Defence in depth. It's not a buzzword anymore, but the principles hold up.
Basically, each component in your threat model should have no fewer than two controls to protect it. Assume that 'active' systems (antivirus, etc.) can and will fail. Passive measures are predictable and cost-effective, but have limitations - a mixture of both is ideal.
Think of it like a well-fortified house. You don't just stick a robotic machine gun on the roof and command it to shoot people it doesn't recognize - everybody knows from intuition that's a bad idea.
Instead, you layer up your defences. Passive measures are a great start: a steel door, bars in the windows, bollards to keep vehicles away, etc. Then you layer active measures: lights and cameras, sensors in windows and doors, keycard access to different areas, etc. For anything more than that, you need to develop your threat model: are you defending against bears or against a helicopter gunship? A moat won't protect you from a chopper, and radar-guided anti-aircraft missiles won't be very effective against bears.