[BreachExchange] Prevention Isn’t Enough. Why All Companies Need Detection Too

[Audrey McNeil]

http://www.business2community.com/cybersecurity/prevention-
isnt-enough-companies-need-detection-01899421

How would you know if your prevention methods failed to catch a critical
threat? One of two ways: Either a customer, an auditor, or another third
party would find out about it (an embarrassing situation for you) or you
could get lucky and find it yourself — which is rare without detection.

Prevention techniques and technologies (e.g., security controls, firewalls,
encryption, antivirus), are designed to block an attacker from getting in,
and can be critical to your security strategy. However, they can’t be the
only defense you have in place. If history is any indicator (and we believe
it is), attackers will find a way in. So, as a defender, you also need the
ability to detect threats once they are inside your modern cloud
infrastructure. That’s why companies are shifting their focus to detection
techniques and technologies (e.g., monitoring, alerting).

In this post, we’ll explain what detection does that prevention cannot,
what to watch out for if you’re relying on prevention alone, and how you
can use them in parallel.

Detection Keeps Prevention Honest

You’ve probably heard the phrase “Trust, but verify.” You want to trust
that your prevention techniques are working, but how would you know if they
were not? That’s where detection tools come into play.

Detection tools (such as an IDS or continuous monitoring solution) give you
continuous visibility into activity within your modern environment. They
not only alert you about known issues (e.g., CVEs and previously disclosed
threats), but also about new and unknown ones that may be trying to slip
past defenses. With this information, you can quickly make decisions, such
as whether to patch a server, shut down access to an application, or write
a new script to detect similar events in the future. This is something
prevention tools are not built to do, because that’s not their purpose.

While tools like firewalls or antivirus can mitigate common and known
security events, they weren’t designed to detect new threats, and on top of
that, many prevention tools don’t have built-in alerting to notify you in
real-time about new issues. It’s important to note here that some security
solutions may offer both prevention and detection, just be sure you
understand what it is and understand its purpose.

A good rule of thumb is to have a detection control for every prevention
control you have in place. Especially if you’re running in the cloud, you
know that new threats are always cropping up, so it’s inevitable that some
undiscovered attack will slip past your prevention solutions, which is
where detection comes in.

When Prevention Fails

Statistically speaking, prevention will fail at some point. And one of the
biggest reasons companies are rushing to adopt detection solutions is that
workload payloads are moving to the cloud.

In the cloud, companies are able to operate at scale. As they scale,
detection becomes more and more critical because changes happen rapidly and
there are a greater number of endpoints to watch.

Gartner put it best: “Treat the cloud as an opportunity to apply fresh
thinking and to adopt new methods for defending information from attack.”
While prevention was popular back in the days when static, on-premise
environments were less prone to today’s invasive and tricky attacks, we’re
operating on a whole new battlefield in today’s cloud.

With hundreds or thousands of hosts running at any given moment, having the
ability to see into all of them, understand when new threats and
vulnerabilities try to make their way in, and shut down hosts and apps to
stop threats in their tracks is key to being effective in the cloud.
Consider now your best opportunity to rethink security with cloud-based
detection.

How Detection and Prevention Go Hand-in-Hand

This is not to say you should throw your prevention tools and techniques
out the window. Detection tools collect the data you need to have (the who,
what, where, and when) about a security event as it’s happening, so your
security team can respond at the speed and scale of the cloud. Prevention
doesn’t offer this intel because it’s only designed to block, not aid in an
investigation. In practice, you should look to use prevention techniques
and tools in order to keep known threats out, and layer on detection
capabilities so you can find and remove new and unknown threats.

This way, if there is ever a point of failure or a gap in coverage (and
there inevitably will be), your second-layer defense (detection) will kick
in, keeping you in the know. Even more, detection will help you see where
your gaps are anywhere in your security infrastructure so you can
continuously develop more robust defenses.

Final Words . . .

It’s never been more important to have the ability to simultaneously
identify intrusions, vulnerabilities, insider threats, and data loss. And
not only should you have the ability to detect when anomalous activity
happens, but also know exactly where it is and how to respond to it.
Automated monitoring is an intelligent form of detection that not only
alerts you about potential threats, but also gives you contextual and
historical data to inform your response so you can get right to work.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170821/d296aeac/attachment.html>