Breach Detection or Breach Prevention?

InfoSecurity Magazine, August 21, 2016

The Flaws in “Prevent First”

Thought leaders, like Gartner, now emphasize the need to balance detection and prevention for enterprise protection because it is basically impossible to stop an attack pattern that has never been seen before – therefore rendering “prevent first” an insufficient strategy. Organizations must also invest in detection capabilities to look for suspicious activity in their networks – where investment has so far been lacking.

It makes sense. One of the most horrific stats in the cybersecurity world is “time to detect”. A recent FireEye study found that this measure dropped to 146 days in 2015 from 205 days in 2014. While this is a marked improvement, the overall picture remains bleak. With most security resources and budgets focused on prevention, the game is essentially over once a breach actually takes place.

Should detection, then, be the primary focus moving forward? The answer is complex. On one hand, prevention is binary: either an attack was prevented or it wasn’t. On the other hand, prevention technologies are more automated, so the cost and skills for ongoing maintenance are reduced.

Detection Challenges

There are, however, unique challenges associated with detection. While detection uses various techniques to filter out real indicators of compromise from “noise,” there is still a tradeoff between generating a “security event” and the required ability to analyze it. Sifting through tons of false positive events requires human resources, skills and judgment, which are in short supply, as a recent survey points out.

In the early days of fraud detection in banking, customers could configure the risk engines to generate the number of daily alerts that correlated with the number of analysts they had on staff and their event handling capacity. Everything else was discarded. This isn’t good enough for breach detection. Herein lies the biggest challenge: getting skilled people to look at events that could indicate abnormal activity.
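To make the banking-era capacity rule concrete, here is an added illustration (not code from the article or from any vendor) that ranks constructed events by risk score, keeps only as many alerts as the analyst pool can work in a day, and shows how a low-scoring but real compromise indicator is dropped unseen; the events, scores and capacities are all assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    risk_score: float    # 0.0 - 1.0, as a risk engine would emit it
    true_positive: bool  # ground truth, only known in hindsight


# Constructed sample day: twelve engine events, three real compromise
# indicators, one of them (e10) scored low because it resembles ordinary
# traffic. All values are invented for illustration.
SAMPLE_EVENTS = [
    Event("e01", 0.95, True),  Event("e02", 0.91, False),
    Event("e03", 0.88, False), Event("e04", 0.84, True),
    Event("e05", 0.79, False), Event("e06", 0.75, False),
    Event("e07", 0.62, False), Event("e08", 0.58, False),
    Event("e09", 0.41, False), Event("e10", 0.33, True),
    Event("e11", 0.22, False), Event("e12", 0.10, False),
]


def capacity_capped_alerts(events, analysts, per_analyst_per_day):
    """Banking-style rule: rank by risk score, keep only as many alerts as
    the analysts can handle in a day, discard the rest without review."""
    budget = analysts * per_analyst_per_day
    ranked = sorted(events, key=lambda e: e.risk_score, reverse=True)
    return ranked[:budget], ranked[budget:]


def triage_report(events, analysts, per_analyst_per_day):
    """Summarise what the cap alerts on, what it drops, and which real
    compromise indicators were discarded before anyone looked at them."""
    alerted, discarded = capacity_capped_alerts(events, analysts, per_analyst_per_day)
    true_alerts = [e for e in alerted if e.true_positive]
    return {
        "alerted": [e.event_id for e in alerted],
        "discarded": [e.event_id for e in discarded],
        "missed_compromises": [e.event_id for e in discarded if e.true_positive],
        # Share of worked alerts that were real: the analysts' false-positive load.
        "precision": len(true_alerts) / len(alerted) if alerted else 0.0,
    }


if __name__ == "__main__":
    # Two analysts who can each close three alerts a day: budget of six.
    for key, value in triage_report(SAMPLE_EVENTS, 2, 3).items():
        print(f"{key}: {value}")
```

With a budget of six, the two high-scoring compromises are worked but e10 is discarded; only raising capacity (or improving the scoring) brings it into view.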
This is a tough problem as networks and systems get increasingly more complex and intertwined.

What is the Way Forward?
