Prevention, or detection & response? Why they go hand-in-hand
Which is more important, threat prevention – or detection and response? We often hear that the prevention ship has sailed when it comes to cyber criminals. The bad guys will get in, so we must now focus our energies on detection and response.
There’s truth to that, but it’s not necessarily the whole truth. While we can’t place all of our eggs in the prevention basket, we certainly can’t get rid of the basket. In fact, a strong pre-compromise prevention program can actually help make your detection and response system more effective. Or put another way, strengthening your organization’s preventive measures and vulnerability management capabilities helps streamline the post-compromise process.
Detect targeted attacks more quickly
Strong preventive measures keep your networks clean of commodity malware, so you can focus on the threats that matter most. For example, a good endpoint security solution protects you from the majority of threats out there – the bulk, commoditized threats like ransomware and other malware that cost your organization time and productivity. Protecting yourself from these threats maintains a baseline of “security hygiene” within your organization, and it also cuts the background noise your analysts have to sift through. So when you do get an advanced attacker moving around in your systems, as this blog post puts it, “It’s a lot like medicine. It’s much easier to focus on identifying, isolating and treating a serious point of infection when the whole organism isn’t inflamed with a bunch of other nasty stuff.”
Here’s how a system administrator at one of our customer organizations experienced the benefit of combining prevention and detection technologies: “With F-Secure Business Suite Premium and Rapid Detection & Response Service, our systems are now fully protected against all forms of malware and cyber attacks. The two cases that F-Secure has uncovered since our introduction in such a short time (6 and 9 minutes) have more than convinced us we have chosen the right solution.”
Close up security holes
Vulnerability management is an important piece of early prevention. Vulnerability management tools with asset discovery and vulnerability scanning help minimize your attack surface by identifying critical exploitable flaws. Knowledge is power. When you know which assets you need to protect and which vulnerabilities you need to patch first, you can do something about them – and asset discovery matters as much as scanning, because a flaw on a host nobody knew about is a flaw nobody will patch.
Keeping your systems up to date stops opportunistic attacks from littering your network, and it raises the bar for more advanced ones. It also reduces the options of an attacker who is already inside: without an unpatched service to exploit on the next host, lateral movement becomes slower, noisier and easier to detect.
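As an added illustration of the triage step described above (this is example code written for this page, not part of any F-Secure product), the script below joins vulnerability-scan findings to an asset inventory, flags hosts the scanner found that nobody has registered, and ranks each finding by the factors a practitioner actually patches by: severity, whether a public exploit exists, whether the host is internet-facing, how valuable the host is, and whether the vulnerable service is one an attacker would use to move laterally. The inventory, scan output, CVE identifiers and exploit list are all constructed sample data; the weights are an assumption to show the idea, not a standard.

```python
"""Prioritise vulnerability-scan findings against an asset inventory.

Added example for this page. All data below (hosts, CVE identifiers,
scores, the "known exploited" list) is constructed for illustration;
the scoring weights are an assumption, not a published standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    internet_facing: bool
    tier: int  # 1 = crown jewels ... 3 = low business value


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    service: str


# Constructed asset inventory (what the organisation thinks it owns).
INVENTORY = {
    "web01": Asset("web01", "web-team", internet_facing=True, tier=2),
    "fs01": Asset("fs01", "infra", internet_facing=False, tier=1),
    "dev-vm7": Asset("dev-vm7", "dev", internet_facing=False, tier=3),
}

# Constructed scanner output (what the scanner actually saw on the network).
SCAN = [
    Finding("web01", "CVE-2000-0001", 9.8, "http"),
    Finding("fs01", "CVE-2000-0002", 8.1, "smb"),
    Finding("dev-vm7", "CVE-2000-0003", 7.5, "ssh"),
    Finding("fs01", "CVE-2000-0004", 5.3, "http"),
    Finding("printer-3f", "CVE-2000-0005", 6.5, "http"),  # not in inventory
]

# Constructed stand-in for a "known exploited vulnerabilities" feed.
KNOWN_EXPLOITED = {"CVE-2000-0001", "CVE-2000-0002"}

# Services an attacker inside the network typically abuses to hop hosts.
LATERAL_SERVICES = {"smb", "rdp", "winrm", "ssh"}


def discover_unknown_assets(inventory, scan):
    """Hosts the scanner found that nobody has registered (shadow assets)."""
    return sorted({f.host for f in scan} - set(inventory))


def score(finding, asset):
    """Assumed weighting: CVSS base, plus bumps for exploitability,
    exposure, host value and lateral-movement potential."""
    s = finding.cvss
    reasons = []
    if finding.cve in KNOWN_EXPLOITED:
        s += 3
        reasons.append("public exploit")
    if asset.internet_facing:
        s += 2
        reasons.append("internet-facing")
    elif finding.service in LATERAL_SERVICES:
        # An internal host with a vulnerable SMB/RDP/SSH service is exactly
        # what an attacker already inside would use to move laterally.
        s += 2
        reasons.append("lateral-movement service")
    s += 4 - asset.tier  # tier 1 -> +3, tier 3 -> +1
    reasons.append(f"tier {asset.tier}")
    return round(s, 1), reasons


def patch_plan(inventory, scan):
    """Ordered list of (host, cve, score, reasons), highest priority first."""
    ranked = []
    for f in scan:
        asset = inventory.get(f.host)
        if asset is None:
            continue  # surfaced separately by discover_unknown_assets()
        s, why = score(f, asset)
        ranked.append((f.host, f.cve, s, why))
    # Deterministic ordering: score descending, then host and CVE for ties.
    ranked.sort(key=lambda r: (-r[2], r[0], r[1]))
    return ranked


if __name__ == "__main__":
    for host in discover_unknown_assets(INVENTORY, SCAN):
        print(f"UNKNOWN ASSET: {host} - register it before it can be patched")
    for host, cve, s, why in patch_plan(INVENTORY, SCAN):
        print(f"{s:5.1f}  {host:8} {cve}  ({', '.join(why)})")
```

Run it and the internet-facing web server with a publicly exploited flaw lands at the top, but the internal file server's SMB vulnerability is a close second, which is the point of the lateral-movement bump: a CVSS score alone would have ranked it below the dev VM's SSH finding on nothing but severity, while an attacker already inside the network would reach for it first. The unregistered printer is reported separately, because no amount of ranking helps a host that isn't in the patch process at all.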
Make the attackers work for it
Prevention also makes the attackers’ lives harder. Those advanced attackers with the skills to get into your network no matter what? No need to roll out the red carpet. By putting effort into prevention, you make it harder for these attackers to breach your network and to move once they are in. When they’re forced to put in more effort, their costs go up, which also works as a deterrent.
Get more bang for your buck
Early prevention helps smooth your detection and response processes. But not only that, it’s actually the most cost-effective way to protect the network. As the below diagram shows, the longer an attack persists, the more costs build up. Prevention from the early stage – and if that fails, detection as quickly as possible – keeps costs low and efficient.
Just ask Equifax, where the attackers maintained over 30 separate entry points into Equifax’s systems. And ask the more than 1,500 other companies that, according to the National Foundation for Credit Counseling (NFCC) in the US, experience a data breach every year. Each of those breaches is a painful mess for the company – and for the customers who have had data exposed.
Here’s an example of prevention at work in the case of WannaCry. Many layers working in tandem offer a protective barrier: if one layer fails, there are others to back it up.
Practice ongoing and integrated activities
When combining pre- and post-compromise measures, we can’t forget that these activities need to be ongoing processes. We must also integrate them with other company processes. Vulnerability management, for example, must be a frequent and repeated practice to stay on top of security flaws, and it should be tied to the company’s risk management process. Process inventory management, patch management, application security and risk management should all be integrated on some level in order to achieve a truly effective vulnerability management program.
Companies usually don’t realize the importance of prevention until it’s too late. But vulnerability management and other preventive measures, combined with strong detection and response capabilities, work best in tandem to prevent and detect breaches. Together, they keep costs from skyrocketing and keep the business doing what it should be doing, which is business.
To find out more about improving your cyber resilience strategy, download our ebook, Guide to Detection & Response.