Gartner Blog Network

Security Thought for Thursday: Protection = Prevention + Detection

by Neil MacDonald  |  July 15, 2010  |  2 Comments

We are waaaaaay too focused on the prevention component and woefully inadequate on the detection component of this equation.

We overspend on increasingly ineffective prevention technologies — network and host based firewalls, intrusion prevention systems and antivirus technologies in a futile attempt to prevent all infections.

Zero infections is a fallacy. It is simply not possible, and getting harder.

We will be infected, we will be compromised. Targeted attacks will bypass our protection mechanisms.

Knowing this, do we give up on prevention? Of course not. But perhaps we need to revisit our budget priorities and allocations for 2011.

We absolutely must beef up our detection capabilities – activity monitoring, behavioral monitoring, configuration drift, file integrity monitoring and so on.

Ask yourself: “If I were compromised by a targeted attack for which no signature was available, how would I know?”

Complete protection requires investment in both prevention and detection. We have been too lopsided in our investments for too long.


Category: beyond-anti-virus  security-of-applications-and-data  

Tags: adaptive-security-infrastucture  defense-in-depth  information-security  next-generation-security-infrastructure  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Security Thought for Thursday: Protection = Prevention + Detection

  1. Mehul Doshi says:

    True, when I discuss IDS/IPS technologies with customers, among the four technologies the least implemented is
    “Network Behaviour Anomaly Detection” (NBAD), and customers are more obsessed with prevention rather than making monitoring significant to their IT infrastructure and its justification. Hopefully your blog gets them thinking in this direction.
    1) NIPS stands as most implemented base.
    2) HIPS stands as the second priority.
    3) WIPS on wireless depends on risk and customer maturity curve and
    4) NBAD is talked about but never taken seriously.

    Moreover, Cisco has been making NetFlow behavior logic work erratically with its own product, and open source code works better with existing routers and switches, just like other commercial tools. That could also be the reason customer acceptance is not towards NBAD. Do give your views.

  2. Neil MacDonald says:

    @Mehul –
    Excellent observation, and one that goes much deeper than it first appears. The question gets to one of mindset. The first three approaches, NIPS, HIPS and WIPS, use the well known and understood “based on knowledge of something that is bad, look for similarities” – like a specific attack, or an attack on a known vulnerability. We subscribe to outside providers to supply these threat feeds. NBAD and many other detection technologies do the inverse – by baselining normal behavior as “good”, we then infer badness by looking for differences. In most cases, we can’t subscribe to outside third parties for this. We need to build these ourselves. These technologies almost by definition will be plagued with a higher amount of false positives unless a significant amount of time is spent in tuning the boxes and additional context (identity, time of day, application flows, etc.) is used to reduce false positives. Many organizations aren’t ready for the effort required to do this right.

    For these reasons and others, traditional security teams haven’t widely embraced these approaches.

    On the positive side, some NIPS vendors (and some SIEM vendors) can process NetFlow data and look for deviations from the baseline – which is exactly where I believe this needs to go longer term. We shouldn’t have to have yet another network box to do this – at least for the processing of NetFlow data.
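An added illustration of the two mindsets described in the exchange above, run over NetFlow-style records (example code, not from the post or its comments). The hosts, addresses, byte counts and the threat-feed entry are constructed sample values; time of day is the extra context that removes the nightly-backup false positive.

```python
"""Signature matching vs. baseline-and-deviate (NBAD-style) detection over constructed flow records."""
from collections import defaultdict
from statistics import median

# Constructed history for one host: (src_host, dst_ip, hour_of_day, bytes_out).
# Business-hour flows are ~1 KB; a nightly backup at 02:00 moves ~50 KB.
BASELINE_FLOWS = [("ws1", "198.51.100.20", h, b) for h, b in zip(
    [9, 9, 10, 10, 11, 12, 13, 14, 14, 15, 16, 16],
    [900, 1000, 1100, 950, 1050, 1200, 1000, 980, 1020, 1100, 900, 1000])]
BASELINE_FLOWS += [("ws1", "198.51.100.7", 2, b) for b in (50000, 52000, 49000, 51000)]

# Constructed flows to evaluate: tonight's backup, a normal daytime flow, a daytime
# volume spike to an unseen address, and a normal-sized flow to a feed-listed address.
NEW_FLOWS = [("ws1", "198.51.100.7", 2, 50500),
             ("ws1", "198.51.100.20", 11, 1050),
             ("ws1", "192.0.2.44", 14, 38000),
             ("ws1", "203.0.113.9", 10, 1000)]
KNOWN_BAD = {"203.0.113.9"}  # hypothetical threat-feed entry (TEST-NET-3 address)

def window(hour, use_context):
    """Time-of-day context: separate baselines for business hours and off hours."""
    if not use_context:
        return "all"
    return "business" if 8 <= hour < 18 else "offhours"

def build_baseline(flows, use_context=True):
    """Per (host, window): median and MAD of bytes_out; MAD floored at 5% of the median."""
    buckets = defaultdict(list)
    for host, _, hour, nbytes in flows:
        buckets[(host, window(hour, use_context))].append(nbytes)
    baseline = {}
    for key, vals in buckets.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        baseline[key] = (med, max(mad, 0.05 * med, 1.0))
    return baseline

def signature_alerts(flows, feed):
    """'Known bad, look for similarities': destination appears in an outside feed."""
    return [f for f in flows if f[1] in feed]

def anomaly_alerts(flows, baseline, use_context=True, threshold=5.0):
    """'Baseline normal, look for differences': deviation above threshold MAD units."""
    alerts = []
    for host, dst, hour, nbytes in flows:
        # A host/window with no history cannot be scored, so it is not flagged.
        med, mad = baseline.get((host, window(hour, use_context)), (nbytes, 1.0))
        if abs(nbytes - med) / mad > threshold:
            alerts.append((host, dst, hour, nbytes))
    return alerts
```

Run with `use_context=False` the backup is flagged alongside the real spike; with time-of-day context only the spike remains, while the feed-listed destination is caught solely by the signature check, which is why the post argues for both.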
