“Detection and response” is the new approach to information security being championed by some of the leading analyst firms today. The theory is that, since we have failed to keep attackers from getting inside our networks, we’re better served getting tools that detect them once they are in, and help chase them back out again before they can do real harm.
Nice idea, but completely wrong-headed. While detection-and-response capabilities can be valuable as part of an overall approach to cybersecurity, they cannot be the foundation of one, and, in fact, will fail if thought of that way. There are lots of reasons for that reality, including the built-in advantage attackers have in initiative and agility, and the massive surface area response teams must try to defend. But before we talk about those, let’s actually just use a bit of common sense from the rest of our lives. Imagine if the fire chief in your town came to you and said, “we’re getting rid of building codes around fire safety, because we just bought a rockin’ new fire truck, and we figure that once you let us know the house is on fire, we can get there quickly enough to keep too much damage from occurring.” You’d call him naive and a bit daft.
The reality is that fire departments, while essential and life-saving at times, generally show up to make sure that the fire in your house doesn’t spread to your neighbor’s house, and that everyone gets out alive. The surface area they have to cover (your whole town or precinct) and the time from detection to action (communications, roads, marshalling the fire team) are just too great for them to really do much more in most cases. That’s why fire codes and fire prevention approaches are the best friends of the fire department. They reduce the surface area of risk (number of ways a fire can start and, therefore, number of fires they’ll have to fight) to something close to manageable. And they help slow the spread of fires and toxic gases so that the people involved have a much better chance of actually getting out alive. Sure, faster detection is helpful, but the complexity of the response task still means the fire department’s ability to prevent meaningful damage is limited.
The same holds true in cybersecurity, but at a far more pronounced level, because here the risk is not from accidental fires, but from the digital equivalent of a skilled and determined arsonist who knows the tools and tactics of the fire department, and can easily overwhelm or evade its efforts. Prevention of attacks is still the best, lowest-cost foundation of information security, because the breach that never happens is the easiest one to defend against. And despite a lot of today’s hyperbole, prevention is, in fact, very effective. No, it won’t stop all attacks from being successful, but its other advantage is that it reduces the number of fronts that your response teams must defend at any one time, so that response actually has a chance of success, the few times you actually need it.
Prevention, for enterprise security teams, is also a more effective and achievable approach as more and more of their IT infrastructure is outsourced to cloud providers in one form or another. In that scenario, what’s left for the enterprise to really worry about are not servers, storage and networks; it’s users and applications – the two elements of the equation that cloud provider security programs generally disavow responsibility for. The good news: prevention technologies for users (multifactor authentication, risk-based authentication) and applications (static and dynamic testing) are actually robust today, and very achievable for enterprises to implement and manage.
So before we start thinking that playing cops and robbers inside our networks is the right approach to information security, let’s put some thought into what it is we’re trying to achieve and the lowest-cost way to do it.
I’m glad my town has a good fire department and those shiny trucks in the station – but that doesn’t mean I’m going to start grilling in the family room anytime soon …