This is a post to finally put this idiocy to rest: “If you can DETECT, why can’t you PREVENT!?”
Here are my top 5 reasons why DETECTION excellence does NOT automatically mean you can have PREVENTION:
- Uncertainty – prevention [blocking] is black and white (switch open / closed), and requires 100.0% dead certainty of a decision to block. Detection is much more “shades of gray”, inherently and by design.
- Timing – some threats (like all sorts of stealthy malware) can only be detected once you have been collecting data for days; how do you prevent based on day-old data? Detection a day late is still useful, but it does not translate to prevention.
- Vague signals – you can give a vague signal to a human analyst and he will use it to uncover a threat, but you can’t drop a vague signal down to that UTM appliance. Vague signals are exactly how some of the notable threats of the past have been detected, all the way back to 1986.
- False positives – some detection methods have very high “false positive” rates (for all sorts of good reasons) yet are very useful for threat detection, especially of those threats that are hard or impossible to detect otherwise. Will you accept a 10% FP rate in your blocking tool? No, I guess not. Me neither. Will I accept a 90% FP rate GIVEN (and that matters!) a small number of alerts, if I can catch unique threats? Yes, I will, and so should you.
- Detecting from exploration – current interest in threat hunting (and deception) reminds us that there are threat detection / threat discovery approaches that rely on data exploration and interactive analysis by a human analyst and (in some cases of deception) even on interaction with an attacker. Can these be “extrapolated” to prevention? Not really.
So, PREVENTION – DETECTION – RESPONSE lives on!
Finally, let me address a related idiocy: “prevention is better than cure – so we will only buy preventative tools, NOT detection or response.” So, OF COURSE “prevention is better than cure” – just like “teleportation is better than driving.” How do you get around? Ah, you drive… hmm… why, if you agree that teleporting would be better?! Exactly – we do NOT know how to PREVENT ALL THREATS. In fact, we KNOW that it is NOT POSSIBLE…
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
The misunderstanding I’ve observed is misusing the trend to instead avoid blocking because detection is in place. They’re burning up their help desk, logs and SOC with stuff that should have been blocked.
Oh, very much so. Why report to a human what a machine can block nicely is very much an issue too, of course.
Anton, a timely call for mind shift keeping with the evolving threat landscape. You strike at the very heart of the issue, as even Identity Bytes highlights in its comments, that excellence in prevention is the key on top of excellence in detection and response. I do not mean to promote any vendor here but feel it befitting your call that Check Point has already leapfrogged to unleash its key strategy with its underpinnings as: “if you can block then block” alongside “detect and respond” for a complete, comprehensive solution.
Love your genius, Man:-)!
Thanks for the comment…
Anton,
I’d go even further and say “prevention is over”.
If someone’s out to get you, he’ll eventually succeed, as attackers have to succeed once while defenders have to succeed 100%.
Thus I am a strong believer in detection.
Most clients I witnessed are wasting human time by letting people do what machines can do easily and efficiently.
Human brainpower is unfortunately scarce and we must use it only wisely, i.e. detection by exploration is just a means to an end (automation) and the solution.
forgot the *NOT* (leaked brainpower)
Human brainpower is unfortunately scarce and we must use it only wisely, i.e. detection by exploration is just a means to an end (automation) and *NOT* the solution.
While I love D&R with passion, PREVENTION IS OVER is a stupid message. Stupid — there I said it.
If you can prevent, you should prevent. Otherwise, your analysts will be overwhelmed.
>Most clients I witnessed are wasting human time by letting people do what machines can do easily and efficiently.
Eh… you counter your argument here: MACHINE PREVENT well [within limits] but HUMAN DETECT better [as long as you shield them from noise by using prevention controls]
Unfortunately we will have to disagree on this one.
Having doors and windows does not stop professional thieves but only casual intruders – if you call doors and windows “prevention”, then I agree it’s not over, but I do not. Firewalls, AV, IPS are doors and windows IMAHO.
