May 28 2015

Prevention Trumps Detection

Some of you may see that headline and consider me Captain Obvious, but it’s worth saying regardless. For as many IT staffers as prefer to take the approach of threat prevention and avoidance, there are still plenty who are content to detect and remediate. And that method has a major flaw: detection time.

While some security appliances do provide real-time, or near-real-time, threat detection and reporting, deployment of such tools is not as common as, say, a wireless access point. So, for those firms that do employ real-time detection and response, this blog isn’t going to be of much value, unless you like being reassured that you spent wisely on security hardware. For those more inclined to rely on passive, scheduled scanning, I need to point out that intrusions and other compromising events (the discovery of malware and viruses on your corporate network, for example) may eventually happen. But if you only scan once a day, who knows how much damage was done between the time of the breach and its discovery? And on malware and virus threats? It’s not only imperative to scan regularly, but also to update the scanning engine and its signatures. If your engine is out of date, it can miss a piece of nefarious code, and a “clean” result from a stale engine is worse than no result at all, because it reassures you while the malware keeps running. By the time you’ve updated, the code could have been on your network for days or weeks; the two delays compound, since the exposure window is the signature lag plus the scan interval, not one or the other. (One industry study put the median time between intrusion and discovery at 229 days.) There’s no telling how much damage could be done in that span.
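To make the two delays above concrete, here is a small audit script, added as an example and not part of the original post, that reads a constructed scanner export and flags exactly the gaps the paragraph warns about: hosts that have not been scanned within the expected interval, scans that ran with signatures too old to trust, and, for a host where an infection was finally reported, the size of the window between the last trustworthy clean scan and the detecting scan. The log format, the host names, the thresholds (24 hours between scans, 3 days of signature age) and the sample records are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the original post): one line per completed
# scan, in the shape a simple endpoint-scanner export might take.
#   <scan finished, ISO 8601>  host=<name>  sigdate=<signature DB date>  result=<clean|infected:<name>>
SAMPLE_SCAN_LOG = """\
2015-05-27T02:05:00 host=ws-01 sigdate=2015-05-26 result=clean
2015-05-27T02:07:00 host=ws-02 sigdate=2015-05-01 result=clean
2015-05-25T02:03:00 host=ws-03 sigdate=2015-05-24 result=clean
2015-05-26T02:09:00 host=fs-01 sigdate=2015-05-25 result=clean
2015-05-27T02:09:00 host=fs-01 sigdate=2015-05-26 result=infected:Trojan.Generic
"""

MAX_SCAN_AGE = timedelta(hours=24)  # assumed policy: every host is scanned daily
MAX_SIG_AGE = timedelta(days=3)     # assumed policy: older signatures count as blind


def parse_scan_log(text):
    """Parse the export into dicts; blank lines are skipped, malformed ones raise."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        records.append({
            "time": datetime.fromisoformat(stamp),
            "host": fields["host"],
            "sigdate": datetime.fromisoformat(fields["sigdate"]),
            "result": fields["result"],
        })
    return records


def latest_scan_per_host(records):
    """Keep only the most recent scan of each host."""
    latest = {}
    for rec in records:
        if rec["host"] not in latest or rec["time"] > latest[rec["host"]]["time"]:
            latest[rec["host"]] = rec
    return latest


def audit(records, now):
    """Return {host: [issue, ...]} for hosts with a coverage or freshness problem."""
    findings = {}
    for host, rec in sorted(latest_scan_per_host(records).items()):
        issues = []
        scan_age = now - rec["time"]
        sig_age = rec["time"] - rec["sigdate"]  # how stale the engine was when it ran
        if scan_age > MAX_SCAN_AGE:
            issues.append("no scan in the last %dh" % (scan_age // timedelta(hours=1)))
        if sig_age > MAX_SIG_AGE:
            issues.append("signatures %d days old at scan time" % sig_age.days)
        if rec["result"].startswith("infected:"):
            issues.append("infected: " + rec["result"].split(":", 1)[1])
        if issues:
            findings[host] = issues
    return findings


def exposure_window(records, host):
    """Hours between the last trustworthy clean scan and the detecting scan.

    A clean verdict from a scan whose signatures exceeded MAX_SIG_AGE narrows
    nothing (the engine may simply have been blind), so such scans are ignored.
    Returns None if no infection was recorded or no trustworthy clean scan precedes it.
    """
    scans = sorted((r for r in records if r["host"] == host), key=lambda r: r["time"])
    detect = next((r for r in scans if r["result"].startswith("infected:")), None)
    if detect is None:
        return None
    clean = [r for r in scans
             if r["time"] < detect["time"] and r["result"] == "clean"
             and r["time"] - r["sigdate"] <= MAX_SIG_AGE]
    if not clean:
        return None
    return (detect["time"] - clean[-1]["time"]) / timedelta(hours=1)


if __name__ == "__main__":
    recs = parse_scan_log(SAMPLE_SCAN_LOG)
    now = datetime(2015, 5, 27, 12, 0, 0)  # assumed "current" time for the run
    for host, issues in audit(recs, now).items():
        print(host + ": " + "; ".join(issues))
    print("fs-01 minimum exposure window: %s h" % exposure_window(recs, "fs-01"))
```

In the sample data, ws-02 was scanned on time but with signatures almost four weeks old, so its clean verdict is not evidence of anything; ws-03 has simply dropped out of the daily schedule; and the infection on fs-01 sits inside a 24-hour window that a once-a-day scan cannot narrow further. Those are the three conditions a practitioner would want to page on rather than read about in a weekly report.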

To put a finer point on this example, recall last year’s Sony hack. Sony lacked a number of security controls that could have alerted its admin teams to the breach, and given the wealth of data that was siphoned off, the attackers had been inside long before anyone discovered there was a problem.

What does this mean for your company? If nothing else, it serves as a reminder to keep critical pieces of software as up to date as you can afford to (things like antivirus and malware scanning engines and their signatures, and OS patches when a critical fix is released). It also means that, if you had been thinking about an IDS/IPS, it may now be easier to justify to your CFO: no one wants to endure their own Sony hell.

In the end, I would advise that you not put all your eggs in any one basket. Detection is needed, because it’s impossible to prevent 100 percent of all incursions. But prevention is also a must, because studies have shown that detection times are nowhere near quick enough for detection to be the single line of defense. Diversify your strategies and keep yourself, and your firm, safe. On top of detecting and preventing, having an ethical penetration test performed with some regularity is likely not a bad idea. After all, you’d rather know your network could be breached but wasn’t (and here’s how to fix it), as opposed to engaging a security team to clean up from the breach you didn’t think was possible.