This is a post to finally put this idiocy to rest: “If you can DETECT, why can’t you PREVENT!?”
Here are my top 5 reasons why DETECTION excellence does NOT automatically mean you can have PREVENTION:
- Uncertainty – prevention [blocking] is black and white (switch open / closed), and requires 100.0% dead certainty of a decision to block. Detection is much more “shades of gray”, inherently and by design.
- Timing – some threats (like all sorts of stealthy malware) can be detected only once you have been collecting data for days; how do you prevent based on day-old data? Detection a day late is still useful, but it does not translate to prevention.
- Vague signals – you can give a vague signal to a human analyst and he will use it to uncover a threat, but you can’t drop a vague signal down to that UTM appliance. Vague signals are exactly how some of the notable threats of the past have been detected, all the way down to 1986.
- False positives – some detection methods have very high “false positives” (for all sorts of good reasons) yet are very useful for threat detection, especially of those threats that are hard/impossible to detect otherwise. Will you accept a 10% FP rate in your blocking tool? No, I guess not. Me neither. Will I accept a 90% FP rate GIVEN (and that matters!) a small number of alerts if I can catch unique threats? Yes, I will, and so should you.
- Detecting from exploration – current interest in threat hunting (and deception) reminds us that there are threat detection / threat discovery approaches that rely on data exploration and interactive analysis by a human analyst and (in some cases of deception) even on interaction with an attacker. Can these be “extrapolated” to prevention? Not really.
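To make the “uncertainty” and “false positives” points concrete, here is an added worked example (not from the original post, and not modelling any particular product). One scoring detector is run over a constructed day of events with hypothetical labels; a blocking policy is only allowed a threshold that blocks nothing benign, while a detection policy tolerates false positives as long as the alert volume stays within what analysts can work. The same detector catches one in six threats under the blocking rule and five in six under the detection rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    score: float      # detector confidence that the event is malicious, 0..1
    malicious: bool   # ground truth; known only because this sample is constructed


# One day of scored events. Constructed for this example; scores and labels
# are hypothetical and are not measurements of any real tool.
SAMPLE_DAY = [
    Event(0.95, True), Event(0.90, True), Event(0.85, True),
    Event(0.70, True), Event(0.60, True), Event(0.40, True),
    Event(0.92, False), Event(0.65, False), Event(0.55, False),
    Event(0.30, False), Event(0.20, False), Event(0.10, False),
    Event(0.05, False), Event(0.02, False),
]


def evaluate(events, threshold):
    """Outcome of acting on every event whose score is at or above threshold."""
    flagged = [e for e in events if e.score >= threshold]
    tp = sum(e.malicious for e in flagged)
    fp = len(flagged) - tp
    total_malicious = sum(e.malicious for e in events)
    return {
        "threshold": threshold,
        "alerts": len(flagged),
        "tp": tp,
        "fp": fp,
        "precision": tp / len(flagged) if flagged else 1.0,
        "recall": tp / total_malicious if total_malicious else 1.0,
    }


def blocking_threshold(events):
    """Lowest threshold that blocks nothing benign in the sample.

    A blocking control is binary, so this policy demands zero false
    positives. False positives only fall as the threshold rises, so the first
    FP-free candidate in ascending order is the lowest one. None means no
    threshold in the sample is safe to block at.
    """
    for t in sorted({e.score for e in events}):
        if evaluate(events, t)["fp"] == 0:
            return t
    return None


def detection_threshold(events, max_alerts):
    """Lowest threshold whose alert volume an analyst team can actually work.

    False positives are tolerated; the binding constraint is alerts per day.
    """
    for t in sorted({e.score for e in events}):
        if evaluate(events, t)["alerts"] <= max_alerts:
            return t
    return None


def compare(events, max_alerts):
    """Same detector, two policies: (blocking outcome, detection outcome)."""
    bt = blocking_threshold(events)
    dt = detection_threshold(events, max_alerts)
    return (evaluate(events, bt) if bt is not None else None,
            evaluate(events, dt) if dt is not None else None)


if __name__ == "__main__":
    block, detect = compare(SAMPLE_DAY, max_alerts=8)
    for name, r in (("block", block), ("detect", detect)):
        print(f"{name:6s} t>={r['threshold']:.2f} alerts={r['alerts']:2d} "
              f"fp={r['fp']} precision={r['precision']:.2f} "
              f"recall={r['recall']:.2f}")
```

The `max_alerts` parameter is the “GIVEN a small number of alerts” condition: it is the analyst capacity, not the false-positive rate, that bounds the detection policy. Swapping in a sample where the single highest-scoring event is benign makes `blocking_threshold` return `None`, which is the honest answer for a blocking tool that would otherwise need a threshold it cannot justify.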
So, PREVENTION – DETECTION – RESPONSE lives on!
Finally, let me address a related idiocy: “prevention is better than cure – so we will only buy preventative tools, NOT detection or response.” So, OF COURSE “prevention is better than cure” – just like “teleportation is better than driving.” How do you get around? Ah, you drive…hmm … why, if you agree that teleporting would be better?! Exactly – we do NOT know how to PREVENT ALL THREATS. In fact, we KNOW that it is NOT POSSIBLE…..
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.