How would you know if your prevention methods failed to catch a critical threat? One of two ways: Either a customer, an auditor, or another third party would find out about it (an embarrassing situation for you) or you could get lucky and find it yourself — which is rare without detection.
Prevention techniques and technologies (e.g., security controls, firewalls, encryption, antivirus) are designed to block an attacker from getting in and can be critical to your security strategy. However, they can’t be the only defense you have in place. If history is any indicator (and we believe it is), attackers will find a way in. So, as a defender, you also need the ability to detect threats once they are inside your modern cloud infrastructure. That’s why companies are shifting their focus to detection techniques and technologies (e.g., monitoring, alerting).
In this post, we’ll explain what detection does that prevention cannot, what to watch out for if you’re relying on prevention alone, and how you can use them in parallel.
Detection Keeps Prevention Honest
You’ve probably heard the phrase “Trust, but verify.” You want to trust that your prevention techniques are working, but how would you know if they were not? That’s where detection tools come into play.
Detection tools (such as an IDS or continuous monitoring solution) give you continuous visibility into activity within your modern environment. They not only alert you about known issues (e.g., CVEs and previously disclosed threats), but also about new and unknown ones that may be trying to slip past defenses. With this information, you can quickly make decisions, such as whether to patch a server, shut down access to an application, or write a new script to detect similar events in the future. This is something prevention tools are not built to do, because that’s not their purpose.
While tools like firewalls or antivirus can mitigate common and known security events, they weren’t designed to detect new threats, and on top of that, many prevention tools don’t have built-in alerting to notify you in real time about new issues. Note that some security solutions offer both prevention and detection; just be sure you understand which of the two a given feature provides and what its purpose is.
A good rule of thumb is to have a detection control for every prevention control you have in place. This matters especially if you’re running in the cloud, where new threats are always cropping up: it’s inevitable that some undiscovered attack will slip past your prevention solutions, and that is where detection comes in.
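As an added example (not Threat Stack’s code), here is one detection control paired with one prevention control, in the spirit of the rule of thumb above. It assumes a constructed host firewall policy that permits inbound TCP only on ports 22 and 443, and a constructed connection-event format; the detection control alerts when a connection the policy should have blocked was accepted, recording who, what, where and when for the responder, and counts the denials it sees as evidence that prevention is actually firing.

```python
# Added example, not Threat Stack code. Assumed prevention control: a host
# firewall that permits inbound TCP only on ports 22 and 443 (constructed).
from dataclasses import dataclass

ALLOWED_INBOUND_PORTS = {22, 443}   # assumed firewall allow-list

@dataclass(frozen=True)
class Alert:
    when: str       # timestamp
    where: str      # host
    who: str        # user owning the listening process
    what: str       # process and connection details
    reason: str

def parse_event(line):
    """Constructed format: ts host user process direction src_ip dst_port verdict."""
    ts, host, user, proc, direction, src, dport, verdict = line.split()
    return dict(ts=ts, host=host, user=user, proc=proc, direction=direction,
                src=src, dport=int(dport), verdict=verdict)

def verify_prevention(lines, allowed=ALLOWED_INBOUND_PORTS):
    """Return (alerts, denied): alerts for inbound connections the policy should
    have blocked but which were accepted, plus the count of expected denials."""
    alerts, denied = [], 0
    for line in lines:
        ev = parse_event(line)
        if ev["direction"] != "inbound" or ev["dport"] in allowed:
            continue                      # policy does not apply to this event
        if ev["verdict"] == "denied":
            denied += 1                   # prevention did its job; keep the evidence
        else:
            alerts.append(Alert(          # prevention was bypassed or misconfigured
                when=ev["ts"], where=ev["host"], who=ev["user"],
                what=f"{ev['proc']} accepted {ev['src']} -> tcp/{ev['dport']}",
                reason=f"port {ev['dport']} is outside the firewall allow-list"))
    return alerts, denied

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z web-1 root sshd inbound 203.0.113.5 22 accepted",
    "2024-01-01T10:00:05Z web-1 www-data nginx inbound 203.0.113.9 443 accepted",
    "2024-01-01T10:01:00Z web-1 - kernel inbound 198.51.100.7 3306 denied",
    "2024-01-01T10:02:00Z web-2 app redis-server inbound 198.51.100.7 6379 accepted",
]

if __name__ == "__main__":
    alerts, denied = verify_prevention(SAMPLE_EVENTS)
    print(f"{denied} expected denial(s); {len(alerts)} alert(s): {alerts}")
```

A run over the sample confirms one denial on web-1 and raises one alert for the accepted connection to redis-server on web-2, which is the kind of gap the text says detection exists to surface.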
When Prevention Fails
Statistically speaking, prevention will fail at some point. And one of the biggest reasons companies are rushing to adopt detection solutions is that workloads are moving to the cloud.
In the cloud, companies are able to operate at scale. As they scale, detection becomes more and more critical because changes happen rapidly and there are a greater number of endpoints to watch.
Gartner put it best: “Treat the cloud as an opportunity to apply fresh thinking and to adopt new methods for defending information from attack.” While prevention was popular back in the days when static, on-premises environments were less prone to today’s invasive and tricky attacks, we’re operating on a whole new battlefield in today’s cloud.
With hundreds or thousands of hosts running at any given moment, having the ability to see into all of them, understand when new threats and vulnerabilities try to make their way in, and shut down hosts and apps to stop threats in their tracks is key to being effective in the cloud. Now is your best opportunity to rethink security with cloud-based detection.
How Detection and Prevention Go Hand-in-Hand
This is not to say you should throw your prevention tools and techniques out the window. Detection tools collect the data you need to have (the who, what, where, and when) about a security event as it’s happening, so your security team can respond at the speed and scale of the cloud. Prevention doesn’t offer this intel because it’s only designed to block, not aid in an investigation. In practice, you should look to use prevention techniques and tools in order to keep known threats out, and layer on detection capabilities so you can find and remove new and unknown threats.
This way, if there is ever a point of failure or a gap in coverage (and there inevitably will be), your second-layer defense (detection) will kick in, keeping you in the know. Even more, detection will help you see where your gaps are anywhere in your security infrastructure so you can continuously develop more robust defenses.
Final Words . . .
It’s never been more important to have the ability to simultaneously identify intrusions, vulnerabilities, insider threats, and data loss. And not only should you have the ability to detect when anomalous activity happens, but also know exactly where it is and how to respond to it. Automated monitoring is an intelligent form of detection that not only alerts you about potential threats, but also gives you contextual and historical data to inform your response so you can get right to work.
Solutions like the Threat Stack intrusion detection platform allow you to apply this level of detection to your existing security infrastructure for end-to-end coverage and visibility. Installed at the host layer, Threat Stack is able to identify and correlate suspicious activity anywhere across your environment (cloud, hybrid, or on-premises), keeping you in the know and steps ahead of your adversaries.
If you’re interested in learning more about our solution, let us know, and we’ll set up a demo.