Prevention Vs Detection - Getting the Infosec Balance Right

It’s a very easy trap to fall into: you’ve been looking at the technical risks and controls for your next IT project; you’ve implemented Web Application Firewalls, have the latest Intrusion Prevention System, created a rigid patching policy, had your code audited, and your 12 trillion bit digital certificate is on order. Then, just as you tick the final control on your list, you realise that every one of your security controls is preventative: each one is there to stop an attack, and none of them will tell you when one gets through.

But if the last twenty years of Internet security fire-fighting have taught us anything, it’s that preventative strategies alone cannot win the infosec arms race. Perfect prevention simply doesn’t exist. To be truly effective, we need to couple our preventative controls with the ability to detect attacks, successful or otherwise. Detection gives us the vital heads-up that something is amiss, whether that is a strange SQL statement in a database audit log or a sudden spike in failed login attempts.

Ask yourself some simple questions:

1. Do you centralise your system logs? Can you mine your logs to obtain useful information in a reasonable amount of time?

2. Do your web applications provide adequate auditing of malicious activity?

3. Do your databases have useful and adequate auditing configured?

4. If 15 GB of data was exfiltrated across your corporate WAN, would you know?
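The questions above are easier to answer once the logs are in one place and something is actually looking at them. As an added illustration (not code from the original article), here is a small Python detection pass over centralised logs: a per-source sliding window that fires on a burst of failed logins while ignoring a slow trickle from a legitimate user, and a per-host egress total checked against the 15 GB figure from question 4. The log lines are constructed, and the line formats, field names and thresholds are assumptions rather than any real product’s schema.

```python
"""Toy detection pass over centralised logs.

Added example, not from the original article. The log lines below are
constructed for illustration; the formats, thresholds and field names are
assumptions, not any real product's schema.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth lines (timestamps, users and IPs are made up).
AUTH_LOG = """\
2024-03-01T10:00:01 sshd[811]: Failed password for admin from 203.0.113.7 port 51122 ssh2
2024-03-01T10:00:03 sshd[811]: Failed password for root from 203.0.113.7 port 51130 ssh2
2024-03-01T10:00:04 sshd[811]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
2024-03-01T10:00:06 sshd[811]: Failed password for admin from 203.0.113.7 port 51141 ssh2
2024-03-01T10:00:09 sshd[811]: Failed password for oracle from 203.0.113.7 port 51150 ssh2
2024-03-01T10:00:12 sshd[811]: Failed password for admin from 203.0.113.7 port 51162 ssh2
2024-03-01T10:05:00 sshd[811]: Failed password for bob from 198.51.100.20 port 40002 ssh2
2024-03-01T10:12:00 sshd[811]: Failed password for bob from 198.51.100.20 port 40003 ssh2
"""

# Constructed per-connection flow summaries: timestamp, internal host,
# external peer and bytes sent outbound. The key=value layout is assumed.
FLOW_LOG = """\
2024-03-01T10:00:00 src=10.0.0.5 dst=192.0.2.10 bytes_out=52000000
2024-03-01T10:20:00 src=10.0.0.5 dst=192.0.2.10 bytes_out=61000000
2024-03-01T10:40:00 src=10.0.0.5 dst=192.0.2.10 bytes_out=44000000
2024-03-01T10:00:00 src=10.0.0.9 dst=192.0.2.77 bytes_out=8000000000
2024-03-01T10:30:00 src=10.0.0.9 dst=192.0.2.77 bytes_out=9000000000
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+)"
)
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def failed_login_bursts(log, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: peak_count} for sources that reach `threshold`
    failed logins inside any `window`-sized span.

    The window slides per source IP, so two failures ten minutes apart
    (a user mistyping a password) never fire, while five in eleven seconds do.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    peaks = {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # successful logins and other lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that have aged out of the window
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks


def exfil_candidates(log, limit_bytes=15 * 1024**3):
    """Return {internal_host: total_bytes_out} for hosts whose summed egress
    exceeds `limit_bytes` (default: the article's 15 GB, taken as GiB)."""
    totals = defaultdict(int)
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if m:
            totals[m["src"]] += int(m["bytes"])
    return {host: n for host, n in totals.items() if n > limit_bytes}


if __name__ == "__main__":
    for ip, n in failed_login_bursts(AUTH_LOG).items():
        print(f"ALERT brute force: {ip} peaked at {n} failures inside one minute")
    for host, n in exfil_candidates(FLOW_LOG).items():
        print(f"ALERT egress volume: {host} sent {n / 1024**3:.1f} GiB")
```

Both detections are deliberately simple: the point is not the rules themselves but that they can only run at all if the auth and flow logs are centralised and parseable. Tune the window and threshold to your own baseline, and expect to raise the egress limit per host class (a backup server legitimately moves far more than a desktop).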

We still live in a world where we concentrate solely on preventing successful attacks, which means that all too often it is the customer who first realises a data theft has occurred, often weeks or months after the data was stolen. By combining prevention and detection efforts, we can maximise the effectiveness of our limited security resources, and that has to be a good thing.