Enterprises are increasingly aware of the growing need to invest in sound security measures capable of securing valuable company data in the ever-evolving threat landscape. But in the face of budget constraints, some companies find themselves weighing the pros and cons of investing in threat detection versus prevention. Is it possible to achieve a robust security posture by investing in either detection or prevention alone? What should today's enterprises prioritize in terms of security investments, and why? What's the appropriate ratio of security spend that should be dedicated to prevention efforts and detection measures?
There are various angles to consider and explore when it comes to this subject. However, it's one of the most pressing questions facing enterprises today as companies seek to cut wasteful spending and reduce IT costs while improving their security posture.
To gain some insight into the choice between detection and prevention and what today's top IT and security pros view as the top priority, or if it's possible to prioritize one over the other at all, we asked a panel of seasoned experts to answer this question:
"Should enterprises focus security investments on detection or prevention?"
Find out what some of today's IT leaders have to say about prioritizing security investments below.
Meet Our Panel of Security Pros and IT Experts:
Joseph Steinberg
Joseph Steinberg is a cybersecurity expert and entrepreneur who founded the information security companies, Green Armor Solutions and SecureMySocial. He invented several popular cybersecurity technologies in use today, writes a column on cybersecurity for Inc., and is the author of several books on information security.
“Enterprises need to invest in…”
Both detection and prevention capabilities - and, in fact, they already recognize that this is true when it comes to physical security. How many firms have guards, and utilize locks and alarms on their doors, yet have motion detectors and/or security cameras inside their buildings? The same is true in the information security world. It is necessary to have both preventative mechanisms as well as ways to detect and address breaches after they have already occurred.
Jason Straight
Jason Straight is Sr. VP of Cyber Risk Solutions and Chief Privacy Officer of UnitedLex Corp. Delivering incident response, network security monitoring, SOC-as-a-Service and strategic advisory services, Jason and his team help organizations of all sizes understand their unique cyber risk profile, and design an information security program that mitigates risk and minimizes costs.
“The short answer, of course, is…”
Both. The key is finding the right balance of the two given an organization’s risk profile. For most enterprises, security investments are substantially “overweighted” in favor of prevention. A rebalancing exercise that emphasizes detection and response capabilities will typically pay significant dividends. The information security industry has ballooned into a $75 billion behemoth largely by selling prevention tools and technology that have proven to be inadequate in the face of increasingly determined, sophisticated and abundant attackers. Abandoning prevention completely is not an option; the fact is that perimeter protection is still an essential part of a mature cyber risk program. It is just no longer sufficient.
Multiple factors such as the erosion of the enterprise perimeter, insider threats, as well as the rise of adversaries skilled in “low and slow” attacks or social engineering exploits designed to elude even more sophisticated prevention tools have rendered reliance on prevention tools and techniques a losing strategy. To be fair, the security industry has made big improvements in prevention by enhancing the effectiveness of threat indicator dissemination and by applying artificial intelligence and big data analytics to the task of recognizing and suppressing malicious code. Every organization should examine these new tools and determine which platforms will give their security posture the biggest boost. But the reality is that a determined attacker will eventually make their way onto your network – whether by using compromised credentials, exploiting a third party vulnerability to gain entry or finding a gap in external defenses. Every organization must assume that its perimeter protections have failed and will continue to fail. Accepting this reality will naturally lead to a focus on impact control and response.
Many security startups in recent years have accepted this new reality and have focused on detecting anomalous and suspicious activity occurring inside the network perimeter or on the endpoint. The objective of tools and techniques focused on detection and response is to identify and neutralize an active threat before it has a chance to do significant damage to an organization. The continued maturation of log and event correlation and analysis platforms such as SIEM, User and Entity Behavior Analytics, context-aware Data Loss Prevention as well as the emergence of Endpoint Detection and Response systems has created a powerful array of security solutions that can dramatically improve an organization’s ability to materially reduce the impact of a network intrusion or insider threat. But as any experienced security professional will tell you, technology alone cannot solve your problems.
Becoming proficient at detection and response requires more than an investment in the latest tools and technology. For many organizations, the more important component is the mindset shift that must accompany an increased emphasis on detection and response. Admitting and indeed planning for the failure of carefully designed prevention programs can be a difficult step. Part of this shift involves acknowledging that managing cybersecurity risk is not something that an IT department can do on its own. Input and ongoing involvement from other stakeholders such as Legal, HR, Compliance and other executives responsible for limiting enterprise risk is critical. Any organization that has lived through a significant data breach incident has undoubtedly experienced the convergence of IT, Legal, and Risk firsthand. These stakeholders need to work together proactively to address policy issues such as access controls, sensitive data classification and retention, user behavior monitoring, device usage restrictions, user awareness training, and vendor security.
Another challenge is ensuring your organization has staff with the right skillset to perform effective detection and response activities. Most do not. SOC analysts skilled in active threat hunting and continuous incident response are a scarce – and expensive – resource. Organizations that lack the necessary staff to design, implement and manage a detection and response program may find it easier to engage an outside resource such as a managed security service to augment internal capabilities or to manage detection and response activities. Every organization is different but maintaining a solid internal detection and response capability supported or augmented by external expert resources is often the ideal approach.
Alex Chaveriat
Alex Chaveriat is a senior Security Consultant with SystemExperts specializing in network and application security.
“When allocating budgets for security programs…”
Companies are often left with a simple yet difficult decision: how much of the security budget should be allocated for detection, and how much should be allocated for prevention?
The maturity of the security program is a good reflection of where the budget should be spent. In a security program’s infancy, prediction and prevention tend to produce results that drastically reduce risk quicker; however, as the program matures, detecting and responding to threats becomes more important.
Gartner predicts a major shift toward detecting and responding over the next few years. Sophisticated security testing programs and inclusive methodologies are creating maturity in established security programs. That maturity is allowing companies to deepen their understanding of what is going on within the company’s network, thus driving their security investment toward detection.
