A few years ago, the cybersecurity industry adopted a new mindset that went something like this: Cybersecurity controls are not very effective. Therefore, sophisticated cyber adversaries can easily circumvent them, compromise networks, and execute data breaches. Hence, trying to prevent attacks is essentially a fool's errand, so organizations should concentrate on incident detection and response.

This line of reasoning was supported by an overly simplistic axiom that spread like wildfire in the industry: "There are two types of organizations. Those that have been breached and those that have been breached and don't know it."

Now, I admit there was, and still is, some truth to these assumptions. Lots of security technology staples were porous in the past, as they were designed to address known rather than zero-day threats. Furthermore, networks tended to be relatively flat and wide open for attack.

With these shortcomings, many organizations shifted spending and focus to new technologies designed for threat detection — malware sandboxes, UEBA, EDR, network security analytics, etc. So, what happened? Firms were soon overwhelmed by disconnected technologies, mountains of new security data, and a cacophony of security alerts. Alas, many organizations realized then that they had neither the staff nor the skills to fully utilize this threat detection technology. Oh, and the pervasive cybersecurity skills shortage probably means this situation won't change anytime soon.

To me, there are two problems here: 1) Security controls are ineffective, so an inordinate amount of bad stuff gets into the network, and 2) Threat detection is too noisy and complex.

New advanced threat prevention technologies

Fortunately, there may be a change in the air. Cybersecurity technology vendors are introducing a wave of technologies for what I call advanced threat prevention. These tools do a much better job of blocking exploits, attack vectors, and malware while greatly reducing the attack surface. This, in turn, has the derivative effect of decreasing threat detection noise and complexity. As these technologies arrive and mature, leading organizations will make 2018 a year of advanced threat prevention by deploying technologies such as:

Next-generation endpoint security software. The big technology advances here were the addition of real-time analytics and machine learning algorithms for malware detection/blocking. These innovations translate into much higher efficacy for detecting/blocking all types of threats. Cylance really disrupted the endpoint security market with machine learning a few years ago. Since then, others such as CrowdStrike, McAfee, Sophos (Invincea), Symantec, and Trend Micro have introduced similar functionality. CISOs will move rapidly in this direction next year.

Threat intelligence gateways. I've seen a consistent effort to operationalize threat intelligence over the past few years, but this can be hard work. Threat intelligence gateways (i.e. Centripetal Networks, Ixia, LookingGlass Networks, etc.) have the potential to transform this labor-intensive practice by scoring threats and then blocking volumes of them at the network perimeter. Why not do this with tried-and-true network firewalls? Because they are incapable of tracking/blocking the volumes of threats that purpose-built threat intelligence gateways can.

Secure DNS. Closely related to threat intelligence gateways, secure DNS services are designed to track and block malicious domains, zones, and associated IP addresses without any effort on the user's part. Cisco's OpenDNS is the big kahuna here, but others, including Comodo, Infoblox, and Neustar, offer similar services. Note that there are many free secure DNS service offerings, including the recently announced Quad9 from IBM.

Micro-segmentation. Technologies such as Cisco ACI and VMware NSX took the concepts of firewalling, ACLs, and network segmentation and married them to the simplicity of software-based policy management and enforcement. Others (Illumio, vArmour, ShieldX, etc.) offer similar multi-platform functionality. CISOs will use these technologies more ubiquitously and beyond the data center in 2018 to greatly reduce the overall attack surface.

Intelligent application controls. I'm thinking here about tools that profile applications, determine a baseline of normal activity, and then either alert when things go haywire or block activities that appear to represent anomalous/suspicious behavior. Edgewise, VMware AppDefense, and ThreatStack come to mind here.

While there's really no such thing as "set-it-and-forget-it" security technology, these tools don't require as much constant care and feeding as legacy security controls or monitoring and analytics systems. This means CISOs won't need an army of staffers, months of deployment/customization, and weeks of staff training to benefit from these investments.

Remember the old joke about the two guys who try to outrun a bear? The first guy says it's useless because bears are much faster than people. The second one responds, "I don't have to outrun the bear; I just have to outrun you." In cybersecurity, cyber criminals, hacktivists, and state-sponsored cyber adversaries are the bears. Advanced threat prevention isn't a panacea, but smart CISOs will use these tools to stay ahead of other organizations that rely on elementary security controls and maintain appetizing and wide-open attack surfaces.