Enabling Secure Business Operations

Prevention vs Detection

Prevention and detection are both used in information security as part of a defense in depth strategy (but by no means all of such a strategy!)

What I’ve found in dealing with some clients is that they don’t understand the subtle differences between them and where they should use each. Most clients want prevention technologies, forgetting about the detection technologies.

Let’s start by defining what I mean by prevention and detection technologies. Prevention technologies and techniques are those that prevent, or try to prevent, an attack or unauthorized use from happening: these would be things like access controls and firewalls. Detection technologies and techniques are used to notify of, or record, an attack in progress. Detection technologies are things like audit trails and intrusion detection systems (IDS). Detection technologies are sometimes used in conjunction with prevention technologies in order to stop or mitigate an attack in progress, as with intrusion prevention systems (IPS). The key difference is that with detection technologies alone, you are still compromised, but you know that it happened (and maybe how). Many security standards (HIPAA, PCI) require that auditing be enabled in order to determine what has been compromised and to what extent.

Most enterprises (and ads) I’ve seen focus on prevention, not detection. Granted, this makes sense: most companies don’t want to be compromised in the first place. Unfortunately, this leaves few resources for detection. I would argue that detection is just as important as prevention. In fact, I would go as far as to say that detection is almost more important than prevention. And I say ‘almost’, because everyone’s risk profile is different.

But, would you rather be compromised and know about it, or be compromised and not know about it? Granted, ideally you would never be compromised in the first place, but prevention technologies aren’t guaranteed; they may let an attack through. At that point, you want to know that you’ve been compromised so that you can deal with it: clean up, notify customers, etc. There will probably be a small subset of people that would rather not know they’ve been compromised, but that’s a dangerous game to be playing if you’re subject to any security standards.

Another area where detection is often superior to prevention is in internal compromises – a rogue employee, or worse, a rogue administrator. Many prevention technologies focus on external attacks, which employees and other internal users can bypass because they have the right credentials. Yet, if they access a file and they shouldn’t (such as the recent access of passport data on the presidential candidates), detection technologies – logs in this case – can let administrators know something is wrong.
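To make the insider case concrete, here is an added example (my own, not code from the original post) that reads a constructed audit trail and flags accesses that the access control allowed but that a need-to-know policy would not expect: a credentialed user reading sensitive records outside their role, and anyone pulling sensitive records in bulk. The log format, the `/records/passport/` path, the user names and the `BULK_THRESHOLD` value are all assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample audit trail (not from the post): one line per file access.
SAMPLE_AUDIT_LOG = """\
2024-03-01T10:02:11Z jsmith READ /records/passport/10001 ALLOWED
2024-03-01T10:02:40Z jsmith READ /records/passport/10002 ALLOWED
2024-03-01T10:03:05Z mlee READ /public/blog/post-12 ALLOWED
2024-03-01T10:04:19Z tadmin READ /records/passport/10003 ALLOWED
2024-03-01T10:04:51Z tadmin READ /records/passport/10004 ALLOWED
2024-03-01T10:05:02Z tadmin READ /records/passport/10005 ALLOWED
2024-03-01T10:05:30Z tadmin READ /records/passport/10006 ALLOWED
2024-03-01T10:06:00Z rjones READ /records/passport/10007 DENIED
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (ALLOWED|DENIED)$")

# Hypothetical need-to-know policy: only these accounts are expected to read
# passport records, and reading more than BULK_THRESHOLD of them is suspicious.
SENSITIVE_PREFIX = "/records/passport/"
AUTHORIZED_READERS = {"jsmith"}
BULK_THRESHOLD = 3

def parse_audit_log(text):
    """Parse the audit trail into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, resource, result = m.groups()
        events.append({"ts": ts, "user": user, "action": action,
                       "resource": resource, "result": result})
    return events

def detect_insider_access(events):
    """Return (user, reason) alerts. Only ALLOWED reads of sensitive data
    count: DENIED ones were already stopped by the prevention control."""
    alerts = []
    sensitive_reads = Counter()
    for e in events:
        if e["result"] != "ALLOWED" or not e["resource"].startswith(SENSITIVE_PREFIX):
            continue
        sensitive_reads[e["user"]] += 1
        if e["user"] not in AUTHORIZED_READERS:
            alerts.append((e["user"], f"unexpected read of {e['resource']}"))
    for user, n in sensitive_reads.items():
        if n > BULK_THRESHOLD:
            alerts.append((user, f"bulk access: {n} sensitive records"))
    return alerts
```

The administrator account in the sample passes every access check, so the firewall and ACLs say nothing; only the audit trail shows four reads it had no business making.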

I think everyone should use detection technologies and techniques, but I think prevention technologies and techniques should be analyzed for the risk/reward of using them. Some data – social security numbers, personally identifiable information – should be protected with prevention technologies, because the cost of any disclosure is very high. Other data – blog entries, perhaps e-mail – are not as sensitive and while it’s still not preferable to be compromised, the loss of this data does not have the same financial impact.

Of course, you should always evaluate the cost/benefit or risk/reward of any security technologies, but don’t forget about the detection of compromises!