Also, almost anything a human can detect, a machine can learn to do better, so again we disagree, and here is an example:
One of our best practices in SIEM detection improvement was bringing in the best hackers and attacking the client’s most important asset. We would try and detect the hacker’s actions in our SIEM tool and build a detection scenario for that hack. Once it was built, the machine could get it every time, and the SOC operators couldn’t have a clue without the machine’s pre-built scenario. So here is an example of moving human brain power to a machine once and saving a manual exploration process that can miss 50% of the time.
BTW,
“prevention is over” – does not mean we should stop trying or dump our firewalls, just that we are going to fail if someone really wants to get us, and so detection has to improve.
Oh, I agree with all that, nothing to argue about here 🙂 We should move as much of human intel to systems, and eventually build systems that are smarter than humans in both detection and prevention.
So, yes, I was a bit harsh in saying ‘humans- better for detection, machines for blocking’ 🙁
What I don’t understand is the ability of most to think that you must choose one or the other, “detection” or “prevention”. In most solutions that I know of it is “Prevention with detection”, meaning that if it doesn’t prevent the attack, it will still detect a piece of it. There are many IPS, that still cannot prevent some pieces of the attack. Whether it be a performance cost to do the prevention, or whatever else. “Prevention” doesn’t mean, the absence of DETECTION.
Ben, thanks a lot for the comment. Indeed, NIPS in NIDS mode, or even detecting a threat using firewall logs, are all examples of prevention/detection nicely blended. Still, we hear from sadly too many people who just want to try and prevent all threats. This post is a reminder that detection [even if using “preventative controls”] would be useful.
Anton, I agree with your original premise, and let me state it the way I talk to others: Prevent as much as you can — using the best techniques possible — but accept the fact that NOTHING is 100% effective in our modern world of targeted attacks. EVERY prevention model should be backed up by the best detection-and-response you can implement. Neither prevention nor detection-and-response by itself is sufficient. Said another way: Prevent as much as you can, detect and respond to the rest.
Let’s not paint this with a broad brush, I appreciate the provocative approach…but!
Detection is information.
Prevention is action.
I would not prevent anything on a critical segment without reliable information.
I personally see tremendous value in using deception to gain information (detection) and offset attack cycles on production assets from the threat actor!
Thanks — this is actually a great comment. Prevention = action, detection = information. So treat and judge them separately. Love it!
When you do not have 100% assurance that something happened, you cannot prevent.
The real issue starts when you have a budget and you need to decide if you buy a product that prevents 50%, or one that detects 80%, or one that prevents 40% and detects 60% (IDP?), or you bought everything but do not have the staff to operate it or respond efficiently.
Thanks for a super-insightful comment. Indeed – this IS a domain of very painful decision. Cost + effectiveness + required manpower (IMHO) are 3 dimensions.
So, expensive + prevents some + NO analysts needed to run it ends up being bought a lot 🙁
Interesting thread… Anton, you seem to have a knack for getting the debate flowing!
Interesting points (Eric) – “accept the fact that NOTHING is 100% effective in our modern world of targeted attacks. EVERY prevention model should be backed up by the best detection-and-response you can implement.”
Nothing is perfect (they miss stolen credentials and phishing attacks, amongst others), and even if it does catch the attacker, you have to question at what time and resource expense. We see more and more companies that have accepted the security approach of an “assumed compromised” posture. Prevention is critical, but is also now complemented with real-time detection technology (deception).
Well put KnowSecurity, “Detection is information. Prevention is action.”.
Deception technology is the “motion sensor” to provide visibility to when things have bypassed prevention systems. Where it gets really interesting, is in the forensic attack data and in the platform’s ability to not only detect the attack, but to also provide the substantiated alert to immediately quarantine the infected end-point. Attivo Networks (not sure about others) also provides the integrations with major SIEM, Firewall, and other prevention systems, which automates the quarantining and signature updates of prevention systems.
Eric said it well…. Prevent as much as you can, detect and respond to the rest. With my added 2 cents… integrate and automate together for the best security posture and protection available.
Carolyn, regarding:
“Deception technology is the “motion sensor” to provide visibility to when things have bypassed prevention systems. ”
IMHO, “Deception” is just one more information source for detection and, like in the real world, sometimes innocent people walk into traps. The new thing about “deception” vs. what we’ve done so far is the packaging, and don’t get me wrong, packaging sometimes = usability = success.