This is a post to finally put this idiocy to rest: “If you can DETECT, why can’t you PREVENT!?”
Here are my top 5 reasons why DETECTION excellence does NOT automatically mean you can have PREVENTION:
- Uncertainty – prevention [blocking] is black and white (a switch is either open or closed), so every block demands 100.0% dead certainty that the thing being blocked is bad; a wrong block breaks something legitimate. Detection is much more "shades of gray", inherently and by design: a score, a rank, a lead for someone to follow up.
- Timing – some threats (all sorts of stealthy malware, for example) only become detectable once you have been collecting data for days and the pattern finally shows up in it. How do you prevent based on day-old data? You can't, the action you wanted to stop already happened. Detection a day late is still useful (for scoping and response), but it does not translate to prevention.
- Vague signals – you can hand a vague signal to a human analyst and they will use it to uncover a threat, but you can't push a vague signal down to that UTM appliance. Vague signals are exactly how some of the notable threats of the past have been detected, all the way back to 1986 (the 75-cent accounting discrepancy that started The Cuckoo's Egg investigation).
- False positives – some detection methods have very high "false positive" rates (for all sorts of good reasons) yet are very useful for threat detection, especially for those threats that are hard or impossible to detect otherwise. Will you accept a 10% FP rate in your blocking tool? No, I guess not. Me neither. Will I accept a 90% FP rate GIVEN (and that matters!) a small number of alerts, if it lets me catch unique threats? Yes, I will, and so should you. The rate alone is meaningless; rate times volume is what an analyst pays for an alert and what the business pays for a block.
- Detecting from exploration – the current interest in threat hunting (and deception) reminds us that there are threat detection / threat discovery approaches that rely on data exploration and interactive analysis by a human analyst and, in some cases of deception, even on interaction with an attacker. Can these be "extrapolated" to prevention? Not really: there is no rule to extract and push into a box until the human has finished exploring.
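To make the "rate times volume" arithmetic behind the uncertainty and false-positive points concrete, here is a small added example (mine, not from the original post) that takes one signal and asks two different questions of it: is it fit to BLOCK, and is it fit to ALERT? The event volumes, base rates, true/false positive rates, the false-block budget and the analyst alert budget are all constructed assumptions, chosen to mirror the 10% and 90% figures above; the signal names are hypothetical.

```python
"""Added example: why a 10% FP rate kills a blocking rule while a 90% FP
alert stream can be perfectly fine.  Every number below is a constructed
assumption, not data from the post."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    name: str
    tpr: float  # P(signal fires | event is malicious)
    fpr: float  # P(signal fires | event is benign)


@dataclass(frozen=True)
class Outcome:
    true_fires: float   # malicious events the signal fires on, per day
    false_fires: float  # benign events the signal fires on, per day

    @property
    def fires(self) -> float:
        return self.true_fires + self.false_fires

    @property
    def false_share(self) -> float:
        """Fraction of firings that are false: the 'FP rate' an analyst feels."""
        return self.false_fires / self.fires if self.fires else 0.0


def evaluate(sig: Signal, events_per_day: float, base_rate: float) -> Outcome:
    """Expected daily firings of `sig` over a stream with the given base rate."""
    malicious = events_per_day * base_rate
    benign = events_per_day - malicious
    return Outcome(true_fires=sig.tpr * malicious, false_fires=sig.fpr * benign)


def fit_for_blocking(out: Outcome, max_false_blocks_per_day: float) -> bool:
    """A blocking control is judged by how much legitimate activity it breaks."""
    return out.false_fires <= max_false_blocks_per_day


def fit_for_alerting(out: Outcome, analyst_alerts_per_day: float) -> bool:
    """An alert source is judged by whether a human can work the queue
    and still find something real in it."""
    return out.true_fires > 0 and out.fires <= analyst_alerts_per_day


# Constructed scenario 1: an inline rule on a busy web front end.
IPS_SIGNAL = Signal("inline WAF/IPS rule (hypothetical)", tpr=0.99, fpr=0.10)
IPS_OUTCOME = evaluate(IPS_SIGNAL, events_per_day=1_000_000, base_rate=1e-4)

# Constructed scenario 2: a hunting heuristic scored once per day for each
# (host, destination) pair, e.g. a beaconing-regularity score.
HUNT_SIGNAL = Signal("daily beaconing heuristic (hypothetical)", tpr=0.90, fpr=0.0018)
HUNT_OUTCOME = evaluate(HUNT_SIGNAL, events_per_day=5_000, base_rate=1 / 5_000)

FALSE_BLOCK_BUDGET = 5.0     # assumed: legitimate things we tolerate breaking per day
ANALYST_ALERT_BUDGET = 20.0  # assumed: alerts one analyst can triage per day


def summary() -> dict:
    """Both signals, scored against both uses."""
    return {
        "ips_false_blocks_per_day": IPS_OUTCOME.false_fires,   # ~99,990
        "ips_false_share": IPS_OUTCOME.false_share,            # ~0.999
        "ips_ok_to_block": fit_for_blocking(IPS_OUTCOME, FALSE_BLOCK_BUDGET),
        "hunt_alerts_per_day": HUNT_OUTCOME.fires,             # ~9.9
        "hunt_false_share": HUNT_OUTCOME.false_share,          # ~0.91
        "hunt_ok_to_alert": fit_for_alerting(HUNT_OUTCOME, ANALYST_ALERT_BUDGET),
        "hunt_ok_to_block": fit_for_blocking(HUNT_OUTCOME, FALSE_BLOCK_BUDGET),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        shown = f"{value:.4g}" if isinstance(value, float) else str(value)
        print(f"{key:28} {shown}")
```

The inline rule fires on about 100 real attacks and roughly 100,000 legitimate requests a day, so as a block it is unusable even though its "10% FP rate" sounds modest. The hunting heuristic produces about ten alerts a day of which nine are noise (a ~91% false share), yet it surfaces the one real beacon for a few analyst-hours, so it is a good alert source. Note that the very same heuristic also fails the blocking test: nine legitimate host/destination pairs cut off every day is not something anyone would sign off on.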
So, PREVENTION – DETECTION – RESPONSE lives on!
Finally, let me address a related idiocy: "prevention is better than cure – so we will only buy preventative tools, NOT detection or response." So, OF COURSE "prevention is better than cure" – just like "teleportation is better than driving." How do you get around? Ah, you drive… hmm… why, if you agree that teleporting would be better?! Exactly – we do NOT know how to PREVENT ALL THREATS. In fact, we KNOW that it is NOT POSSIBLE.