Breach Detection or Breach Prevention?

August 21st, 2016

In the past few years, multiple organizations have experienced high-profile breaches. Target, Sony and the Office of Personnel Management are a few prime examples, but numerous others make headline news on a daily basis. It has become clear that no matter what prevention technologies are being used, it is increasingly difficult to stop determined attackers.

Prevention is a high-stakes game. Multiple technologies and configurations must be deployed and kept in sync to reduce the attack surface available to attackers and slow them down. The list is long: from best practices like network segmentation and vulnerability patching, to systems that prevent malware infection and stop data exfiltration. It takes only one of these elements being mismanaged for attackers to get in and get out with valuable data. How can IT teams balance the need to prevent with the need to detect?

The Flaws in “Prevent First”
Thought leaders, like Gartner, now emphasize the need to balance detection and prevention for enterprise protection. Prevention controls work by recognizing what they have been built or trained to recognize, so an attack pattern that has never been seen before will generally get through, which makes "prevent first" an insufficient strategy on its own. Organizations must also invest in detection capabilities that look for suspicious activity already inside their networks, an area where investment has so far been lacking.

It makes sense. One of the most horrific stats in the cybersecurity world is "time to detect". A recent FireEye study found that the median time from compromise to detection dropped to 146 days in 2015 from 205 days in 2014. While this is a marked improvement, the overall picture remains bleak: an intruder who goes unnoticed for months has all the time needed to find and remove the data. With most security resources and budgets focused on prevention, there is little left to catch an attacker once a breach has actually taken place.

Should detection, then, be the primary focus moving forward? The answer is complex. Prevention has a drawback: it is binary, so either an attack was prevented or it wasn't, and there is no partial credit. Prevention also has an advantage: its technologies are more automated, so the cost and skills required for ongoing maintenance are lower.

Detection Challenges
There are, however, unique challenges associated with detection. Detection uses various techniques to separate real indicators of compromise from "noise," but there is still a tradeoff between generating a "security event" and having the capacity to analyze it. Sifting through large volumes of false-positive events requires human resources, skills and judgment, which are in short supply, as a recent survey points out. In the early days of fraud detection in banking, banks could tune their risk engines to generate only as many daily alerts as their analysts on staff could handle. Everything else was discarded. That isn't good enough for breach detection, because a breach rarely announces itself as a single high-scoring event.
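The banking-era approach above, and why it falls short for breach detection, can be shown with a small simulation. This is an added example, not code from the original post: it compares a per-event cutoff sized to analyst capacity against a per-host correlation that ranks hosts and keeps a backlog instead of discarding. All hosts, event kinds, timestamps and risk scores are constructed for illustration, and the scoring engine they are attributed to is hypothetical.

```python
"""Added example, not code from the original post: a toy comparison of two ways
to fit daily alert volume to analyst capacity.  A per-event cutoff (the banking
approach) keeps the top-N events by score and drops the rest; a per-host
correlation sums distinct behaviours seen on one host within a time window.
A quiet intrusion is a chain of individually low-scoring events on one host,
so the cutoff throws away exactly the signal an investigation needs.
All hosts, event kinds and scores below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since midnight (constructed)
    host: str
    kind: str      # name of the detector that fired (constructed)
    score: float   # per-event risk score in [0, 1] from a hypothetical engine


# Constructed sample day: a scanner that trips the same rule repeatedly,
# a workstation showing a low-scoring install -> DNS -> lateral -> upload
# chain, and two hosts with isolated events.
SAMPLE_EVENTS = [
    Event(100, "scanner01", "port_scan", 0.9),
    Event(200, "scanner01", "port_scan", 0.9),
    Event(300, "scanner01", "port_scan", 0.9),
    Event(400, "scanner01", "port_scan", 0.9),
    Event(3600, "ws-042", "new_service_installed", 0.30),
    Event(3900, "ws-042", "dns_query_volume", 0.35),
    Event(4100, "ws-042", "smb_logon_new_host", 0.40),
    Event(4300, "ws-042", "large_outbound_upload", 0.45),
    Event(5000, "ws-017", "failed_logon", 0.20),
    Event(5100, "ws-017", "failed_logon", 0.20),
    Event(8000, "db01", "config_change", 0.60),
]


def capacity_cutoff(events, daily_capacity):
    """Banking-era approach: rank single events by score, keep the top N
    the analysts can work today, discard everything else."""
    ranked = sorted(events, key=lambda e: e.score, reverse=True)
    return ranked[:daily_capacity]


def host_risk(events, window_s=3600):
    """Correlate per host: within any window of `window_s` seconds, sum the
    best score seen for each distinct event kind.  Repeating one rule does
    not add risk; distinct behaviours on one host in a short time do."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    risk = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        best = 0.0
        for start in evs:  # slide the window over each event as a start point
            in_window = [e for e in evs if start.ts <= e.ts < start.ts + window_s]
            per_kind = {}
            for e in in_window:
                per_kind[e.kind] = max(per_kind.get(e.kind, 0.0), e.score)
            best = max(best, sum(per_kind.values()))
        risk[host] = round(best, 2)
    return risk


def correlated_queue(events, daily_capacity, window_s=3600):
    """Rank hosts by correlated risk.  The top N go to analysts today; the
    rest stay in a backlog that keeps accumulating, rather than being dropped."""
    risk = host_risk(events, window_s)
    ranked = sorted(risk.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:daily_capacity], ranked[daily_capacity:]


if __name__ == "__main__":
    capacity = 3  # analysts can review three items today (constructed)
    kept = capacity_cutoff(SAMPLE_EVENTS, capacity)
    print("per-event cutoff reviews hosts:", sorted({e.host for e in kept}))
    queue, backlog = correlated_queue(SAMPLE_EVENTS, capacity)
    print("correlated queue:", queue)
    print("backlog (kept, not discarded):", backlog)
```

With a capacity of three, the per-event cutoff spends the whole day on the noisy scanner and never surfaces the workstation, while the host-level correlation puts that workstation at the top of the queue and parks only the two failed logons in the backlog. The point is not the particular scoring rule, which is deliberately simple, but that capacity should shape what analysts see first, not what the system is allowed to remember.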

Herein lies the biggest challenge: getting skilled people to look at the events that could indicate abnormal activity. This only gets harder as networks and systems become more complex and intertwined.

What is the Way Forward?