Prevention has long been a favored method to stopping cybercriminals from harming organizations. For example, when the U.S. government started reviewing how it can enhance its cyber security stance, at least one industry expert espoused taking innovative measures that boost prevention.
But as effective as prevention may be – it is no longer enough. As cyberthreats rapidly proliferate and become more complex, the old ways of doing cybersecurity will no longer suffice. While a prevention layer is still essential in stopping most commoditized threats, organizations can no longer rely on a prevention layer alone - a determined attacker will find a way to breach even the most secure system.
The two approaches are complementary, not mutually exclusive. While prevention is still essential in stopping most of commoditized threats, detection and response technology is searching for the threats that have already snuck past your defenses and then formulating an appropriate response.
Detection Beyond the Perimeter
As companies venture into new business models and ways to reach their customers, they can’t ignore the importance of implementing detection technology to respond to the many threats that originate beyond the perimeter: in social media and digital channels.
Prevention technology works well but fails to address what happens beyond the perimeter of your defenses – where most cyberattacks originate. It also fails to detect the threats that have successfully penetrated your defenses and are moving laterally through your networks.
Organizations sometimes don’t realize they have been breached until months after the fact, when it is already too late and the damage has been done.
The Dark Web fuels even more sophisticated threats and attacks. With easily accessible and inexpensive tools at their disposal, attackers no longer need advanced technical knowhow to be a threat. New exploits are being continuously developed and sold to anyone who has enough bitcoin to pay. For example, the recent WannaCry’s vulnerability has been known for over two month, following the Shadow Bokers announcement of it. Yet, so many organizations across the world fell victim to the ransomware campaign.
Prevention technology can’t stop highly targeted, sophisticated and multi-staged attacks. Targeted attacks such as spear phishing, email spoofing and social engineering are almost impossible to prevent: with employee and social media accounts, and the business’ third party vendors, there are too many attack vectors to exploit.
The most recent Verizon Data Breaches Investigation Report found that a majority of attackers behind cyber incidents in 2016 were external actors motivated by money. With determined attackers like these out to make a profit, a cybersecurity event is a “when” – and not an “if” -- proposition, prompting a need for detection and response technology to coexist with prevention measures.
You Need Both Prevention and Detection to Respond to Cyber Incidents
Preventative security measures such as firewalls, secure web gateways and antivirus solutions can no longer defend against sophisticated cyberattacks. In 2016, U.K. businesses faced an average of 230,000 cyberattacks, according to a recent study. In November of that year, the number of attacks on individual companies breached 1,000 firewalls per day, on average, the study found.
Enterprises need to rebalance their approach to cybersecurity - a perfect prevention system doesn’t exist. Cybersecurity strategy should be formulated with the idea that the breach is inevitable in mind. Organizations need to recognize that at some point their systems will be compromised.
The sophisticated security testing programs of detection and response technology allow companies to deepen their understanding of what’s happening inside their networks so they can catch threats before they take root and cause damage.
Look no further than the National Institute of Standards and Technology (NIST), which offers full-throated support for prevention and detection. NIST’s Cybersecurity Framework recommends that organizations should address five areas: Identification, protection, detection, response and recovery.
Of course, prevention still has its place as the means to monitor and prevent commoditized and known threats. It is no longer a question of protection or detection - to be effective you need both.
To learn more about balancing prevention with detection and response, sign up to our blog.