Is there a certainty to security?
The choice between Protection + Prevention vs Detection + Response is an illusion. As security practitioners, we all learnt that defence in depth was key. Yet we focused too much on defence as just a wall or line that would protect us. This type of thinking has been proven to be insufficient time and time again.
First, we put up firewalls and thought we were safe. Then we realized we need IDSes and eventually IPSes. SIEMs and other tools were next. These fulfil parts of the equation, but not all of them. Once your defences are static and do not evolve based on feedback of what is actually happening, then they can be worked around. Aligning to only one of Protection + Prevention or Detection + Response will leave gaps.
If modern threats have taught us anything it is that no one solution is going to solve all the problems. We need blended approaches that implement tools to protect our perimeters, but also other tools and systems that can detect anomalous traffic and tune networks on the fly to respond.
No significant Information Security standard – be it ISO 27001, the NIST Cyber Security Framework, Webtrust, or others – stops at simply doing one aspect of security. The key is to keep them balanced and all fed with tools, resources and funding to enhance capabilities across the board.
Many companies think that once they have a few tools deployed to control their perimeter they are done. But how effective are these tools that they have deployed? Just because the tools don’t detect anything doesn’t mean that there is nothing there. For each tool that is deployed, businesses should think of how they will measure its effectiveness.
- What did traffic look like before it was deployed?
- What does it look like after?
- What would it look like if it wasn’t working?
- What could it be missing?
Understanding the limitations of tools that are deployed is key to understanding what else you should be monitoring for and being able to feed this into your Risk Management processes to forecast the next tools that you should be deploying. Reacting after an attack is too late. The damage is done.
It’s not a question of Protection + Prevention or Detection + Response, it’s more of a question of Protection + Prevention + Detection + Response. The hope would be that if you are monitoring your current tools, then you will detect gaps before they are an issue and the Response will then be a planned upgrade or deployment as opposed to an incident investigation.
By David Broad, Information Security and Audit Lead, Echoworx