Prevention vs Detection-based Security Approach

By Ron Samson Jr

Prevention vs Detection-Based Security Approach

Why You Should Add Detection To Your Security Strategy

A number of different approaches to cyber defense exist.  However, they can generally be classified into prevention-based and detection-based strategies.  In a prevention-based strategy, an organization does their best to harden their systems against attack.  In a detection-based strategy, a company’s security team proactively works to identify and remediate threats that have breached the organization’s defenses.

Prevention-based security is the more common approach, and, in the past, it was very effective.  However, while prevention is the ideal way to manage a potential security incident, it isn’t always effective.  Adding detection to an organization’s security strategy is becoming increasingly necessary to protect against modern cyber threats.

The Benefits of Prevention-Based Security

Most organizations use a prevention-focused security strategy.  This approach to security is older than detection-based security and is effective in many different contexts.  By deploying security solutions like firewalls and antiviruses and applying patches for identified vulnerabilities, an organization can dramatically decrease the probability of being the victim of a successful attack.

Prevention-based security is also easier.  With prevention-based security, an organization can focus solely on improving their existing defenses.  This type of security doesn’t require the cybersecurity knowledge and expertise that is necessary for identifying an intrusion into a system and investigating it.  With a global talent shortage of 4 million unfilled cybersecurity roles, finding and retaining this type of talent can be difficult.  As a result, many organizations focus on prevention to avoid needing to retain this type of talent.

Finally, preventing a cyberattack is always better than responding to it.  If an attacker can be stopped before they ever gain access to an organization’s systems, then they have limited or no opportunity to cause damage or steal sensitive data.  If an organization can prevent all attacks against its systems from succeeding, it never has to deal with the cost of investigating and remediating a cybersecurity incident or data breach.

The Limits of Prevention-Based Security

The main issue with prevention-based security is that it is not always effective.  In the past, organizations were able to protect against the vast majority of attacks against their systems.  Cyber threat actors were less sophisticated, and the number and complexity of the malware variants in use were lower.  Organizations also had a less complex attack surface to defend, making it easier to keep vulnerabilities patched and to identify potential attacks against these systems.

In the modern threat landscape, prevention-based security strategies need to contend with a number of different challenges.  Two of these are the rapid growth of malware and the explosion of software vulnerabilities.

Keeping Up With Malware Growth

Prevention-based security often makes heavy use of signature detection.  In signature detection, unique features are extracted from each identified malware variant after it has been identified “in the wild” and new content entering the network is compared to these signatures.  While this approach is effective, it isn’t scalable.  In 2018, 246,002,762 new malware variants were discovered.  Prevention-based security requires security appliances to be familiar with every malware variant that is currently in operation, a number that is constantly growing.

This assumes that signature-based threat detection is effective in all cases.  Modern cyber threat actors are familiar with how traditional detection systems operate and design their attacks to fly under the radar.  Something as simple as making small modifications to a malware sample  to invalidate past signatures can make the sample “invisible” to signature-based security.  Modern threat actors use these and other tactics to render prevention-based defenses ineffective and slip into an organization’s network.

The Software Vulnerability Explosion

A core component of a prevention-based security strategy is patching any vulnerabilities in an organization’s software and cyber defenses.  If a new vulnerability has been identified and publicly disclosed, an organization is vulnerable to attack until they apply the appropriate patch.

If everything goes well, an organization patches a vulnerability shortly after the patch is released.  In reality, patch-based security isn’t scalable.  In 2018, more than 22,000 new vulnerabilities were discovered, and not all of these even had patches available.  The rate at which new vulnerabilities are discovered and disclosed leaves most organization’s patch management processes far behind.  On average, it takes 38 days to patch a vulnerability after it is disclosed, leaving hackers plenty of opportunity to take advantage of it.

A prevention-based security strategy is only effective if an organization can identify and fix all holes in their defenses.  With a rapidly accelerating threat landscape, accomplishing this is difficult or impossible, meaning that attackers will get in.

The Case for Detection-Based Security

In the modern cyber threat landscape, the question is not so much if an organization will be breached but when they will be breached.  A lack of available cybersecurity talent and the increasing sophistication of threat actors means that a sufficiently determined adversary will be able to identify and exploit one of the many vulnerabilities in an organization’s systems.  As a result, 80% of enterprises suffered a cybersecurity incident in the last year.

A detection-based cybersecurity strategy accepts this fact and takes action to limit the impact and damage caused by the inevitable breach.  By searching for the signs that indicate that a breach has occurred, an organization can start its incident response and remediation processes much more quickly.

And responding to a breach quickly can save organizations a lot of money.  For many organizations, this can be the difference between a survivable incident and a business-ending breach.

Why To Add Detection to Your Security Strategy

Taking a prevention-based approach to security is a good idea.  Every attack that can be blocked before it enters the network incurs little or no damage to the company.  Prevention is always the best way to handle a cybersecurity incident.

However, the reality of the modern cyber threat landscape is that prevention simply isn’t enough.  Cyber threat actors have become increasingly sophisticated and know ways to bypass traditional cybersecurity defenses.  As the use of software explodes and the number of vulnerabilities grow with it, organizations can’t patch all of the holes in their security defenses.

By accepting the fact that attacks will make it through an organization’s defenses and adding detection to their security strategy, organizations can make themselves much more resilient against attack.  If the organization doesn’t have the skills in house to perform threat hunting and other proactive cyberdefense activities, partnering with a managed detection and response (MDR) provider can provide access to the skill sets needed to rapidly identify and remediate threats before they do damage to the organization.