Paul Kubler, CISSP, EnCE, SEC+, CCNA, ACE
Paul Kubler is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He's a former employee at Boeing, in the Global Network Architecture division, the nation's largest private cyberattack target. He previously worked at the Flushing Bank, in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices aiding in the prosecution of criminals.
“Enterprises contemplating the best way to allocate security investments…”
Should focus on both. Otherwise you fall into the all eggs in one basket scenario. Putting all the resources in prevention will help significantly - except in cutting-edge attacks or insider threats, where prevention often fails. On the other hand, putting all of the effort into detection will make your IT team exhausted chasing the threats. A state of balance is ideal.
The problem that IT often faces is that many solutions claim to be a catch-all and remove the need for other layers of security. No tool can detect or prevent 100% of attacks. By combining the efforts, an organization can maximize their efficiency. In addition, by focusing on both, odds are you will meet the compliance standards requirements of following the defense-in-depth model, where protection is to be implemented at multiple layers to catch anything that falls through.
Andrew McDonnell
Andrew McDonnell is Vice President, Security Solutions, at AsTech Consulting. Andrew serves as the principal security consultant for AsTech Consulting, independent cyber security experts specializing in software and IT infrastructure security. Andrew has designed enterprise vulnerability management programs and developed robust security practices into software development life cycles (SDLCs) for Fortune 1000 clients.
“If we forego prevention and resolution…”
Detecting security issues will actually create problems as the organization will be aware of security issues with no facility to eliminate them. On the other hand, prevention efforts without corresponding detection can never be sure that the most critical issues have been addressed. These are extreme examples, but we often see environments where extensive security detection efforts have been made but prevention and remediation are not sufficiently organized or supported to keep up. This can easily erode the credibility of security groups who are providing mountainous reports of security issues that cannot be acted upon. Preemptive prevention is the most cost-effective security practice, but even the most robust preemptive security program requires the ability to detect issues that may not have been anticipated. The bottom line is that an effective program requires both detection and prevention, but prevention and remediation need enough resources and support to be able to consume the data generated by detection processes. Detection cannot improve security by itself, and prevention can't know enough to solve the whole problem.
Ron Winward
Ron Winward works for Radware.
“It can be a challenge for security executives to decide where to…”
Focus spending. The industry is continually innovating and refreshing solutions - for the better - but we're often left wondering where to focus our security investments. Three things come to mind; detection, prevention, and personnel.
As a network operator who has designed security solutions for many enterprise customers, my focus was on detection and prevention in the same solution. Using perimeter equipment like certain DDoS mitigation appliances allows for real-time inspection and processing of traffic coming into the network. With the right equipment, you can make algorithmic decision in real-time about the validity of the traffic entering and exiting your network. If it's good, let it pass. If it's bad, block it. If it's interesting, let your perimeter challenge it to determine its validity.
The benefit of a solution like this is you have a machine making many of these decisions in real-time for you. Without this, usually human staff is alerted to a potential threat, and then has to get acclimated to the situation and ultimately make a decision on the potential threat. How long does this take? Is it too late before we can take manual action? What if it happens outside of business hours?
If capex is a concern, many solutions are now available in an opex model where you can pay monthly for security services. Perhaps look to a cloud partner where you can protect against DDoS and web application attacks with an MRC and no equipment on site. MSSP partners are another option, and the benefit to these is that you'll be hiring security experts who focus on complex attacks 24/7.
Many organizations are in the position where they just don't have the security budget they'd like. My recommendation is to focus on detection because you can't fight what you can't see. This doesn't necessarily mean focus your spending on detection though! There are many things you might be able to do to increase your visibility at little to no cost. First, if you have switches that can be managed, monitor them with an SNMP platform.
That same managed switch might have the ability to do port mirroring. Consider using that to your advantage and mirror some traffic to a traffic analyzer probe. It might sound expensive, but it can be a machine that runs Linux and tcpdump, or Windows and Wireshark. Maybe you have the ability to run netflow, sflow, etc. on your infrastructure. Ship that data to a tool that can analyze flow and give you more insight to the data traversing your network. There are plenty of solutions for this, including free, monthly service, or dedicated appliance.
Finally, the human element is one of the things we have the most influence on. Train your employees to be vigilant about security in your network. Train them about good practice with websites, attachments, and other interactions. Perhaps most importantly, train them to freely communicate with your security team about things they're seeing. Sometimes people make mistakes, and they need to understand that they can report security issues without the risk of punishment or embarrassment.
Detection and mitigation in the same solution will give you the most bang for your buck. Mitigation will be faster and more accurate with a combined solution. If that exceeds your budget, look to an opex model and always leverage the tools you have available to you. You can't fight what you can't see. Finally, make sure your employees are doing their part in protecting your organization. Visibility and awareness are often the things you can perpetually influence without breaking the bank.
Joep Gommers
Joep Gommers is the Founder and CEO of EclecticIQ.
“There are two definitive trends in security investment related to the issue of detection vs. prevention…”
The first trend is that enterprises are increasingly looking towards cyber threat intelligence (CTI), being technical and strategic information about cyber threats, to inform – on concert – both preventive planning of security investment and tweaking of its configuration and the day-to-day detection capabilities of security operations. The single effort to improve an organization’s understanding of its own threat landscape allows for more aligned defenses through investments that match reality, ultimately preventing the enterprise from being an interesting target and eventually a victim. Additionally, it allows the verification of that through better instrumentation of detection tooling with predictive and known intelligence about cyber threats.
The second trend is that being on the mindset that prevention is impossible, that – given the widespread and multi-layer architectures of today’s enterprises – improvement of time until detection and remediation is a better use of investment. The focus then shifts from preventing considerably impactful events – rather than security incidents in general. Better to detect many different things quickly then prevent a small number of things. Adversaries really only need one crack to get in through, even if other things are well done.
