Preventative Security or Detection?
You have many tools for protecting your infrastructure, and many of them come in two forms: preventative and detective. These tools, while typically built on the same types of technology, differ in how they protect your organization. This article goes over the difference between the two and why you would use one over the other. In my 11+ years in Information Technology, I've seen senior professionals fail to understand the difference.
Many people mistake one for the other, and in doing so expose their organization to increased risk. One category of tooling captures what an attacker did, while the other prevents the attack from happening. You should understand both and when to use each, or you could end up worse off.
Detection
Detection security tools are very common. They provide visibility into the infrastructure, typically through log data. When someone accesses a website, file, database, IP address, etc., the detection tool logs that attempt. In every case, these tools document that something happened; they take no direct action on the traffic.
Some advanced detection tools can look for patterns, use heuristics or AI, and then kick off automation. That automation could be set up by security personnel or built into the software, and it can perform actions such as locking an account that was accessed from a known malicious IP address. Even so, the tool itself is only documenting: it may be able to kick off automation, but it is still a detection tool, because the traffic has already happened. Any security measure you take at that point comes after the incident.
These tools are good for alerting a team, kicking off automation, or archiving anything deemed suspicious. They are mostly used to go back and look at what an attacker did, not to prevent the attacker from doing anything. If you need to determine the extent of an attack, for example what the attacker accessed, detection tools are great for that.
Prevention
These tools have the functionality of detection but can also act. You can configure them to prevent an attack, not just watch someone break your window and steal your TV. A prevention tool can match on heuristics, for example, and if traffic matches malicious behavior, it can be stopped. You can also configure the prevention tool to alert that it found malicious behavior and prevented it. This is possible because the prevention tool sits in the path of the traffic.
With detection, the malicious traffic was already sent, and we had the option to start some automation after the fact. With prevention, the tool monitors and acts on the traffic as it happens; it is real-time protection. You can also pull in threat feeds to find indicators of compromise, for example IP addresses and URLs used by known attacks, and then prevent someone from sending a remote code execution attempt in a URL or communicating with a command and control server.
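The difference between the two sections above (detection sees traffic after it has reached the resource; prevention sits in the path and drops a match before it does) is easier to see in code. The following is an added example written for this article, not the article's own code or any vendor's product: it runs the same threat-feed matching logic in both positions over constructed sample traffic. The IP addresses come from the documentation ranges (198.51.100.0/24, 203.0.113.0/24) and the feed entries and URL markers are placeholders, not real indicators.

```python
"""Passive detection vs. in-path prevention over constructed sample traffic.
Added example, not code from the article; all indicators and addresses are placeholders."""
from dataclasses import dataclass, field

# Constructed threat feed of indicators of compromise (placeholder values).
THREAT_FEED_IPS = {"203.0.113.7"}
THREAT_FEED_URL_MARKERS = ("/shell?cmd=", "/c2/beacon")


@dataclass
class Request:
    src_ip: str
    user: str
    path: str
    status: int = 0  # 0 = not yet handled


def matches_ioc(req: Request) -> bool:
    """Shared matching logic: both tool types are built on the same technology."""
    return req.src_ip in THREAT_FEED_IPS or any(m in req.path for m in THREAT_FEED_URL_MARKERS)


@dataclass
class Backend:
    """The protected resource; records every request that actually reached it."""
    accessed: list = field(default_factory=list)

    def handle(self, req: Request) -> Request:
        self.accessed.append(req.path)
        req.status = 200
        return req


@dataclass
class Detector:
    """Detection tool: fed a copy of traffic that has already been handled.
    It logs, alerts, and can kick off after-the-fact automation, but never alters the request."""
    log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    locked_accounts: set = field(default_factory=set)

    def observe(self, req: Request) -> None:
        self.log.append((req.src_ip, req.user, req.path, req.status))
        if matches_ioc(req):
            self.alerts.append(f"{req.src_ip} -> {req.path}")
            self.locked_accounts.add(req.user)  # automation runs after the access happened


@dataclass
class Preventer:
    """Prevention tool: sits in the request path, so a match is dropped before the backend
    sees it. It still alerts, because it detected the match as well."""
    alerts: list = field(default_factory=list)

    def filter(self, req: Request, backend: Backend) -> Request:
        if matches_ioc(req):
            self.alerts.append(f"blocked {req.src_ip} -> {req.path}")
            req.status = 403
            return req
        return backend.handle(req)


# Constructed sample traffic: one benign request, one from a feed-listed IP, one C2 beacon.
SAMPLE_TRAFFIC = [
    ("198.51.100.4", "alice", "/reports/q3.pdf"),
    ("203.0.113.7", "bob", "/admin/users"),
    ("198.51.100.9", "carol", "/c2/beacon"),
]


def run_detection_only() -> dict:
    backend, det = Backend(), Detector()
    for ip, user, path in SAMPLE_TRAFFIC:
        req = backend.handle(Request(ip, user, path))  # traffic reaches the resource first
        det.observe(req)                               # the tool only sees it afterwards
    return {"accessed": backend.accessed, "alerts": len(det.alerts),
            "locked": sorted(det.locked_accounts)}


def run_prevention() -> dict:
    backend, prev = Backend(), Preventer()
    statuses = [prev.filter(Request(ip, user, path), backend).status
                for ip, user, path in SAMPLE_TRAFFIC]
    return {"accessed": backend.accessed, "alerts": len(prev.alerts), "statuses": statuses}


if __name__ == "__main__":
    print("detection only:", run_detection_only())
    print("prevention:    ", run_prevention())
```

Both runs raise the same two alerts, so the matching technology is not what separates them. In the detection-only run the backend's `accessed` list contains all three paths, including the admin page reached from the feed-listed address, and the account lock lands after the access; that record is exactly what an incident reviewer needs to scope what was touched. In the prevention run the backend only ever sees the benign request, and the two matches end with a 403 before the handler runs.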
Your Goal
If your goal is to protect your infrastructure from active attacks, prevention is what you need. If you want to be able to go back and look at what an attacker did, detection is what you want. If you want both, to protect your infrastructure from active attacks and to go back and look at what an attacker did when they got past your defenses, then you need prevention and detection tools. An infrastructure should be designed with the combination of both. You need active defenses against attackers, but also the assurance that if someone does get into the infrastructure, you can review what happened and what they did.