
Prevention vs Detect & Response or Of Fools and Novelty

22 Aug 2016

There is a saying that there are two types of fool when it comes to new things. There is one type of fool that believes that everything old is best, and the other type of fool that believes everything new is better.

We tend to have both types of fool in our cyber security community – the old guard that believes that nothing is new at all, and mobile, IoT and cloud security problems can easily be solved using traditional methods and approaches that were designed in a time when computers and networks were far simpler - or the emerging technology people who claim everything that went before them is dead and has failed and only their approach can help remedy all of your security woes.

We have the holdouts who have invested so much in their outdated security knowhow and architecture that they cannot bring themselves to part with them, and the people who are always looking for a magical fix that will help them avoid having to follow best practices (also known as Shiny New Box Syndrome (SNBS)).

Of course reality is rarely so black and white. It has nuances, shades of grey and is oftentimes ambiguous – prompting the “It depends” attitude that good security professionals espouse but frustrates business decision makers and salespeople.

A good example of this is the discussion around Detect & Response, which has generated a number of different misunderstandings and false expectations.

The general idea behind this is that preventative security approaches and technologies, such as Vulnerability Management or Intrusion Prevention Systems, by themselves are not sufficient to mitigate many modern and current threats, and so these need to be augmented by improved incident and threat detection and response capabilities.

Some have interpreted this as stating “Don’t waste your money on prevention” – which of course doesn’t really reflect the thinking behind this approach. Some critics also point to the fact that old vulnerabilities still account for the majority of exploit traffic, 85% according to Verizon’s 2016 Data Breach Report. This is not necessarily untrue – but it misreads the root causes and impact, disregards the distribution of exploitation, and looks at one metric in isolation.

Attackers focus on these because they are low hanging fruit – they get a lot of success with little effort – they are opportunistic when they can be.

But their chest of tricks doesn’t end there. As a counterpoint, 63% of confirmed data breaches involved leveraging weak, default or stolen passwords. You can do something about weak and default passwords – enforcing minimum complexity standards or executing Policy Configuration Assessments, for example, all of which would fall under preventative measures. But these same approaches fail when it comes to stolen passwords – an attacker using a stolen credential looks like a legitimate user with the correct permissions and so passes the access controls. Monitoring of access and user activity in this case would provide a better control. You can be sure that if the attacker is not successful with the low hanging fruit, they will try and try again with more sophisticated methods until they succeed.
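To make the contrast concrete, here is an added example written for this page (not code from the article or from Gartner): the first function is the preventative control, a password complexity check that a stolen-but-strong password sails through, and the second is the detective control, a simple impossible-travel check run over a constructed sample authentication log. The log lines, the default-password list and the field names are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Preventative control: reject weak or default passwords before they are ever set.
DEFAULT_PASSWORDS = {"password", "admin", "123456", "welcome1"}  # constructed sample list


def password_acceptable(pw: str) -> bool:
    """Minimum complexity: 12+ chars, lower, upper, digit, symbol, not a known default."""
    if len(pw) < 12 or pw.lower() in DEFAULT_PASSWORDS:
        return False
    return all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


# Detective control: a stolen password passes every complexity check, so the signal has
# to come from how the credential is used. Constructed sample auth log, not real data.
AUTH_LOG = """\
2016-08-22T08:01:10 user=jsmith result=success src=10.0.4.21 geo=AU
2016-08-22T08:05:42 user=jsmith result=success src=10.0.4.21 geo=AU
2016-08-22T08:07:03 user=jsmith result=success src=203.0.113.9 geo=RO
2016-08-22T09:12:55 user=mlee result=failure src=10.0.7.3 geo=AU
2016-08-22T09:13:20 user=mlee result=success src=10.0.7.3 geo=AU
2016-08-22T15:40:00 user=mlee result=success src=198.51.100.7 geo=US
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+)"
)


def flag_suspicious_logins(log: str, window_hours: float = 1.0) -> list:
    """Return (user, timestamp, geo) for every successful login that follows another
    success for the same account from a different country within `window_hours`."""
    window = timedelta(hours=window_hours)
    last_success = {}  # user -> (datetime, geo) of that user's most recent success
    flagged = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue  # failures belong to a brute-force detector, not this check
        ts = datetime.fromisoformat(m["ts"])
        prev = last_success.get(m["user"])
        if prev and prev[1] != m["geo"] and ts - prev[0] <= window:
            flagged.append((m["user"], m["ts"], m["geo"]))
        last_success[m["user"]] = (ts, m["geo"])
    return flagged
```

With the default one-hour window only jsmith's Romanian login, 81 seconds after an Australian one, is flagged; mlee's US login six hours later is not, which is the kind of tuning decision a Detect and Response team owns.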

Attackers’ methods reflect the security maturity of their target. If you are great at prevention, that’s when the social engineering or 0days come out. All you are doing is increasing the sophistication of the threat – and if you don’t detect and respond, you will effectively be blind, having relied solely on prevention and been lured into a false sense of security.

Prevention and preventative technologies are still the foundation of a good security program – and are included in Gartner’s Adaptive Security Architecture – they make it harder for an attacker to escalate privileges and move laterally, forcing them to generate noise that a Detect and Response approach can pick up. We prevent what we can – we detect and respond to what remains.

This combines the old with the new – neither of them best or better – only in combination are they truly effective.

Article by Oliver Rochford, Gartner research director