Tim Francis
As a Vice President, Tim Francis leads Travelers Business Insurance Management and Professional Liability initiatives. He also serves as the Enterprise Lead for Cyber Insurance. In this latter role, Francis has oversight of all of the company’s cyber product management, including products for businesses of all sizes, public entities, and technology firms.
Francis has emerged in the insurance industry as one of the foremost cyber experts, having been quoted in The Wall Street Journal, USA Today, Reuters, Insurance Journal, Property Casualty 360, Business Insurance, CNBC.com, and other premier media outlets. Additionally, he served as co-chair of the NetDiligence Conference and has spoken at numerous other conferences on the evolution of cyber risk and how businesses can protect against them. Francis also is an active member of the Professional Liability Underwriting Society (PLUS) and has served as Chairman of the Hartford Chapter. He is a participant in the Department of Homeland Security’s Cyber Incident Data and Analysis Working Group (CIDAWG), an ongoing private-public engagement that is examining how a cyber incident data repository could help meet the information requirements of insurers, CISOs, and other cybersecurity professionals.
“In considering whether to prioritize detection or prevention in the enterprise…”
Business leaders rank cyber risks as their second biggest concern according to the second annual Business Risk Index from Travelers. While leaders cite cyber risk as among their biggest concerns, they also report cyber risks is an issue they are least prepared to address. Twenty nine percent of all businesses list cyber threats as one of the risks they are least prepared to face, and only 33 percent of companies have a cyber or data breach plan in place.
Thinking about how to respond to a cyber event after it happens is a poor strategy. Business owners need to consider cyberattacks just as they would any other risk - like fire, theft, or severe weather - and establish both strong security practices and detection and prevention systems. Some relatively simple steps can go a long way towards lowering the odds of one occurring and lessening the impact if an attack does happen.
- Know your data. A company cannot fully know how much is at risk until they understand the nature and the amount of data they have.
- Create file back-ups, data back-ups and back-up bandwidth capabilities. This will help a company to retain its information in the event that extortion occurs.
- Train employees to recognize spear phishing. All employees should learn the importance of protecting the information they regularly handle to help reduce exposure to the business.
- Do background checks on employees. Background checking employees can help identify whether they have criminal pasts.
- Limit administrative capabilities for systems and social footprint. The less employees with access to sensitive information, the better.
- Ensure systems have appropriate firewall and antivirus technology. After the appropriate software is in place, evaluate the security settings on software, browser and email programs. In doing so, select system options that will meet your business needs without increasing risk.
- Have data breach prevention tools, including intrusion detection. Ensure employees are actually monitoring the detection tools. It is important to not only try to prevent a breach, but to make sure that if a breach occurs, the company is aware as soon as possible. Time is of the essence.
- Update security software patches in a timely manner. Regularly maintaining security protections on your operating system is vital to them being effective over time.
- Include DDoS security capabilities. It is important to have the ability to avoid or absorb attacks meant to overwhelm or degrade your systems.
- Put a plan in place to manage a data breach. If a breach occurs, there should be a clear protocol outlining which employees are part of the incident response team and their roles and responsibilities.
- notifying customers;
- assessing the scope of the breach;
- handling legal policies and procedures to report the event; and
- contacting your insurance agent and carrier, and managing communications.
There also must be a clear protocol in place to identify which employees are managing each component of the plan.
If an event occurs and data is exposed, it is important to quickly ascertain how widespread the breach was and if systems are secure. Data should also be categorized to determine whether personal information was compromised, such as Social Security numbers, medical records, or financial information. This will enable the company to accurately and quickly notify customers about what took place.
Companies should identify and utilize external resources to assist in managing a cyber-event. A breach coach or attorney experienced in security and privacy compliance issues can assist with this. The breach coach can also help gather facts surrounding the incident, such as when and where the breach occurred, man-hours spent recovering, and estimates for the overall cost of remediation. These details are necessary to help re-secure a company's data network, refine the internal and external communications plan, and serve as evidence if the data breach results in a legal battle.
Responding to a breach and navigating the legal landscape in the aftermath of a cyber-attack can be complex and requires specific expertise in the field of cyber and privacy law. Your cyber insurance carrier or agent should be able to connect your business with an experienced breach coach to help it recover from an event.
Once a company determines how, when, and where the breach occurred, its IT staff should check to ensure that the data is secured with necessary patches or fixes. Systems should be tested and re-tested thoroughly to help identify process gaps and confirm that sensitive company and client data are secure.
Mike Meikle
Mike Meikle is a Partner at SecureHIM, a security consulting and education company. They provide cyber security training for clients on topics such as data privacy and how to minimize the risk of data breaches. Mike has worked within the Information Technology and Security fields for over fifteen years. He speaks nationally on Risk Management, Governance and Security topics. He is also a published writer with articles that have appeared in American Medical News, CNBC, CIO Magazine , Los Angeles Times and Chicago Tribune. Mike holds a Certified Information Systems Security Professional (CISSP), a Project Management Professional (PMP) and Six Sigma Green Belt.
“There are some basic components to an effective security program that…”
Do not involve large technology expenditures. One is to keep your infrastructure (servers, workstations, networking gear) up to date (software patches, hardware refreshes), physical security around critical components, endpoint protection (anti-virus/anti-malware) and user training. Most security breaches gain a toe-hold due to an error by the user or malicious user intent.
On the risk management process side, organizations should know what is riding on their network and accessing their applications. With appropriate asset, network, log and mobile device management controls this would be a relatively “easy” process. However certain industries, healthcare and government for example, lack a certain IT maturity level that other industries take for granted (see financial). Establishing proper asset management and data management processes and procedures should be a high priority for industries with sensitive information.
All of these basic tips contribute to a “Defense-in-Depth" approach for layered enterprise security.
However if I had to choose, it would be to invest more in detection technologies and processes. The reason behind this choice is manifold. One, the cybersecurity industry has promoted the concept that it is “when, not if” you experience a cyber breach. To combat this reality, industry experts have suggested that an organization invest more in incident response, monitoring and tools that aggregate logs and data to look for malicious patterns (SIEM). Basically detection-based tools and processes.
