The old adage, “an ounce of prevention is worth a pound of cure,” is well known and yet this sage advice is rarely turned into action either in healthcare or cybersecurity. This blog explores the trade-offs organizations face as they work to balance investments in the prevention of Cyber Attacks against Cyber Attack detection capabilities. We examine expenditures, the history of policies, and structural features that have affected organizations’ apparent priorities, the values that may explain and justify their investments, and the operational traditions that have shaped them.
Prevention v Detection
While attack prevention may be cost-effective, it is not clear that it is more so than detection. One can make the case that the benefit/risk thresholds for prevention ought to be higher than detection; however, the priority for prevention is driven by the vividness of perceived risks to the business of a breach rather than any economic argument. Most arguments for one approach over the other are based on personal biases that are informing leaders’ decisions about where to invest rather than basing decisions on a formal, rational model of the risks and how to best mitigate them.
Let’s begin the conversation with a definition of terms; what do we mean by ‘detection’ and ‘prevention’ in the context of cybersecurity? Detection is the ability to identify malicious activity, write a signature to find the malicious activity, and, once detected, to negate the activity. Detection is used in anti-virus products, Intrusion Detection Systems (IDS), and endpoint detection systems. These have been the bedrock of cybersecurity. The major faults with these methods are the time it takes to identify, write, and deploy the signatures. For an IDS, the time is usually set by the processes implemented within an organization. Anti-virus is dependent on the anti-virus company receiving the signatures, or organically detecting them, then implementing a patch and pushing to their software. This is usually a 2-4 week turn around, which, in today’s cybersecurity environment, is an eternity. The last detection method, endpoint detection, is a hybrid of the organization run signatures and company provided signatures.
Prevention is the ability to prevent malicious activity from occurring on your network, which is considered to be the Holy Grail in Cybersecurity. Ideally, an organization would secure the network by employing an algorithm or artificial intelligence capability to stop malicious activity before an intrusion can take hold. This approach is the cutting edge of cybersecurity, and as with any new technology, it has its drawbacks; mostly the uncertainty concerning the efficacy of the prevention systems available. Prevention systems are billed as understanding the network environment and acting on unusual activity perceived as malicious. Prevention systems rely on an algorithm to function, placing the onus on the product developers to bring to market a prevention system that is able to protect the network.
Where should organizations invest – prevention or detection?
The choice between prevention and detection will become more difficult as prevention systems mature and become more prevalent. In the near term, there are three main factors to consider to determine where to invest: Business requirements, cybersecurity program maturity, and the available resources.
1. Business Requirements
Cybersecurity professionals must understand key functions within their organization, whether they are customer data-centric, focused on protecting intellectual property, or transactional. Once the high-priority business requirements are understood, a foundation has been set from which to understand risks and build an effective cybersecurity program.
Business requirements also help the cybersecurity professionals in assessing the policies, procedures, and tools to build the cybersecurity program. In the prevention v detection discussion, understanding the environment enables these professionals to prioritize network segments, as well as how data is stored and transmitted on the network. Prevention specialists will argue that their system can be dropped in place, learn your network, and start to identify anomalies almost immediately. However, not all businesses will have the resources or the ability to properly deploy these systems. If you are a small or medium business with good cybersecurity practices already in place (e.g. password policies, firewall rules, cybersecurity training for employees) then a prevention system is more than likely too much to handle. Detection systems are more than capable of securing most networks, but the impetus is with the network and cybersecurity team to keep those systems up to date and efficient.
2. Cybersecurity Program Maturity
The maturity of an organization’s cybersecurity environment speaks directly to the skills and experience of their people, their security policies, and their understanding of the network as a whole. Today, most businesses are probably on the low end of the spectrum as far as their cybersecurity programs are concerned, as cyber is still a relatively new discipline. With a lower level of maturity, the most straightforward investments are in detection over prevention.[tweet]
There is the concept of the ’known known’ and the ‘known unknown’. The former speaks to what you already understand, and the latter to what is new and exciting, but not fully understood. Detection systems are the most mature cybersecurity capability and fall into the ‘known known’ category. They have been around for at least a decade and most cybersecurity professionals are comfortable in deploying and maintaining these systems. For newer cybersecurity programs, known knowns are good.
On the other hand, prevention systems are ‘known unknowns’, which does not make them bad technologies per se. The challenge is that they are not well understood and therefore increase the risk for organizations that may deploy the technology incorrectly or fail to provide secondary systems to properly manage the risks. In short, mature cybersecurity programs can employ newer technologies, because their baselines are well established from their current detection systems. While less mature cybersecurity programs need to establish a solid security foundation with reliable methods, which is where detection systems can best mitigate risk.
3. Financial and Personnel Resources
Personnel resources refer to having experienced manpower necessary to implement, maintain, and operate a system. This is key to the detection argument, as they are ‘known knowns’ and the manpower required to handle these systems is well-defined. On the other hand, a prevention system requires a level of skill and understanding that is not always present in the organization. Cybersecurity is useless if trained and experienced personnel are not available to maintain and operate the environments.[tweet] Organizations must first establish a center of cyber excellence before investing in more advanced prevention technologies.
On the financial side, organizations must recognize that most of their budget will be devoted to personnel as well as subscriptions to different cybersecurity products. This may leave little room to make investments beyond cybersecurity detection solutions, yet some consideration of prevention must be made. Detection may be more cost effective in the short run, but taking the long view will eventually pay off as technologies mature. This does not mean a prevention system is an immediate solution, but it should be part of the conversation.
The long-running debate over the relative importance of prevention or detection is a theme that at least a dozen security bloggers are exploring today. In many ways, the debate represents a false choice; a well-functioning cybersecurity system requires both prevention and detection. The open question is, how do you strike the right balance? Is the best measure simply one of operational economics? Good decisions in cybersecurity are about balance and looking for long-term systemic solutions instead of the quick fix. Until we have better prevention technologies available, organizations will have to strike the right balance between detection and prevention.
Follow @Idenhaus, connect on LinkedIn, and click here to subscribe to our blog.
Photo credit: Flickr
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us today!