We are living in unique times with companies of all sizes and industries shifting to a remote workforce to limit social interaction and help contain the COVID-19 outbreak. For many businesses, this has led executive leadership to put a spotlight on spending and explore ways to consolidate and cut back.
The resulting budget tightening has led some security teams to consider whether they can drop their cybersecurity detection technologies -- which in many cases carry personnel costs for handling the alerts they generate -- and rely on prevention solutions alone. Even before the pandemic, this was a fairly common question. However, CISOs and IT security managers need to assess the security posture as a whole, and detection plays a crucial and integral role in any effective cybersecurity framework. The most damaging cyberattacks have occurred in environments that couldn't detect malicious activity quickly enough to take action and mitigate it. And when it comes to cloud and hybrid IT environments, detection is often the only protection you have against attacks.
Prevention vs. detection
An interesting analogy for the limitations of a prevention-only approach is airport security. If a passenger going through airport security screening has a notable suspicious characteristic -- an oddly shaped backpack or a nervous demeanor -- it would be overkill to arrest that person. The TSA agent could lose their job or hurt the airport's reputation. What would be better for the business, and yield a more effective outcome, is to let the passenger through the checkpoint and watch for additional suspicious behaviors to decide whether that passenger is a real security threat. In this analogy, the TSA would deploy a combination of technologies (X-rays, metal detectors) and humans (TSA agents) to ascertain the nature of the threat before acting.
Prevention tools, conversely, are built to recognize and respond to a specific set of scenarios, which means -- by design -- they stop a passenger from boarding every time that passenger matches a well-known signal of malicious intent. Unfortunately, the narrow focus of prevention allows for both occasional false positives and false negatives. The passenger with that odd-shaped backpack might skate on through, while another seemingly normal-looking passenger is detained for further inspection. Both scenarios fail to accomplish the objective, and they can have very negative consequences for businesses.
You can't protect everything all the time
In an ideal world, detection would be unnecessary. Organizations could simply implement best-of-breed preventive measures such as firewalls, spam filters and antimalware, and none of the unauthorized access or malicious code would occur in the first place. Unfortunately, we don't live in that ideal world. In the real world, those preventive security measures do a reasonable job of blocking most threats and filtering out obvious low-hanging fruit, but there is no such thing as 100% protection.
New vulnerabilities are discovered on a regular basis. In 2019 alone, more than 12,000 common vulnerabilities and exposures (CVEs) were reported. That's nearly 33 new vulnerabilities per day on average. Combine that with security misconfigurations and human error, such as users clicking on links or surrendering login credentials to social engineering and phishing attacks, and you can see why it's virtually impossible to stop every attack.
The pitfall of prevention
Prevention plays a role in effective cybersecurity -- it just can't be the whole strategy. Focusing on endpoint protection, firewalls, network segmentation, web application security and other solutions designed to detect and block threats is a great start.
The question organizations are asking, though, is, "How much of my budget should be dedicated to prevention?" Most of it, right? There's no need to budget for detection or response if you can just prevent attacks.
There are three significant issues with betting too heavily on prevention. If it doesn't catch everything, attacks will slip through, and without an appropriate investment in detection capabilities you might not know about it until it's too late. If it swings too far in the other direction, the prevention tools may produce false positives and block legitimate access and activities, resulting in lost productivity. Something may look suspicious at first glance, but if you take immediate action to block it, you may disrupt crucial business functions and impact revenue.
You also have to consider the fact that the attackers are aware that prevention tools exist, and they assume that most organizations have these tools in place. Sophisticated attacks are designed every day to evade and circumvent those tools -- to fly under the radar and avoid being identified by prevention technologies.
As organizations migrate to the cloud and adopt SaaS applications, traditional prevention tools and technologies also become less effective. Cloud environments are more complex and dynamic, making it more challenging to effectively monitor and protect.
Detection is crucial
Attacks will inevitably get past your preventive measures. This is fairly evident right now: significant budget is applied to prevention, and yet attacker dwell time in environments remains high. One of the main reasons that attacks are able to inflict so much damage on victims is that the average dwell time -- the amount of time between an attacker infiltrating your network and you detecting the attack -- is often measured in months rather than weeks or days. The attacker has plenty of time to conduct reconnaissance on your network, seek out other vulnerable systems to infect and propagate to, and identify the most valuable or sensitive systems.
The key to effective cybersecurity is your ability to detect those attacks as quickly as possible. That is why detection is an essential part of cybersecurity frameworks and compliance mandates. Various regulations and guidelines such as NIST, HIPAA, GDPR and others include requirements for effective detection.
You also need to have the right detection procedures. Effective cybersecurity requires a combination of tools and human experts. Tools alone often result in too many false positives or false negatives. Organizations should use tools and automation to cast as wide a net as possible to detect suspicious and malicious activity, correlate what is caught, and then escalate only a fraction of the correlated suspicious activity as security incidents to human security professionals, who analyze the threat and prioritize the actions to address it.
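As an added illustration of the tiered procedure just described (wide-net alerting, correlation, escalation of a fraction to analysts) together with the dwell-time metric from the previous section, the following example is not from the original article or Alert Logic; the sensor names, the two-independent-sources escalation threshold and the sample alerts are constructed assumptions.

```python
"""Toy detection pipeline: many low-fidelity alerts -> correlation -> escalation + dwell time."""
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (not real telemetry). Each is a weak signal from one sensor,
# which is the "wide net" that automation casts; individually they are not incidents.
ALERTS = [
    {"ts": "2020-04-01T02:10:00", "host": "ws-17",  "source": "proxy", "signal": "beaconing"},
    {"ts": "2020-04-01T02:12:00", "host": "ws-17",  "source": "edr",   "signal": "lolbin_exec"},
    {"ts": "2020-04-03T09:30:00", "host": "ws-17",  "source": "auth",  "signal": "new_admin_logon"},
    {"ts": "2020-04-01T08:00:00", "host": "ws-22",  "source": "proxy", "signal": "beaconing"},
    {"ts": "2020-04-02T11:45:00", "host": "srv-db", "source": "auth",  "signal": "new_admin_logon"},
    {"ts": "2020-04-02T11:46:00", "host": "srv-db", "source": "auth",  "signal": "new_admin_logon"},
]

# Hypothetical escalation rule: a host is handed to a human analyst only when at least
# this many independent sensors corroborate activity on it.
ESCALATE_MIN_SOURCES = 2


def correlate(alerts):
    """Group raw alerts by host so related weak signals are seen together."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    return by_host


def escalate(by_host, min_sources=ESCALATE_MIN_SOURCES):
    """Return the fraction of correlated hosts that become incidents for analysts.

    A host with many alerts from a single sensor (e.g. repeated logon events) stays
    in the automated tier; corroboration across distinct sensors triggers escalation.
    """
    incidents = {}
    for host, alerts in by_host.items():
        sources = {a["source"] for a in alerts}
        if len(sources) >= min_sources:
            incidents[host] = sorted(sources)
    return incidents


def dwell_time_days(alerts, detected_at):
    """Dwell time: days from the earliest observed attacker activity to detection."""
    first = min(datetime.fromisoformat(a["ts"]) for a in alerts)
    return (datetime.fromisoformat(detected_at) - first).total_seconds() / 86400


def run_pipeline(alerts, detected_at):
    """Full flow: correlate, escalate, and attach dwell time to each escalated incident."""
    by_host = correlate(alerts)
    return {host: {"sources": srcs, "dwell_days": round(dwell_time_days(by_host[host], detected_at), 1)}
            for host, srcs in escalate(by_host).items()}
```

With the constructed data, only one of the three hosts is escalated; the others remain in the automated tier rather than consuming analyst time.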
The bottom line is simple: CISOs and IT security managers need to assess the compliance mandates that apply to their organizations and the cybersecurity frameworks that are part of their strategy, and determine the role that detection plays in effective cybersecurity. Dropping detection may seem like an easy way to cut costs, but prevention alone is not an effective defense; it exposes the organization to an increased risk of failing to detect an attack, resulting in greater damage.
About the author
Rohit Dhamankar is vice president of threat intelligence at Alert Logic. Dhamankar has over 15 years of security industry experience across product strategy, threat research, product management and development, technical sales and customer solutions. Prior to Alert Logic, Dhamankar served as vice president of product at Infocyte and founded consulting firm Durvaankur security consulting. He holds two Master of Science degrees, one in physics from the Indian Institute of Technology in Kanpur, India, and one in electrical and computer engineering from the University of Texas.