Second, cybersecurity threats are constantly evolving and quite a few of today’s leading threat prevention technologies can miss zero-day and malware attacks frequently. In order to mitigate this risk, an organization needs to devote significant resources to monitoring the corporate environment for suspicious activity, such as ransomware encryption processes, multiple invalid logins, rogue access points and phishing/whaling email activity. Once again detection-based tools.
Andrew Bycroft
Andrew Bycroft is a 21 year cybersecurity industry veteran, author of the book The Cyber Intelligent Executive, and CEO of The Security Artist, the go to security advisory firm in Asia Pacific for executives who are serious about emerging as heroes rather than villains when cybercriminals target their organization.
“Should you invest more in detection or prevention? That’s a common question that I hear at least once a week…”
When running workshops with executives, however, any vendor, integrator or service provider who answers that one is better than the other is either biased or misinformed. The answer is that both of these are required and, even then, that is not enough, but before we get into what exactly is required, let’s analyze the problem a little deeper. Cybercriminals are so successful because they rely on five different tactics which rarely fail. Firstly they require that assets have vulnerabilities. This is natural; if it was created by humans it is bound to have imperfections. Next, cybercriminals rely on those vulnerabilities being exposed to threats. As mobile devices and the cloud are prolific, this has increased the level of exposure. Cybercriminals also rely on threats not being predicted and prevented. Whilst there are a lot of technologies that can prevent known threats, zero day threats and advanced persistent threats (APTs) are difficult to predict and prevent and therefore manifest as an attack. When a threat has progressed to the attack stage, cybercriminals are relying on the failure to detect and respond to it. This is evident by research conducted by organizations such as Verizon in which the time from infiltration to detection averages more than 200 days. An attack which is not detected and responded to becomes a breach. Finally, cybercriminals also rely on a breach not being confirmed and recovered from rapidly, affording them extra time to gain a stronger foothold, leapfrog into other targets, or having ample time to complete their intended mission. Ultimately the failure to confirm and recover from a breach increases the overall impact to the targeted organization. Cybersecurity teams are tasked with minimizing impact, and the best way to achieve that is to have the people, process, technology and communication required to:
- Identify and classify critical assets
- Discover and remediate vulnerabilities in those assets
- Predict and prevent threats from targeting those vulnerabilities
- Detect and respond to attacks that were not prevented
- Confirm and recover from breaches that were not detected
Greg Edwards
Greg Edwards is the CEO of WatchPoint Data. As CEO, Greg is driven to build a superior, global cybersecurity firm to defend small and medium businesses from the cybercriminals lurking in the shadows of the Internet.
“Enterprises should focus security investments on…”
If you put a gun to my head, I'd choose detection. Choosing between detection and prevention isn't an either-or question anymore; you have to do both. One big problem we have is that IT departments and executive boards still don't understand the difference between prevention and detection.
Ebba Blitz
Ebba Blitz is the CEO of Alertsec - the only Laptop Encryption as a Service provider. Ebba has been on the board of Alertsec since the start in 2007, and specializes in sales and fast deployment of IT security. Ebba has also been covering the tech sector as a journalist for more than twenty years, and was the host of Sweden's version of Shark Tank. Ebba Blitz is also a much-appreciated moderator and keynote speaker on IT security and compliance.
“One challenge with the detection approach is that it…”
Tends to create too many false positives. Even the most agile IT security department can have a hard time distinguishing the severity of a threat when they come in very large numbers. I'd rather focus on prevention. It all begins with setting up Policies and Procedures as we know that a majority of security issues are caused by the human error. Make sure that you protect your information by setting up best practice security for Firewalls, Anti-malware, Full Disk Encryption and multi-factor authentication. The next level of high IT security is to also make sure that third-parties don't jeopardize your data. Require that any consultant, accounting firm, vendor etc. take IT security as seriously as you in order to do business with you.
Eric Yaillen
Eric Yaillen is the President/CEO of The Identity Defenders (a division of CogniLogic, LLC).The Identity Defenders provides whole identity management solutions for individuals, families and businesses.
CogniLogic provides consulting services to small businesses in the areas of strategic business planning, brand development and execution, strategic marketing communications, and social media.
“I believe enterprises need to invest in both prevention and detection…”
It really cannot be a question of whether a company should invest in detection OR prevention. Investments must be made in both. In the U.S., whether it’s the FTC’s Red Flags Rule, GLBA or HIPAA, prevention is often a regulatory requirement (most states, provinces and the European Union have regulations that businesses must follow in regard to privacy laws.). But just because one has a prevention program, that does not eliminate the possibility for data to be breached in some way or the other. It very well could be an employee that steals information that compromises a company. Therefore, detection needs to be an integral component of a company’s security investments.
Benjamin Caudill
Benjamin Caudill is the CEO and Founder of Rhino Security Labs, a cyber security firm in Seattle, WA specializing in penetration testing. Benjamin has been featured as a top security researcher in Wired, Forbes, CNN, New York Times, and elsewhere, having identified vulnerabilities in anonymity tools and other popular software.
“In a perfect world, your enterprise's security infrastructure would…”
Never allow anything past its firewalls. Prevention would be as easy as buying a security package and deploying it - securing your environment end-to-end. Although as history shows us, nothing is unhackable and total prevention is a mere illusion. Therefore, enterprises should not only concentrate investments on detecting threats but also appropriately responding to them once detected. While investments into detecting risks in your environment may let you know what risks are present on your network, in the case of ransomware it may be too late to respond to a threat; leaving you with a troubling ultimatum – pay or have your data locked forever. That is why a stout security program has all three pieces of the security model: prevention, detection, and response. Creating a depth-in-defense layered strategy across your network.
