Prevention vs. Detection: It's Not Either Or


From No, Virginia, It Does NOT Mean That!:

Here are my top 5 reasons why DETECTION excellence does NOT automatically mean you can have PREVENTION: [Uncertainty, Timing, Vague Signals, False Positives, and Detecting From Exploration]

This article, written by a VP of Research at Gartner, completely misses the most obvious element of a prevention stance: the ability to actually block the malicious traffic. That, of course, requires segmentation and a security control sitting inline at the segment boundary that can actually block the traffic in question.

(By the way: anyone who truly believes detection is better than prevention should turn off their firewalls right now. Go ahead, turn them off. Oh wait, you actually want to block some traffic you know you don’t want? That’s not what a “detect only” mindset allows for.)

I’ve seen several organizations take “threat intelligence” (either internally gathered or a combination of internal and external intel) and simply use basic firewall functionality to block access to known malicious sites. This might or might not be automated; either way there is a gap between something “bad” being discovered and the corresponding block being implemented on your firewalls, and a manual process makes that gap much larger.

A much better approach is to use tools that can decide in real time whether traffic is good or bad, consulting external threat intelligence that is updated automatically and continually at the enforcement points, and that actually block the traffic. Sure, you may get the occasional false positive, but is a false negative actually better?

Sure, no solution is going to stop 100% of all threats, because even preventative controls that consult the best threat intelligence in the world aren’t going to know about everything. By definition, threat intelligence can only block known bad traffic; add an inline malware sandboxing solution and a good percentage of zero-day malware can be blocked too, but it’s still not going to get everything. The silver lining is that a lot of the breaches that occur actually use known bad traffic. Thus, a comprehensive inline threat prevention solution located at strategic points in the environment will be a net positive for just about every organization.
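To make the two paragraphs above concrete (the gap between an indicator being published and the block landing on the firewall, and the traffic that no feed can ever cover), here is an added example; it is not code from the original post, from Check Point, or from any real product. The feed entries, hostnames and log lines are constructed, and the 24-hour versus 60-second deployment delays are illustrative assumptions. Each connection is bucketed by what an inline control could have done about it at the moment it happened.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample threat-intel feed (hypothetical hostnames, made up for this example):
# indicator -> the time the feed first published it.
FEED: Dict[str, datetime] = {
    "evil-cdn.example": datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc),
    "update-check.example": datetime(2017, 3, 1, 9, 30, tzinfo=timezone.utc),
}

# Constructed egress connection log: "<ISO timestamp> <source host> <destination host>".
LOGS: List[str] = [
    "2017-03-01T08:55:00Z host-a evil-cdn.example",      # before any feed knew about it
    "2017-03-01T09:05:00Z host-b evil-cdn.example",      # 5 min after the feed published
    "2017-03-01T10:00:00Z host-c update-check.example",  # 30 min after the feed published
    "2017-03-02T11:00:00Z host-d evil-cdn.example",      # next day
    "2017-03-01T09:10:00Z host-e totally-new.example",   # in no feed at all
]

# Two assumed deployment models for getting a new indicator onto the enforcement point.
MANUAL_DELAY_S = 24 * 3600   # someone reads the feed, files a change, updates the firewall
AUTOMATED_DELAY_S = 60       # the enforcement point pulls the feed itself


def parse_log(line: str) -> Tuple[datetime, str, str]:
    """Split one constructed log line into (timestamp, src, dst)."""
    ts, src, dst = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst


def classify(logs: List[str], feed: Dict[str, datetime], deploy_delay_s: int) -> Dict[str, List[str]]:
    """Bucket each connection by what an inline control could have done about it.

    blocked         rule was already on the enforcement point: prevented
    gap             indicator published, but the rule had not been deployed yet
    predates_intel  connection happened before the feed knew the indicator
    unknown         destination in no feed: only detection and response can catch it
    """
    delay = timedelta(seconds=deploy_delay_s)
    buckets: Dict[str, List[str]] = {"blocked": [], "gap": [], "predates_intel": [], "unknown": []}
    for line in logs:
        when, _src, dst = parse_log(line)
        if dst not in feed:
            buckets["unknown"].append(line)
        elif when < feed[dst]:
            buckets["predates_intel"].append(line)
        elif when < feed[dst] + delay:
            buckets["gap"].append(line)
        else:
            buckets["blocked"].append(line)
    return buckets


def summarize(logs: List[str], feed: Dict[str, datetime], deploy_delay_s: int) -> Dict[str, int]:
    """Counts per bucket, for comparing deployment models side by side."""
    return {name: len(lines) for name, lines in classify(logs, feed, deploy_delay_s).items()}


if __name__ == "__main__":
    for label, delay in (("manual", MANUAL_DELAY_S), ("automated", AUTOMATED_DELAY_S)):
        print(label, summarize(LOGS, FEED, delay))
```

With the manual 24-hour model, two of the four feed-covered connections fall into the gap and only one is blocked; with the 60-second automated model all three post-publication connections are blocked. The connection that predates the intel and the one to a destination in no feed come out the same under both models, which is the part of the picture that detection and response still have to cover.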

For the bad things we can’t block because they are truly unknown, we still need to detect them and, just as importantly, respond in a timely manner.

Disclaimer: Check Point (where I work) has a great next generation threat prevention solution. That said, the above are my own thoughts.
