
Security Thought for Thursday: Protection = Prevention + Detection

by Neil MacDonald  |  July 15, 2010  |  2 Comments

We are waaaaaay too focused on the prevention component and woefully inadequate on the detection component of this equation.

We overspend on increasingly ineffective prevention technologies — network- and host-based firewalls, intrusion prevention systems and antivirus technologies — in a futile attempt to prevent all infections.

Zero infections is a fallacy. It is simply not possible, and getting harder.

We will be infected, we will be compromised. Targeted attacks will bypass our protection mechanisms.

Knowing this, do we give up on prevention? Of course not. But perhaps we need to revisit our budget priorities and allocations for 2011.

We absolutely must beef up our detection capabilities – activity monitoring, behavioral monitoring, configuration drift, file integrity monitoring and so on.

Ask yourself: “If I was compromised with a targeted attack where no signature was available, how would I know?”.

Complete protection requires investment in both prevention and detection. We have been too lopsided in our investments for too long.


Categories: Beyond Anti-Virus, Information Security

2 responses so far ↓

  • 1 Mehul Doshi   July 19, 2010 at 7:46 am

    True, when I discuss IDS/IPS technologies with customers, among the four technologies the least implemented is
    “Network Behaviour Anomaly Detection” (NBAD), and customers are more obsessed with prevention rather than making monitoring significant to their IT infrastructure and its justification. Hopefully your blog gets them thinking in this direction.
    1) NIPS stands as most implemented base.
    2) HIPS stands as the second priority.
    3) WIPS on wireless depends on risk and customer maturity curve and
    4) NBAD is talked about but never taken seriously.

    Moreover, Cisco has been making NetFlow behavior logic work erratically with its own product, and open source code works better with existing routers and switches, just like other commercial tools. That could also be the reason customer acceptance is not towards NBAD. Do give your views.

  • 2 Neil MacDonald   July 19, 2010 at 9:19 am

    @Mehul –
    Excellent observation and one that goes much deeper than it first appears. The question gets to one of mindset. The first three approaches, NIPS, HIPS and WIPS, use the well known and understood “based on knowledge of something that is bad, look for similarities” – like a specific attack, or an attack on a known vulnerability. We subscribe to outside providers to supply these threat feeds. NBAD and many other detection technologies do the inverse – by baselining normal behavior as “good”, we then infer badness by looking for differences. In most cases, we can’t subscribe to outside third parties for this. We need to build these ourselves. These technologies almost by definition will be plagued with a higher amount of false positives unless a significant amount of time is spent in tuning the boxes and additional context (identity, time of day, application flows, etc.) is used to reduce false positives. Many organizations aren’t ready for the effort required to do this right.

    For these reasons and others, traditional security teams haven’t widely embraced these approaches.

    On the positive side, some NIPS vendors (and some SIEM vendors) can process NetFlow data and look for deviations from the baseline – which is exactly where I believe this needs to go longer term. We shouldn’t have to have yet another network box to do this – at least the processing of NetFlow data.
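As an added illustration of the baseline-versus-signature distinction drawn in the reply above (example code written for this page, not Gartner's and not any vendor's): a small Python detector that baselines bytes-out per host from constructed NetFlow-style records and flags deviations. The host name, hours and byte counts are all made up; the point is that the same per-host baseline flags a routine nightly backup and misses a daytime spike until time-of-day context is folded into the baseline.

```python
"""Baseline-driven (NBAD-style) detection over constructed NetFlow-like records.

Hypothetical example: a per-host baseline of bytes sent per flow is learned,
then new flows are scored by z-score against it. Toggling time-of-day context
changes which flows are flagged.
"""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Flow = namedtuple("Flow", "host hour bytes_out")  # hour is 0-23 local time


def time_bucket(hour):
    """Coarse time-of-day context: 'offhours' for 20:00-05:59, else 'business'."""
    return "offhours" if hour < 6 or hour >= 20 else "business"


def baseline_key(flow, use_time_context):
    """Group flows per host, optionally split by time-of-day bucket."""
    return (flow.host, time_bucket(flow.hour)) if use_time_context else (flow.host,)


def build_baseline(flows, use_time_context):
    """Return {key: (mean, population stdev)} of bytes_out over the learning period."""
    groups = defaultdict(list)
    for f in flows:
        groups[baseline_key(f, use_time_context)].append(f.bytes_out)
    return {k: (mean(v), pstdev(v)) for k, v in groups.items()}


def zscore(flow, baseline, use_time_context):
    """Deviation from the flow's own baseline; no baseline or zero variance is treated as anomalous."""
    entry = baseline.get(baseline_key(flow, use_time_context))
    if entry is None:
        return float("inf")
    mu, sigma = entry
    if sigma == 0:
        return 0.0 if flow.bytes_out == mu else float("inf")
    return (flow.bytes_out - mu) / sigma


def detect(flows, baseline, use_time_context, threshold=3.0):
    """Flows whose |z| exceeds the threshold relative to their baseline."""
    return [f for f in flows if abs(zscore(f, baseline, use_time_context)) > threshold]


# Constructed learning data: 30 business-hour flows near 1 KB and 2 nightly backups near 50 KB.
LEARNING = ([Flow("srv-db", 9 + i % 8, 900 if i % 2 else 1100) for i in range(30)]
            + [Flow("srv-db", 2, 48000), Flow("srv-db", 2, 52000)])
# Constructed flows to score: a routine backup, a normal daytime flow, a 20x daytime spike.
CANDIDATES = [Flow("srv-db", 2, 54000), Flow("srv-db", 11, 1050), Flow("srv-db", 14, 20000)]


def run(use_time_context):
    return detect(CANDIDATES, build_baseline(LEARNING, use_time_context), use_time_context)
```

Without context the mixed baseline flags the 02:00 backup (a false positive) and lets the daytime 20 KB flow through; with the time bucket only the daytime spike is flagged.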