Emmanuel Ouanounou
Emmanuel Ouanounou is a Software Engineer at SaferVPN, a fast-growing cybersecurity SaaS company providing online security, privacy, and freedom to hundreds of thousands of netizens worldwide. SaferVPN is known for leading the industry in simplicity and ease-of-use with one-click applications for Mac, Windows, iOS, Android, and Chrome as well as customized business solutions.
“When it comes to investing in either prevention or detection, I would recommend focusing on…”
Prevention. I know that most companies building apps invest a great deal in this. They even send their products to hackers so that they can check if they are safe enough, and the hackers then tell them how to solve the potential vulnerabilities. I would say the efforts spent on prevention are more than worthwhile because if, at any time, someone enters the product and does something wrong, then the entire project is in danger. Prevention is key!
Arpit Joshipura
Arpit brings over 25 years of industry experience in enterprise IT and the security ecosystem to Prevoty. His past roles include VP of Product Management, Strategy & Marketing at Dell, through the Force10 acquisition where he was CMO. He has been instrumental in moving closed and proprietary IT and infrastructure to an open, secure and software-defined world. He has served in executive leadership positions in startups and enterprises throughout the Silicon Valley.
“Traditionally enterprises have had to make tough choices between…”
Detecting vulnerabilities or preventing attacks (Detection/Prevention- the two sides of the security coin). For enterprises it becomes a double challenge: 1) detect and prevent vulnerabilities in Development/QA and 2.) detect and prevent vulnerabilities/attacks in production.
The first challenge is achieved by SDLC process adoption and the use of Dynamic or Static Testing Tools (DAST/SAST). However, business pressures and movement to DevOps requires developers to bypass controls and push applications into production with known vulnerabilities. Detecting vulnerabilities is only effective if enterprises fix the vulnerabilities. A recent study done by Ponemon Institute stated that over 90% of enterprises have vulnerability backlogs of up to 5000. With that being said, enterprises need visibility into real product attacks (XSS, SQLi, etc.) to allow prioritization of engineering efforts. Along with that, Runtime Application Self-Protection is a new technique that will allow applications to protect themselves.
Cody Cornell
Cody Cornell is Founder and CEO of Swimlane, a developer of cyber security automation solutions. The company's Swimlane platform centralizes an organization's security operations activities, automates incident resolution, and integrates with threat intelligence. A respected authority on cyber security, Cody Cornell is responsible for the strategic direction of Swimlane and the development of its security operations management platform. Cody is a frequent presenter on information security at forums such as the Secret Service Electronic Crimes Task Force, the DHS Security Subcommittee on Privacy, and National Public Radio (NPR).
“Enterprises need to focus on…”
Both detection and prevention to protect themselves. While enterprises have spent a lot of resources and money on threat detection, not a lot of attention has been paid to improving the operational performance through automating security response. With automation, enterprises as well as managed security service providers can become more effective in their ability to significantly reduce process execution time; lower operating costs; improve incident response capabilities; and deliver more robust security operations services to the enterprise or customers. Automated incident response solutions can reduce manual effort by automatically responding to alerts, gathering related threat intelligence, and automating the implementation of security controls, all of which aides in protecting organizations from future attacks. While enterprises understand the value of detection and prevention, they are quickly realizing that a detection alarm with no response is about as valuable as no detection at all. To win the security battle, organizations must address the pain points and automate to make a difference.
Brian Greenberg
Brian Greenberg works for General System Dynamics. He has been in the IT industry for over 25 years and is an expert at data storage and data protection and pioneered the first eDiscovery product for backup data (data on tape, disk, and in the cloud).
“Enterprises should focus security investments on…”
It’s not one or the other. You must have both to some degree. First, you can never fully secure your systems. Put that notion right out of your head. It’s not a question of ‘If your security is breached.’ it’s a question of ‘When you get breached.’ Then the question is how will you respond. If you invest in detection measures, your response will be much more effective than if you didn’t invest in them. I was at a company a number of years ago and shortly after I joined the company, I discovered that they had been breached eight years prior and the hackers were in the systems the entire time. They didn’t have any detection for those systems. It caused systems to crash randomly over the years and they couldn’t figure out why. Revenue was lost due to the breaches. If they had detection in place, they would not have lost nearly as much revenue. Oh, and they did have prevention in place. Unfortunately, it wasn’t being used correctly so the detection was even more valuable to have.
Lewis Daniels
Lewis Daniels is the Innovator and Founder of Salvador Partners. Lewis has over 10 years of manufacturing experience, having created and managed a number of companies ranging from engineering to sub contracting electronics facilities. Lewis has worked in the Cyber Security industry for the last 6 years developing a global network of professionals along with a number of products – with just a small team, Lewis developed a secure Android tablet, plus various payment systems and military spec equipment.
“For enterprises trying to properly allocate security resources…”
It's a tough question about prevention or detection being the investment focus. You will always have a different answer. I think deep down it depends on the type of organization, depending on what IP they hold and how salvageable it would be if something goes missing. The main issue for any security expert is the human user above anything else. You can legislate and buy technology all day long, the weakest link - always human.
You can try and prevent and 9 times out of 10 you will be safe, but it's pretty much the same to detect. Attacks are becoming more sophisticated, people however are also becoming more complacent. You won't stop a user taking an enterprise owned piece of data out of a controlled environment - when they want to make their day easier. So a hybrid approach is best; invest in people, learning (by this I mean the risks), invest in tech to make the job easier for data sharing securely, but it's as important to have a budget for detection just the same.
Alejandro Salas
CSW Solutions is a Chicago-based custom software consulting and development firm. They excel at providing the right technology solutions and being a true technology partner. His experience includes every step in the software development cycle, from requirement analysis, time estimation, design, implementation and deployment. His programming expertise includes C#, JavaScript, and Java among others.
“This is definitely not a question of one or the other…”
Both measures are necessary.
It is no good to just know that your system is being breached (detection), that means someone already has access and could hurt your company by tampering with valuable information. If you are not doing anything to prevent it, or to have some security in place (prevention), you will always be wondering what day will be the day that you get attacked. You need to create a system that supports itself.
