'Detect and react' won't win games when you can't stop the run

Don't ignore breach prevention in favor of a strategy of detection and reaction just because everyone thinks a breach is inevitable.


For most security vendors, a pound of detection and reaction is worth more than an ounce of prevention. Similarly, defense in depth means additional layers of revenue, as well as excuses for why breaches occur… because at least one layer was missing. These vendors are not alone. For each, there are analysts, reporters and experts of all kinds also feeding off the enterprise. Each year, for over a decade, one or more of these somethings have latched on to each enterprise. Today’s enterprise is bloated and slowed by cybersecurity parasites. They do little to nothing to prevent data breaches, but they do all manner of things to characterize them.

Few enterprises are without the same symptoms of pallor that have become the new normal. Astonishingly, the path to recovery begins with semantics, followed by an exorcism of false paradigms, and then finally through a steady diet of completely different approaches that treat the roots rather than only the symptoms of enterprise cybersecurity risks.

The hottest cybersecurity products and services use words such as DETECTION and, to a lesser extent, PROTECTION, because they can in fact deliver some of each. But PREVENTION is very different. In football, you can say you PREVENTED the opposing team from scoring a touchdown. You didn’t PROTECT them from scoring a touchdown, and you certainly didn’t DETECT them from scoring one. PREVENTION is a strong word: whatever was about to occur simply didn’t. You PREVENTED it from occurring. DETECTION is not so strong. Your alarms could have DETECTED someone entering your home, but by the time the police came, the burglars and your valuables were long gone.

It’s time to look your security vendors in the eye and let them know that enough is enough, that you want PREVENTION solutions. And when they equivocate, ask them directly: “Do you have them or not?” Nothing prevents everything, yet most things can prevent something. Get clarity on what is and isn’t prevented. Next, get insight into cost drivers: not the price, but the total cost of ownership (TCO) of their offering, as well as the costs elsewhere in your program that the offering affects.

If I didn’t know better, I’d say most of the “detection and reaction” offerings were mandated by the government to create jobs. If those same people were made to dig ditches instead, we’d have fewer breach detections but no fewer breaches. Seriously, following the theft of your intellectual property or trade secrets, how are your losses lowered by knowing you were breached? To be fair, there is value if one learns from a breach such that what has not yet been stolen cannot be stolen in the future. Nonetheless, the greater value to be had comes from PREVENTION.

“The loveliest trick of the Devil is to persuade you that he does not exist.” (Charles Baudelaire, “The Generous Gambler”)

Some 150 years later, who benefits from the belief that PREVENTION solutions are a myth? The vendors and pundits will say nothing is 100 percent secure and that prevention is not practical. Yet your IT/Sec-Ops team leaders say they need more people, and that the ones they have lack the essential skills and experience to operate these “detect and react” approaches. These “detect and react” offerings are nothing if not labor intensive. They make your overall cyber program costs even more staggering.

In summary, if a prevention solution works, you pay for it, you implement it, and you have peace of mind.

But if you go with the status quo, you pay for it, you implement it, you wind up hiring professional services to help, you pay for that, then you wait for the next breach, and when that occurs you pay for it again. That last bill includes a forensics investigation, remediation, etc., which usually involves outsiders too.

For those fed up with cyber-flation, here are some questions to ask and answer that may assist you in your next big decision.

  • Rank the available choices by their impact on incident volume across your overall cyber operations. A PREVENTION option should lower incident and alert volume across multiple areas of your program.
  • Characterize each choice by its expected level of effort as well as its skills-gap impact, penalizing requirements for scarce resources.
  • Reward or penalize each choice for its reliance on a human in the loop for the choice to be successful (some tools have automation features that customers refuse to trust).
  • Look for sporadic or regular tuning requirements that would drive up costs due to expected lifecycle or environment changes (e.g., software updates/patches).
  • Compare the footprints of the choices, penalizing those that require more constrained resources than the others.
  • Evaluate the inertia of the choices: does a choice lock you in such that you might not upgrade to newer things because of dependencies on older things?

One last point for executives: how do you know that your team is actually seeking out and trying new and different things? If you don’t know, then you don’t know, and if they don’t know they should be experimenting for breakthroughs, then they probably aren’t.

This article is published as part of the IDG Contributor Network.
