Not much protection in life is guaranteed 100% effective. Airports and airlines around the world have introduced a range of preventative protection measures, from the airport entrance to the perimeter, from passenger screening to baggage X-rays. But they do not rely on these alone, also employing extensive training and planning so that they can detect and respond quickly if something goes wrong.
In digital security, I have heard many times that companies need to move from detection to prevention, that they need to stop all threats rather than detect and respond. Unfortunately, the only way to prevent all threats is to completely isolate each of your systems from any type of interaction with another. If you need communications and data exchanges to operate your business, then you need a breach detection strategy.
Is prevention better than detection? Of course; if you can stop attackers before they get into your systems you should, and preventative devices are an important component of any security strategy. The debate is not prevention or detection; it is whether adding the latest prevention widget is sufficient.
Central to this debate is your security strategy: malware defense or breach defense? Defending against malware is necessary, but not sufficient. Since not all security threats are alike, and not all breaches are equal, no amount of next-generation defense widgets is going to stop every threat. And if something does get through, you need the ability to quickly detect and contain the attack.
On The Offensive
Let’s look at some examples. Many security defenses use anti-malware devices that leverage a variety of techniques, including signature detection, heuristics, reputation models, sandboxing, what everyone now calls math, and various proprietary algorithms. While these techniques are all generally effective, they will miss some threats, such as attacks that leverage stolen credentials, misconfigurations, unpatched vulnerabilities, unknown attack types, and rogue insiders. Your cybersecurity strategy, just like a physical security strategy, cannot play only defense. You must also have the tools and plans to deal with a breach.
Detection plays a much larger role in reducing your exposure than just an additional malware scanner. A complete detection strategy looks at breaches as an end-to-end issue. With malware likely already in your organization, industry analysts agree that the lion's share of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020. Detection is vital to reduce your time to detect and recover from a breach.
Instead of simply looking for malware signatures, detection tools monitor data access and movement, looking for unlikely activity and suspicious correlations. They also provide critical actionable and forensic information when something gets through, as well as information on who was affected by it, what data is at risk, and how to contain it. Without this detection capability, it is like having a car mechanic or doctor tell you that something is wrong, but leaving it to you to identify and implement a fix or cure.
The cybersecurity industry has spent a lot of energy arguing about best-of-breed, signature versus algorithmic malware defenses, and whose sandbox is the most difficult to evade. However, cyberattacks have reached the point where, as with castles and gunpowder, a sophisticated attack can win against a purely defensive position. So it is time to move the conversation beyond malware and point defenses and onto dealing with breaches in their entirety. This requires us to evolve as an industry. We need to focus on greater intelligence sharing, on communicating and collaborating across multivendor systems, and on the whole problem -- protecting data and digital assets, detecting vulnerable devices and abnormal behavior patterns, and rapidly containing breaches. Anything less leaves you too exposed.