My recommendation would be to work on them in parallel. Maybe with somewhat of an inclination towards prevention in the beginning. Prevention is key when identifying threats because when the breach is made it is more costly (economically and manpower) to revert the damage done. Not even mentioning the risk of losing or compromising valuable information in the first place!
K Royal
K Royal is the Vice President, Assistant General Counsel and serves as the Privacy Officer for CellTrust. An attorney and compliance professional with 20 years of experience, K is skilled in privacy law, breach management and compliance, and was recently honored as the AGC's 2015 Robert I. Townsend, Jr. Member of the Year.
“The best way for enterprises to allocate security spend is through…”
A combination of both. The biggest gap in privacy and data protection today is our tendency towards capturing data electronically without protecting it. We back it up, recover it, and never delete it - and we still do not encrypt in transmission and in storage.
Let's use enterprise mobility as an example. As more and more companies begin implementing a Bring Your Own Device (BYOD) policy, corporate privacy and security are put at risk. Employees are using their own mobile devices for both work and personal use, and engaging in behavior that could potentially put companies in jeopardy, if not properly monitored. While most companies use security applications for email, they are still lacking security for voice and text communication, two features used regularly by the younger generation. Without security, privacy cannot exist.
Emmett (Trey) Hawkins
Trey oversees the architecture, implementation, training and evolution of Leapfrog’s core technologies. Trey was a co-founder and CTO of Virtex Networks, Inc., one of the nation’s first IT infrastructure service providers. Virtex was acquired by Leapfrog in 2001. Trey is currently a member of InfraGard, a cooperative undertaking between the U.S. Government, businesses, academic institutions, and law enforcement agencies that are dedicated to increasing the security of United States’ critical infrastructures.
“When asked about prevention and detection…”
This cannot be an either-or proposition. Detection without prevention is unmanageable. Prevention without detection cannot be measured for effectiveness.
Idan Udi Edry
Idan Udi Edry is the CEO at Nation-E. Edry is a distinguished veteran in the fields of information technology and data security, as well as an experienced leader driving innovation and execution at scale. Edry has mastered multiple disciplines and has accumulated 13 formal certifications from the world's most renowned IT and telecommunications institutes.
“If a company is trying to determine whether to focus their investments…”
On detection or prevention of cyber-attacks against their organization, it's important to know that both detection and prevention are most successful together, rather than on their own. The dynamic growth of new threats attacking an organization's vulnerabilities requires timely adjustments to the methodologies in the prevention and detection cycles. A change in one phase affects the entire process in some form. A proactive strategy adjustment in the prevention phase will adjust the detection, and even response activities.
To successfully defend against a cyber-attack, an organization must be properly prepared. In many cases today, proper protection is too expensive - this is why 3rd party organizations are now offering both detection and prevention as a service to set a proper baseline security. That would be a good first step for smaller organizations. For the larger ones, it would require the establishment of a well-funded, strong security team that would establish a strategy for detection and prevention for organizations.
Luis Corrons
Luis Corrons has been working in the security industry for more than 17 years, specifically in the antivirus field. He is the Technical Director at PandaLabs, the malware research lab at Panda Security. Luis is a WildList reporter, and a top rated industry speaker at events like Virus Bulletin, HackInTheBox, APWG, Security BSides, etc. Luis also serves as liaison between Panda Security and law enforcement agencies, and has helped in a number of cyber-criminal investigations.
“I think that having to choose between detection or prevention is…”
Not a good strategy. Both are important and have to be addressed. With prevention, many attacks can be stopped, which is always a good approach. But we have to be realistic and know that there is no perfect system, and that at some point our systems will be compromised. That is where being able to detect a breach in real time is priceless.
Vadim Vladimirskiy
Vadim Vladimirskiy is the CEO of Nerdio, formerly Adar IT, a cloud based IT company in Chicago.
“That's a trick question…”
Ideally, an enterprise will have at least a minimal investment in both. With that said, I strongly recommend a prevention-based approach to security. Putting a lot of hardware, software, and expertise into maintaining security in our data centers is going to be key, but realistically, a determined hacker might still find a way to get into the system. To safeguard against this, a proper back up to your prevention strategy with a suite of system health monitors to keep an eye on the network traffic is key.
In our experience, prevention includes a lot more than just Windows firewall at its default setting. I strongly recommend hardware firewalls backed up with Intrusion Prevention Systems (IPS) to filter and block intrusion attempts, as well as a deep inspection of the firewall rules to make sure that a default setting isn't leaving a gaping hole in your defenses. Sometimes we find that small and medium businesses just aren't equipped to handle that sort of support - either their budget doesn't include a security specialist, or the configuration and monitoring is just too time consuming. In that case, we recommend using managed security services to prevent and monitor for intrusion.
Huey Huynh
Huey Huynh is the President/CEO of Business Data Services, a local and trusted IT company based in the Greater Kansas City Area. With over 25 years of experience in the IT industry and a passion for helping others, he provides enterprise level solutions tailored to small and midsized businesses at a lower cost. He has been an advocate for enterprise security for the last 25 years.
“Enterprises should invest in both security detection and prevention, because…”
They are both important and focus on different aspects of security. However if your security investment budget is limited and your company can only invest in one, I recommend focusing your security investment on prevention.
One might argue that security detection is more important, because if you can detect security threats, then you can stop them in their tracks. However, vulnerabilities come from many sources and are dynamically changing. What we know about vulnerabilities and threats today may not be applicable tomorrow (or even the next hour). If we don't know about the threats, we can't detect them. Therefore, focusing your security investments on prevention would be the better choice.
If enterprises proactively work on security prevention, they can identify and remedy their vulnerabilities before they become security threats. This approach also changes the paradigm from reactive to proactive. As enterprises become more proactive in security prevention, they reduce their vulnerabilities. Hence, they create a more secured environment.
In conclusion, when it comes to security investment, prevention and detection should be considered as one. Your environment is vulnerable if you neglect either one. However if you must pick one because of budget constraints, I recommend focusing your investment and energy on threat prevention.
