There is a saying that there are two types of fool when it comes to new things. There is one type of fool that believes that everything old is best, and the other type of fool that believes everything new is better.
We tend to have both types of fool in our cyber security community – the old guard that believes that nothing is new at all, and mobile, IoT and cloud security problems can easily be solved using traditional methods and approaches that were designed in a time when computers and networks were far simpler- or the emerging technology people who claim everything that went before them is dead and has failed and only their approach can help remedy all of your security woes.
We have the holdouts who have invested so much in their outdated security knowhow and architecture that they cannot bring themselves to part with them, and the people who are always looking for a magical fix that will help them avoid having to follow best practices (also known as Shiny New Box Syndrome (SNBS)).
Of course reality is rarely so black and white. It has nuances, shades of gray and is oftentimes ambiguous – prompting the “It depends” attitude that good security professionals espouse but frustrates business decision makers and salespeople.
A good example of this is the discussion around Detect & Response, which has generated a number of different misunderstandings and false expectations ( see Gartner’s “Shift Cybersecurity Investment to Detection and Response” for details around this).
The general idea behind this is that preventative security approaches and technologies, such as Vulnerability Management or Intrusion Prevention Systems, by themselves are not sufficient to mitigate many modern and current threats, and so these need to be augmented by improved incident and threat detection and response capabilities.
Some have interpreted this as stating “Don’t waste your money on prevention” – which of course doesn’t really reflect the thinking behind this approach. Some critics also point to the fact that old vulnerabilities still account for the majority of exploit traffic, 85% according to Verizon’s 2016 DataBreach Report 1. This is not nescessarily untrue – but of course this also misinterprets the root causes, impact, disregards the distribution of exploitation, and looks at one metric in isolation.
Attackers focus on these because they are low hanging fruit – they get a lot of success with little effort – they are opportunistic when they can be.
But their chest of tricks doesn’t end there. As a counterpoint, 63% of actually confirmed data breaches involved leveraging weak/default/stolen passwords 2. You can do something about weak and default passwords – enforcing minimum complexity standards or executing Policy Configuration Assessments for example, all of which would fall under preventative measures. But these same approaches will fail when it comes to stolen passwords – which makes them appear like legitimate users who can bypass access controls with the correct permissions. Monitoring of access and user activity in this case would provide a better control. You can be sure that if the attacker is not successful with the low hanging fruit, they will try and try again with more sophisticated methods until they succeed.
Attackers methods reflect the security maturity of their target. If you are great at prevention, that’s when the Social Engineering or 0days come out. All you are doing is increasing the sophistication of the threat – and if you don’t Detect and Respond, you will effectively be blind, having relied solely on prevention, and lured into a false sense of security.
Prevention and preventative technologies are still the foundation of a good security program – and are included in Gartner’s Adaptive Security Architecture – they will make it harder for an attacker to escalate privileges and execute lateral transfer, forcing them to generate noise that allows a Detect and Response approach. We prevent what we can – we detect and respond to what remains.
This combines the old with the new – neither of them best or better – only in combination are they truly effective.
Gartner 2016, Gartner subscription required
“Shift Cybersecurity Investment to Detection and Response“, Ayal Tirosh & Paul E. Proctor
“Designing an Adaptive Security Architecture for Protection From Advanced Attacks” Neil MacDonald & Peter Firstbrook
“The Five Characteristics of an Intelligence-Driven Security Operations Center” Oliver Rochford & Neil MacDonald
“Market Guide for Managed Detection and Response Services” Toby Bussa & Craig Lawson & Kelly M. Kavanagh
Read Complimentary Relevant Research
Top Strategic Predictions for 2019 and Beyond: Practicality Exists Within Instability
Technology-based change is happening continuously, and most organizations struggle to see the change in advance. Continuous change can...
View Relevant Webinars
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.