There's a trend underway in the information security field to shift from a prevention mentality -- in which organisations try to make the perimeter impenetrable and avoid breaches -- to a focus on rapid detection, where they can quickly identify and mitigate threats.
Some vendors are already addressing this shift, and some security executives say it's the best way to approach security in today's environment. But there are potential pitfalls with putting too much emphasis on detection if it means cutting back on prevention efforts and resources.
Clearly, rapid detection is gaining traction. Research firm IDC has designated a new category for products that can detect stealthy malware-based attacks designed for cyber-espionage ("Specialised Threat Analysis and Protection") and expects the market to grow from about $200 million worldwide in 2012 to $1.17 billion by 2017.
The thinking behind a shift in security approach is that it's impossible to keep out everything, so companies should focus on quickly detecting and mitigating threats. While it doesn't mean abandoning prevention, it suggests companies devote more resources to detection and remediation than they have in the past, with the understanding that breaches are going to happen.
"Prevention is a great strategy when it works. But unfortunately no preventative measure can be completely effective," says Timothy Ryan, managing director of the Cyber Investigations practice at Kroll Advisory Solutions, a provider of risk mitigation products and services.
"For that reason, companies cannot rely on prevention and protection alone," Ryan says. They must also rely on an information security plan that blends technology and processes to identify and respond to compromises quickly. The right tools and processes often reduce the time and cost of an investigation, he says.
"Rapid detection and efficient, effective response is the new prevention," says David Scholtz, CEO of Damballa, a security technology provider. "The mindshift here is what's being prevented. We can no longer prevent our networks and systems from becoming infected, but we can prevent those infections from growing and evolving to become damaging breaches."
Organisations can do this by discovering threats that successfully bypass layers of prevention and cutting them down before they do damage, Scholtz says. "Today, you can continue to add prevention-based solutions to an already fortified yet disappearing perimeter, but it's the small percentage of threats that get through that then equate to 100% of your risk," he says.
Cyber criminals are using more sophisticated methods to evade detection, Scholtz says. "They are leveraging these methods precisely because they can easily switch attack vector, or slightly tweak their malware, and instantly they're again undetectable by traditional prevention methods," he says.
It doesn't matter if an intruder is a trusted insider or a meticulous attacker who has engineered a way in through persistent and crafty means, says Vincent Berk, CEO of FlowTraq, a network security provider. "The bottom line is that hackers are already in your network," he says. "Once businesses reach this realisation, they will automatically start shifting their defensive philosophy from perimeter defense to defense-in-depth."
This shift in thinking puts more emphasis on careful collection of system logs and traffic records, and focuses on detecting what's unusual in the network, Berk says. "Large data transfers, unusual access patterns or reconnaissance behavior are all signs of somebody already on the inside searching for the crown jewels," he says.
But not everyone thinks the shift in security mindset is a good idea.
"I think the idea of switching from a prevention strategy to a detection one is a false dichotomy," says Wendy Nather, research director, security, at 451 Research. "First of all, because prevention tends to be more automated and therefore cheaper than detection. Second, because detection is just as imperfect as prevention. People may complain that antivirus misses a lot of malware, but so do intrusion detection systems. Firewalls and SIEMs are only as good as the experts who configure them, no matter which generation' they purport to be."