Sheila Lindner
Sheila Lindner is the President of Octacom. As President of Canada’s foremost provider of high quality document management and business process outsourcing solutions, Sheila oversee a fantastic team of people. She strongly believes that their employees come first, and that their quality people will guarantee quality services for their clients.
“I always recommend that companies focus a larger portion of their online security investments on…”
Preventative measures rather than solely on detection. While detection is important in identifying that there is a problem, industry-leading companies will never rely solely on a reactive approach to security. It is much more efficient and pragmatic to set up a system to prevent problems before they develop into something bigger. In a digitally-driven society, large amounts of personal information are exchanged online, making preventative security measures of the utmost importance for businesses to provide safe and reliable customer and user services.
Yves Dorleans
Yves Dorleans is Director of Information Security at Continuum.
“Solving security issues requires a multi-faceted strategy, and care should be taken to…”
Allocate funds based on risk prioritization. Security requirements, as most people know, can be a roadblock to conduct business with the speed and efficiency that is needed, however when you look at the importance of conducting secure transactions, and the risk of losing customers from the impact of a security event, business and security processes should be aligned.
Detective and preventive security controls work very differently and serve different purposes in the organization. They usually work in tandem to provide several layers of safety for internal assets and users. As the name describes, preventive controls block intruders or prevent users from processing transactions that the firm deems dangerous, and could either violate current policies or standards or cause the firm to incur significant financial or reputational loss.
Detective controls are usually called compensating, or backend controls, as the name implies, they complement the preventive controls. Usually implemented in the form of report reviews, user access list, exception reports, and processed transactions to ensure that current policies and standards have been followed. Every security countermeasure implemented needs to be based on a thorough risk assessment of the key assets within the enterprise, to ensure funds are not spent on protecting low priority items. Controls are not implemented once, and then the key thrown away. Risk assessments need to be updated on a yearly basis or as needed as the computing environment changes.
Pete Kofod
Pete Kofod is the Founder of The Sixth Flag. Pete is a U.S. government security advisor in addition to his role at TSF.
“While enterprises should invest in both detection and prevention, one area that is rarely addressed is…”
The need for processes and toolsets to address containment and mitigation. The ability to determine extent of condition, establish containment boundaries and begin the remediation process is frequently a disorganized activity. As Advanced Persistent Threats and zero day exploits continue to plague enterprises, security teams should draw two sobering conclusions. First, for planning purposes, a breach should be considered inevitable. Second, based on the conclusion that it is inevitable, mitigation frameworks, policies and toolsets should be evaluated and adopted. At The Sixth Flag, we have developed the concept of Cell Structure Security to address mitigation, but there are several frameworks in the industry. Organizations should take the time to consider how organized the response to the next breach will be.
Olivier Leblanc
Business Development with BANG Industries, Olivier works with small to medium businesses to help find the best IT managed services solutions to suit their business needs - including security and cloud management solutions.
“Digital transformation is changing the way we do business by…”
Changing business models and value chains, of every kind, across the globe. Today, IT is ubiquitous and we interact with it every day from spending hours a day online, to managing our personal and professional mobile banking, to sharing and collaborating via cloud services and the ever increasing number of mobile devices we use day in and day out. As a consequence, the size of the “Attack Surface” and the opportunities for Malicious Entry have grown exponentially. Malware attacks are no longer generated by just rebellious teenagers laying out from a basement somewhere, cyber attacks are serious, organized and sophisticated. There are many cyber actors; from insider threats, to nation states, to hacktivist, to cyber terrorist, to industrialized hackers and they are all emerging on the attack surfaces, threatening IT security. Their playground can be social media, enterprises, cloud computing, BYOD-IT, conned IoT devices and more.
This is why both detection and prevention are vital in helping organizations safeguard against the various, powerful threats from across the internet. Should enterprises focus security investments on detection or prevention? The correct answer is both. Prevention can protect enterprises by preventing attacks, often by reducing exposure and blocking intrusions via countermeasures like encryption, anti-viruses and firewalls. Detection is an iterative process that helps identify and flag compromises, usually with cycle hunting, assessing, and prioritizing secure information accesses, event management and utilizing sandboxing. It is important to know that no matter what you do, something is going to happen but the important thing is what you do next. We have to respond by remediating any attack, restoring normal operations, reporting impact, adapting for future breaches, restore systems and refine incident responses. The key is to be careful, but also ready, for any eventuality to minimize the impact of an attack on your business.
Adam Bennett
Adam Bennett, founder and vice president of Cloudburst Security has over 16 years of progressive cybersecurity and leadership experience. He is a frequent speaker at national conferences, as a cyber thought leader and subject-matter expert. He has extensive operational knowledge of attacker tactics, techniques and procedures (TTPs), and tradecraft. Bennett has focused on securing both government and commercial networks. He has broad experience across security disciplines, including over ten years managing Advanced Persistent Threat (APT) activity within both DoD and civilian government agencies. Bennett holds a degree in Computer Information Systems from Eastern Kentucky University.
“Let's compare dental care and cybersecurity care for a moment…”
When you think about going to the dentist, would you rather practice prevention or detection? Do you want to prevent cavities or have to literally drill down when problems arise?
Organizations concerned about cybersecurity should practice both prevention and detection because they are both part of a well-designed, in-depth cybersecurity strategy. Just like going to the dentist - we must brush and floss, but we still need to fix issues that arise. However, organizations concerned about cybersecurity threats should focus on prevention first, for these three reasons:
- Organizations must have preventative measures in place: You always want to stop an attack or data breach before it happens. There are less effort and funds spent in prevention versus detection, including the incalculable losses following an attack or data breach.
- Prevention supports detection: All major security products, with prevention capabilities, provide logging/alerting for blocked attacks and integration with SIEM (security information and event management) solutions. Through this logging/alerting, correlation, and reporting; organizations gain both prevention and detection capabilities.
