Email is the #1 attack vector. L1 stops malicious emails, phishing links, and dangerous attachments before they reach users. Web security blocks access to malicious sites.

📧 Spam & malware filter: Microsoft Defender / Google Workspace
🔗 URL sandboxing: Rewrites links; detonates before delivery
📎 Attachment detonation: Opens files in isolated sandbox
🛡 SPF / DKIM / DMARC: Prevents email spoofing from your domain
🏷 External email banners: Tags external emails visibly
🌐 DNS-based web filter: Blocks known malicious domains at DNS
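
The SPF / DKIM / DMARC item above is only effective when the published records actually enforce. The script below is an added example, not code from the page or any vendor: it parses SPF and DMARC TXT record strings and reports the common misconfigurations (an SPF record ending in +all, more than 10 DNS lookups, a DMARC policy of p=none, pct below 100, no rua= report address). The record strings and the domain example.com are constructed samples; in practice you would fetch the real TXT records with a DNS resolver and pass them in unchanged. DKIM is not checked here because validating it needs the selector's public key, not just a policy string.

```python
"""Offline check that a domain's SPF and DMARC TXT records are actually
enforcing. Record strings are constructed samples; in production you would
fetch them with a DNS resolver and feed the strings in unchanged."""

SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # count toward the 10-lookup limit


def parse_spf(record):
    """Return the 'all' qualifier and the DNS-lookup count of an SPF record."""
    if not record.startswith("v=spf1"):
        return {"valid": False}
    all_qualifier, lookups = None, 0
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # SPF default qualifier is '+' (pass)
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            all_qualifier = qualifier
        elif mechanism.split(":", 1)[0] in SPF_LOOKUP_MECHS or mechanism.startswith("redirect="):
            lookups += 1
    return {"valid": True, "all": all_qualifier, "dns_lookups": lookups}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    spf = parse_spf(spf_record)
    if not spf["valid"]:
        findings.append("SPF: no v=spf1 record")
    else:
        if spf["all"] not in ("-", "~"):
            findings.append("SPF: record does not end in -all/~all, so unlisted hosts pass")
        if spf["dns_lookups"] > 10:
            findings.append("SPF: more than 10 DNS lookups, receivers will return permerror")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record")
    else:
        if dmarc.get("p") not in ("quarantine", "reject"):
            findings.append("DMARC: p=%s only monitors, spoofed mail is still delivered" % dmarc.get("p"))
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC: pct<100 applies the policy to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, aggregate reports are not collected")
    return findings


# Constructed sample records for an assumed domain, example.com
WEAK_SPF = "v=spf1 include:_spf.google.com +all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 include:_spf.google.com -all"
GOOD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("good", GOOD_SPF, GOOD_DMARC)):
        print(label, assess(spf, dmarc) or ["OK"])
```

Run it against your own records after each change to mail routing: the most common regression is a new SaaS sender added as another include: that pushes the record past the 10-lookup limit, at which point receivers stop evaluating SPF at all.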

Implementation Tiers

Tier | What You Get | Cost | Setup Time
Basic | Built-in email filter + SPF/DKIM/DMARC | Free (included) | 1–2 hrs
Standard | + URL sandboxing + attachment detonation | $2–5/user/mo | 1 day
Advanced | + Domain-based message quarantine, BEC detection | $5–10/user/mo | 1 week

L2
Endpoint Protection
Last Line Before User · Device Layer
⬇ Catches what reaches devices

L2 protects the devices where users interact with data. When a malicious email gets through (which some will), L2 is the last chance to stop the malware before it executes.

🔍 EDR / Next-gen AV: Behavioral detection; zero-day protection
🩹 Patch management: Critical: 24–48hrs; High: 7 days
🔐 Full-disk encryption: BitLocker / FileVault on all devices
🚫 RDP restriction: Disable or VPN-only for RDP
💉 Application allowlisting: Only approved apps can run
📡 Network segmentation: Isolate critical systems
Patch window rules: Critical CVSS 9–10: patch in 24–48 hours. High CVSS 7–8.9: patch within 7 days. Automate where possible — manual patching has too much lag.

L3
Access Control & Identity
Credential Defense · Identity Layer
⬇ Stops credential-based attacks

L3 assumes credentials will be compromised and limits the damage. MFA, least privilege, and SSO prevent attackers from moving laterally after they obtain a password.

🔐 MFA everywhere: TOTP (authenticator app) mandatory
🪪 SSO (Single Sign-On): Okta / Azure AD / Google Workspace
🔑 Password manager: Unique passwords; no reuse
👤 Least privilege: Role-based; review quarterly
🏦 Privileged Access Mgmt: Just-in-time admin access
🔒 Account lockout policy: 5–10 attempts → 30min lockout
Critical: Separate admin accounts from regular user accounts. Admin accounts should have no email access and no web browsing. Attackers phish admin credentials because they unlock everything.
L4
Detection & Response
Watchtower Layer · SOC / MDR
⬇ Identifies breaches in progress

L4 is about knowing when something bad is happening — fast enough to respond before damage spreads. Most SMBs lack in-house SOC capability; MDR (Managed Detection & Response) fills this gap.

📊 SIEM / log aggregation: Microsoft Sentinel, Splunk, Elastic
🚨 24/7 MDR: SOC monitoring; CrowdStrike/SentinelOne
📧 Email anomaly alerts: Failed logins, unusual rules, external forwards
🌐 Network traffic analysis: Darktrace, Vectra, Azure Sentinel
📋 Incident response plan: Documented; tested bi-annually
🔎 Threat hunting: Proactive IOC/IOA searches
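
The L3 account lockout threshold (5–10 attempts, 30 min) and the L4 email anomaly alerts (failed logins, unusual rules, external forwards) are the same signal seen from two layers, so one worked example covers both. This is an added illustration, not code from the page or from any SIEM or MDR vendor: it runs two detections over a handful of constructed sign-in and mailbox audit events in a simplified JSON-lines shape (the field names, the tenant domain example.com and the addresses are all assumed). The first detection alerts once when an account reaches 5 failures inside a 30-minute sliding window and again if a sign-in then succeeds while that burst is still recent; the second flags a new inbox rule that forwards to an address outside the tenant domain.

```python
"""Detection logic for two signals named above: sign-in failure bursts at the
account-lockout threshold, and new inbox rules that forward mail outside the
organisation. Log lines are constructed samples in a simplified JSON-lines
shape, not a vendor's real audit-log schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5              # lower end of the page's 5-10 attempt lockout
WINDOW = timedelta(minutes=30)    # matches the 30 min lockout period
INTERNAL_DOMAIN = "example.com"   # assumed tenant domain

# Constructed sample events: alice is brute-forced, then a rule forwards her
# mail externally; bob has two unrelated failures and an internal rule.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00", "event": "SignInFailed", "user": "alice@example.com", "ip": "203.0.113.5"}
{"ts": "2024-05-01T08:02:00", "event": "SignInFailed", "user": "alice@example.com", "ip": "203.0.113.5"}
{"ts": "2024-05-01T08:04:00", "event": "SignInFailed", "user": "alice@example.com", "ip": "203.0.113.5"}
{"ts": "2024-05-01T08:06:00", "event": "SignInFailed", "user": "alice@example.com", "ip": "203.0.113.5"}
{"ts": "2024-05-01T08:08:00", "event": "SignInFailed", "user": "alice@example.com", "ip": "203.0.113.5"}
{"ts": "2024-05-01T08:12:00", "event": "SignInSucceeded", "user": "alice@example.com", "ip": "203.0.113.5"}
{"ts": "2024-05-01T08:15:00", "event": "New-InboxRule", "user": "alice@example.com", "forward_to": "drop@attacker-example.net"}
{"ts": "2024-05-01T09:00:00", "event": "SignInFailed", "user": "bob@example.com", "ip": "198.51.100.7"}
{"ts": "2024-05-01T10:00:00", "event": "SignInFailed", "user": "bob@example.com", "ip": "198.51.100.7"}
{"ts": "2024-05-01T11:00:00", "event": "New-InboxRule", "user": "bob@example.com", "forward_to": "bob.archive@example.com"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_failed_login_bursts(events):
    """Alert once when an account hits FAILED_THRESHOLD failures inside WINDOW,
    and again if a sign-in then succeeds while that burst is still recent."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> failure timestamps inside WINDOW
    burst_until = {}                      # user -> end of the last alerted burst
    for event in events:
        user, ts = event["user"], event["ts"]
        if event["event"] == "SignInFailed":
            window = recent_failures[user]
            window.append(ts)
            while ts - window[0] > WINDOW:    # slide the window forward
                window.pop(0)
            if len(window) >= FAILED_THRESHOLD and ts > burst_until.get(user, datetime.min):
                alerts.append({"rule": "failed_login_burst", "user": user,
                               "ip": event["ip"], "count": len(window), "ts": ts})
                burst_until[user] = ts + WINDOW   # suppress duplicates for one window
        elif event["event"] == "SignInSucceeded" and ts <= burst_until.get(user, datetime.min):
            alerts.append({"rule": "success_after_burst", "user": user,
                           "ip": event["ip"], "ts": ts})
    return alerts


def detect_external_forwards(events):
    """Flag inbox rules whose forwarding address is outside INTERNAL_DOMAIN."""
    alerts = []
    for event in events:
        if event["event"] == "New-InboxRule":
            destination = event.get("forward_to", "")
            domain = destination.rsplit("@", 1)[-1].lower()
            if domain != INTERNAL_DOMAIN:
                alerts.append({"rule": "external_forward", "user": event["user"],
                               "forward_to": destination, "ts": event["ts"]})
    return alerts


def run_detections(text):
    """Run both detections and return the alerts in time order."""
    events = parse_events(text)
    alerts = detect_failed_login_bursts(events) + detect_external_forwards(events)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["rule"], alert["user"])
```

Bob's two failures an hour apart never reach the threshold and his archive rule stays internal, so only alice produces alerts; the chain burst, then success, then external forward within fifteen minutes is exactly the sequence an MDR analyst would escalate as a probable account takeover.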

MDR vs. In-House SOC

Factor | MDR | In-House SOC
Setup cost | $0–5K | $100K–500K
Ongoing cost | $6–15/user/mo | $200K–800K/yr (staff)
Time to value | Days | 6–18 months
Coverage | 24/7 always | Depends on headcount
Best for | SMBs, lean teams | Large orgs with security teams

L5
Recovery
Last Resort · Resilience Layer
⬇ When everything else fails

L5 is the fail-safe. When attackers bypass L1–L4, L5 determines whether you recover in hours or lose everything. Immutable, tested backups are the only reliable defense against ransomware.

💾 3-2-1 backup: 3 copies, 2 media, 1 offsite
🏔️ Immutable backup: Cannot be deleted by attackers
🧪 Restore testing: Quarterly; verifies RTO/RPO
📋 Disaster recovery plan: Documented; tested bi-annually
RTO / RPO defined: Per system; tested
🔑 Key management: Backup keys stored separately
Immutable backup options: AWS S3 Object Lock (WORM mode), Azure Immutable Blob Storage, Backblaze B2 with Immutability, or physical air-gap (offline tape/disk). Cost: ~$0.01–0.04/GB/mo.
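
The L5 items above (3-2-1, immutable copy, quarterly restore test, per-system RTO/RPO) are easy to state and easy to drift from. The script below is an added example, not code from the page or any backup product: it evaluates a constructed backup inventory against those rules and lists every rule each system violates. The inventory, the system names, the fixed clock and the boolean "immutable" flag (standing in for Object Lock, immutable blob storage or an air-gapped copy) are all assumptions for the sake of the example; a real check would populate the same structure from your backup tool's API.

```python
"""Posture check for the L5 controls: 3-2-1 copies, at least one immutable
copy, a restore test within the last quarter, and the RPO met by the most
recent successful backup. The inventory is a constructed sample; the
'immutable' flag stands in for Object Lock / immutable blob / air-gap."""
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1)                  # fixed clock so results are deterministic
RESTORE_TEST_MAX_AGE = timedelta(days=90)   # "quarterly" restore testing

INVENTORY = {
    "file-server": {
        "rpo": timedelta(hours=24),
        "last_restore_test": datetime(2024, 4, 20),
        "copies": [
            {"location": "onsite", "media": "disk", "immutable": False,
             "last_success": datetime(2024, 5, 31, 23, 0)},
            {"location": "offsite", "media": "object-storage", "immutable": True,
             "last_success": datetime(2024, 5, 31, 23, 0)},
            {"location": "onsite", "media": "tape", "immutable": True,
             "last_success": datetime(2024, 5, 25)},
        ],
    },
    "erp-db": {
        "rpo": timedelta(hours=1),
        "last_restore_test": datetime(2023, 12, 1),
        "copies": [
            {"location": "onsite", "media": "disk", "immutable": False,
             "last_success": datetime(2024, 5, 31, 22, 0)},
            {"location": "onsite", "media": "disk", "immutable": False,
             "last_success": datetime(2024, 5, 31, 22, 0)},
        ],
    },
}


def check_system(spec, now=NOW):
    """Return the list of L5 rules this system violates (empty = compliant)."""
    copies = spec["copies"]
    findings = []
    if len(copies) < 3:
        findings.append("3-2-1: fewer than 3 copies")
    if len({c["media"] for c in copies}) < 2:
        findings.append("3-2-1: fewer than 2 media types")
    if not any(c["location"] == "offsite" for c in copies):
        findings.append("3-2-1: no offsite copy")
    if not any(c["immutable"] for c in copies):
        findings.append("immutability: every copy can be deleted with backup-admin credentials")
    if now - spec["last_restore_test"] > RESTORE_TEST_MAX_AGE:
        findings.append("restore testing: last test older than 90 days")
    newest = max(c["last_success"] for c in copies)   # RPO is judged on the freshest copy
    if now - newest > spec["rpo"]:
        findings.append("RPO: newest backup is %s old, RPO is %s" % (now - newest, spec["rpo"]))
    return findings


def check_all(inventory, now=NOW):
    """Map each system name to its list of findings."""
    return {name: check_system(spec, now) for name, spec in inventory.items()}


if __name__ == "__main__":
    for name, findings in check_all(INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

In the sample the file server passes every rule, while the ERP database (two same-disk, deletable, onsite copies, no restore test since December, and a one-hour RPO missed by an hour) fails all six; that second profile is the one ransomware operators count on, because deleting the backups is the first thing they do once they hold admin credentials.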

Attack Path Matrix — How Layers Interact

Each row represents a real-world attack path. Each ✓ is a layer that catches it. Note: most attacks are caught by L1, but the sophisticated ones that matter get through — requiring all five layers.

Attack Scenario | L1 Email | L2 Endpoint | L3 Identity | L4 Detect | L5 Recovery
Phishing → credential theft → account takeover | ✓ (blocks most) | | ✓ (MFA blocks) | ✓ (anomaly alerts) | ✓ (audit trail)
Phishing → malware download → ransomware | ✓ (blocks most) | ✓ (EDR catches) | | ✓ (behavioral alert) | ✓ (backup restore)
Exposed RDP → brute force → lateral movement | | ✓ (lockout policy) | ✓ (MFA) | ✓ (failed login alerts) | ✓ (snapshot)
Supply chain → compromised software update | | ✓ (allowlist) | | ✓ (network anomaly) | ✓ (rollback)
Insider threat → data exfiltration | | | ✓ (least privilege) | ✓ (DLP alerts) | ✓ (audit logs)