There is a saying that there are two types of fool when it comes to new things. There is one type of fool that believes that everything old is best, and the other type of fool that believes everything new is better.
We tend to have both types of fool in our cyber security community. There is the old guard that believes that nothing is new at all, and that mobile, IoT and cloud security problems can easily be solved using traditional methods and approaches that were designed in a time when computers and networks were far simpler. And there are the emerging technology people who claim that everything that went before them is dead and has failed, and that only their approach can remedy all of your security woes.
We have the holdouts who have invested so much in their outdated security know-how and architecture that they cannot bring themselves to part with them, and the people who are always looking for a magical fix that will help them avoid having to follow best practices (also known as Shiny New Box Syndrome, or SNBS).
Of course, reality is rarely so black and white. It has nuances and shades of grey, and is oftentimes ambiguous – prompting the “It depends” attitude that good security professionals espouse but that frustrates business decision makers and salespeople.
A good example of this is the discussion around Detect - Response, which has generated a number of different misunderstandings and false expectations.
The general idea behind this is that preventative security approaches and technologies, such as Vulnerability Management or Intrusion Prevention Systems, by themselves are not sufficient to mitigate many modern and current threats, and so these need to be augmented by improved incident and threat detection and response capabilities.
Some have interpreted this as stating “Don't waste your money on prevention” – which of course doesn't really reflect the thinking behind this approach. Some critics also point to the fact that old vulnerabilities still account for the majority of exploit traffic, 85% according to Verizon's 2016 Data Breach Report. This is not necessarily untrue – but it misinterprets the root causes and impact, disregards the distribution of exploitation, and looks at one metric in isolation.
Attackers focus on these because they are low-hanging fruit – they get a lot of success with little effort – they are opportunistic when they can be.
But their chest of tricks doesn't end there. As a counterpoint, 63% of actually confirmed data breaches involved leveraging weak/default/stolen passwords. You can do something about weak and default passwords – enforcing minimum complexity standards or executing Policy Configuration Assessments, for example, all of which would fall under preventative measures. But these same approaches will fail when it comes to stolen passwords, which make attackers appear to be legitimate users who can pass access controls with the correct permissions. Monitoring of access and user activity would provide a better control in this case. You can be sure that if attackers are not successful with the low-hanging fruit, they will try and try again with more sophisticated methods until they succeed.
Attackers' methods reflect the security maturity of their target. If you are great at prevention, that's when the Social Engineering or 0days come out. All you are doing is increasing the sophistication of the threat – and if you don't Detect and Respond, you will effectively be blind, having relied solely on prevention and been lured into a false sense of security.
Prevention and preventative technologies are still the foundation of a good security program – and are included in Gartner's Adaptive Security Architecture. They make it harder for an attacker to escalate privileges and move laterally, forcing them to generate noise that a Detect and Respond approach can pick up. We prevent what we can – we detect and respond to what remains.
This combines the old with the new – neither of them best or better – only in combination are they truly effective.