- More rapid detection and remediation: Prevention data helps organizations to better fine tune detection mechanisms. The data that is gathered during the prevention process helps to provide organizations with more informed detection tactics. You receive immediate detection benefits from your prevention countermeasures, allowing you to create the most robust IT network defense.
Lohit Mehta
Lohit Mehta is a Security Researcher for InfoSec Institute, an IT Security training company.
“Organizations should understand that if they need to have protection, they must go with…”
A combination of both.
Detection + Prevention = Protection.
This will allow organizations to balance their investments and not exhaust them in one direction over the other. Prevention technologies looked great before new age malware came into play, which can no longer be detected by signatures or simple heuristics. Since attacks have become sophisticated, it's almost impossible for organizations to prevent all incidents occurring from both a trusted network (internal) or from an untrusted network (internet). Thus they can't simply rely on the incidents they managed/responded to which alerted through prevention technologies. To better understand the attack, detection technologies are better suited as they build up an attack profile which can be provided as an input to prevention technologies. According to Gartner’s predictions, by 2020 organizations will increase their investments in detection technologies by up to 75%.
Evin Callahan
Evin Callahan is a Cloud Architect at Napsty, LLC. Evin has been an infrastructure engineer for the past 10+ years with 5+ years cloud experience, with focus on scalability, security, and functionality to allow businesses to think less about technology, and more about bottom line.
“Security should be a combination of…”
Strategies, not just the binary and mutually exclusive “detection” vs “prevention”. It should also consist of “awareness” and “education of employees” (i.e., noticing phishing attacks, designing technologies to be secure), for example, or creating “reactive” tooling to catch anomalies or hackers.
There should be multiple layers to security, like the layers of an onion. A single prevention or detection mechanism is not enough to the evolving and sophisticated attackers in the wild.
That being said, if a decision needs to be made on one of the two, I’d say security and technology experts need to push back to management and dedicate the resources to the two of them. I believe prevention is more important, but it’s still useless if an attacker has enough persistence to get through the layers of prevention that’s set up, and so a method to detect and react is needed.
Lina Danilchik
Lina Danilchik is the head of the PR department in Falcongaze Company, which is the vendor of information security, operational risks management and work processes optimization solutions. Lina has been working in the sphere of information security for almost four years.
“Enterprises that place detection at the forefront definitely benefit from…”
This measure. They monitor data at rest as well as all communications and data transfers - so that they can detect all threats in time, which in fact allows to take action and prevent data leaks. So in a certain way detection actually involves prevention. On the other hand, if speaking about detection after an incident took place, of course prevention would save time, money and in some cases reputation.
Summing up, the best scenario is to detect and then to prevent. However, one should not also underestimate incidents investigation in hot pursuit, which after incident detection allows.
Dave Ginsburg
Dave Ginsburg is Chief Marketing Officer, bringing to Teridion 25+ years of experience spanning corporate and product marketing, product management, digital marketing, and technology partnerships.
“Prevention is almost always superior to detection…”
We can first draw parallels to the cost of bugs, where it is much more cost effective to detect during requirements gathering than in production. It is a hundred-fold difference, from $100 to $10,000. The same holds true with security, where avoiding a breach in the first place is more cost effective than waiting for it to be detected. In fact, the typical attack takes 3-6 months to detect and by that time, the damage is already done. Witness attacks in retail and media that resulted in compromise of tens of millions of customer records. And, as more enterprises move critical businesses to the cloud with a greatly expanded threat surface and employees accessing critical data from any device in any location, their approaches must evolve as well. Now, with all of the above, if for some reason prevention fails, enterprises must still have in place means of detection.
Alex Pezold
Alex Pezold is the CEO and Co-Founder of TokenEx. A former Qualified Security Assessor (QSA) with the PCI Security Standards Council, Alex has developed a mindshare in the compliance and risk reduction arena. Alex has held his CISSP (Certified Information Systems Security Professional), holds CNSS Certifications, and holds a Masters of Science in Computer Science with emphasis in Information Security.
“Enterprises should focus on both detection and prevention, however…”
They should actually focus on a 'fail safe' as well. This means actually protecting sensitive data within their environment directly, so should a breach occur, data is not compromised. Ultimately a company has a checklist of steps they should take, starting with assessing government standards.
Achieving compliance with regulations such as HIPAA, HITECH, PCI and other requirements means developing a complete understanding of an organizations full environment. The first step is to establish an overall outline of risks and controls. This is commonly known as Enterprise Governance, Risk and Compliance (eGRC). In eGRC, we would develop a Risk Framework to measure the maturity of Risk Control Items. This would include addressing items such as compiling a Sensitive Data Inventory, performing a Vulnerability Assessment, reviewing Entitlements Management processes, implementing a Data Loss Detection / Prevention scheme and ensuring that Data Governance is being performed.
A plan needs to be implemented to address both Internal and external breach risks and should include the following areas:
- Physical Security
- Encryption
- Data Loss Prevention (DLP )
- Cyber Attack Prevention
- Reducing Instances of Sensitive Data
- Restricting Access to Sensitive Data
- Entitlements Management
Internal staff are also demanding more and more while stretching the knowhow, capabilities and compliance to regulations in ways as never before. This is evidenced by the impact of Bring Your Own Device (BYOD). To address BYOD privacy issues we need to understand where sensitive data exists in our environment, develop plans to manage the sensitive data that is in our inventory and plan for getting to the appropriate level of maturity to safe-guard data.
Sensitive data that exists on a mobile device must be protected. There should be secure channels of communication to and from these devices. The amount of sensitive data being sent to mobile devices should be minimized.
The environments that our data lives in are growing increasingly complex. The growth of data is accelerating, there are new ways to access data and the legislative environment is getting more stringent. Without proper planning, implementation of robust controls and taking actions to prevent data loss from both internal and external sources, enterprises will struggle to function. They will be under attack from regulators, shareholders, business partners, customers and business associates.
