Prevention Vs Detection: The Balancing Act!
COVID-19: what is the strategy for coming out of the pandemic, if I may ask?
In medical science it is said that "prevention is better than cure".
- Prevention, by vaccines and boosters
- But does that mean we have developed adequate immunity to prevent recurrences? What about new mutations?
- Test (detect), contain, respond (cure)
Which is better? After years of the pandemic we now know that neither alone is sufficient; both are required, in a balanced approach.
The same is true in the Cyberworld…
You Need Both
For most enterprises, prevention has long been the favored method for stopping cybercriminals. But as effective as prevention may be, it is no longer adequate in the face of increasingly determined, sophisticated and abundant attackers. Targeted attacks such as spear phishing, email spoofing and social engineering are almost impossible to prevent: between employee accounts, social media accounts and the business's third-party vendors, there are simply too many attack vectors to cover. A determined attacker will find a way to breach even the most secure system, whether by using compromised credentials, exploiting a third-party vulnerability to gain entry, or finding a gap in external defenses.
While a prevention layer is still essential for stopping most commoditized threats, a rebalancing exercise that emphasizes detection and response capabilities will typically pay significant dividends. Organizations need to recognize that at some point their systems will be compromised. Detection and response technology, exercised through a sophisticated security testing program, lets companies deepen their understanding of what is happening inside their networks so they can catch threats before they take root and cause damage.
A more sophisticated approach to security says: I am going to try my best to keep people out, but I am not going to constrict the flow of business. To truly keep everyone out, would I have to kill the business? So I will try my best at prevention, but I will be good at detection, because the break-in is inevitable. Good prevention and great detection feed back into better prevention, and it is a never-ending game.
The continued maturing of log and event correlation and analytics platforms such as SIEM, UEBA and context-aware DLP, as well as the emergence of EDR/XDR, has created a powerful array of security solutions that can dramatically improve an organization's ability to materially reduce the impact of a breach.
But technology alone cannot solve your problems. For many enterprises, the more important component is the mindset shift: admitting that failure will happen, and indeed planning for it.
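To make the "event correlation" idea concrete, here is a small, self-contained Python example of the kind of rule a SIEM or UEBA platform runs. It is an added illustration written for this post, not code from any product mentioned above. The log format, the sample lines, the per-user "known source" baseline and the thresholds are all constructed assumptions; the point is that neither individual event is something prevention would have blocked, yet correlating them across time catches a successful login that followed a burst of failures from a source the user has never used.

```python
"""Toy SIEM-style correlation over constructed authentication logs (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class AuthEvent:
    ts: datetime
    outcome: str   # "FAIL" or "SUCCESS"
    user: str
    src: str       # source IP the attempt came from


def parse_auth_line(line: str) -> AuthEvent:
    """Parse one constructed line: '<ISO8601Z> auth <OUTCOME> user=<name> src=<ip>'."""
    ts_s, _source, outcome, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return AuthEvent(
        datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"), outcome, fields["user"], fields["src"]
    )


def correlate(lines: List[str], baseline: Dict[str, Set[str]],
              window: timedelta = timedelta(minutes=5), threshold: int = 3) -> List[dict]:
    """Return alerts for successful logins that look suspicious in context.

    Rule 1: at least `threshold` failures for the same user from the same source
            inside `window` before a success (credential guessing that worked).
    Rule 2: a success from a source IP absent from that user's baseline (UEBA-style
            anomaly; the baseline is assumed to come from historical logs).
    """
    events = sorted((parse_auth_line(l) for l in lines), key=lambda e: e.ts)
    alerts: List[dict] = []
    for i, ev in enumerate(events):
        if ev.outcome != "SUCCESS":
            continue
        recent_fails = sum(
            1 for prior in events[:i]
            if prior.outcome == "FAIL" and prior.user == ev.user
            and prior.src == ev.src and ev.ts - prior.ts <= window
        )
        if recent_fails >= threshold:
            alerts.append({"rule": "fail_burst_then_success", "user": ev.user,
                           "src": ev.src, "ts": ev.ts.isoformat(), "fails": recent_fails})
        if ev.src not in baseline.get(ev.user, set()):
            alerts.append({"rule": "success_from_new_source", "user": ev.user,
                           "src": ev.src, "ts": ev.ts.isoformat()})
    return alerts


# Constructed sample log lines (documentation-range IPs, fictional users).
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T09:00:09Z auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T09:00:20Z auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T09:01:02Z auth SUCCESS user=alice src=203.0.113.7",
    "2024-03-01T09:05:00Z auth SUCCESS user=bob src=198.51.100.4",
    "2024-03-01T09:10:00Z auth FAIL user=carol src=192.0.2.9",
    "2024-03-01T09:30:00Z auth SUCCESS user=carol src=192.0.2.9",
]

# Constructed baseline: source IPs each user has historically logged in from.
BASELINE: Dict[str, Set[str]] = {
    "alice": {"192.0.2.50"},
    "bob": {"198.51.100.4"},
    "carol": {"192.0.2.9"},
}

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS, BASELINE):
        print(alert)
```

Run as a script it prints two alerts, both for alice's 09:01:02 login: one from the failure-burst rule (three failures in the preceding five minutes) and one from the new-source rule. Bob's and carol's logins raise nothing: a single failure is below the threshold, and both came from baseline sources. Real platforms add many more signals, but the response plan discussed below starts from exactly this kind of correlated alert rather than from a blocked event.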
- Put a plan in place to manage a data breach. If a breach occurs, there must also be a clear protocol identifying which employees manage each component of the plan.
- Input and ongoing involvement from other stakeholders such as Legal, HR, Compliance, and other executives responsible for limiting enterprise risk is critical.
- A post-incident response plan should consider several issues, including:
  - Accurately and quickly notifying customers
  - Ascertaining how widespread the breach was
  - Handling the legal policies and procedures for reporting the event
  - Contacting your insurance agent and carrier, and managing communications
Another challenge is ensuring your organization has staff with the right skill set to perform effective detection and response activities. Most do not. SOC analysts skilled in active threat hunting and continuous incident response are both scarce and expensive. Organizations that lack the staff to design, implement and manage a detection and response program may find it easier to engage an outside resource, such as a managed security service, to augment internal capabilities or to manage detection and response activities outright.
The Defender's Dilemma!!!...Continues…
To keep the bad guy out, you as a defender have a big disadvantage: the bad guy gets to choose where, when, and how he attacks. So you need to always be on top of your game, and perfect at every place against every method. Let's look at some of the reasons why the attackers can have fun at the defender's expense.
- Principle #1: The defender must defend all points; the attacker can choose the weakest point.
- Principle #2: The defender can defend only against known attacks; the attacker can exploit unknown vulnerabilities.
- Principle #3: The defender must be constantly vigilant; the attacker can strike at will.
- Principle #4: The defender must play by the rules; the attacker can play dirty.
To successfully defeat the attacker, whether internal or external, an organization must be properly prepared. As I have outlined, the information security process is a journey, not a destination. It is a dynamic process requiring skilled management and flexibility. Disciplined management of the prevention, detection and response cycle is required to ensure continuous improvement. Organization-wide support and involvement is paramount in maturing the security strategy.