PREVENTION VS DETECTION? THE ANSWER IS UNDERSTANDING
There is an ongoing discussion within the security and compliance community (fueled by vendors) about the value of preventing attacks outright versus the value of detecting them once they have penetrated defenses. Those who tout prevention point out that once an attack has penetrated an IT environment it is often too late to protect the data. Those who push detection point out that prevention will never be 100% effective, so it is more important to recognize a compromise quickly so it can be isolated and remediated. The obvious answer is that both are important; neither can be truly effective without the other. The problem, however, is that neither is being executed effectively. The constant disclosure of major breaches, in which attackers typically operate undetected for months, demonstrates consistent failures of both prevention and detection among our nation's largest enterprises. If attempts at both prevention and detection fail, what then should we focus on? I would argue the answer is understanding.
The process of securing large IT networks has become a convoluted mess. There are so many security products, so much data to be collected, so many variables to be controlled, and so much at stake that understanding it all has become a major challenge. Simply knowing what assets you have, how they may be vulnerable, and what protective measures are in place for them is difficult. Collecting, correlating, and analyzing the ocean of security data those products generate is a further headache in itself.
State-of-the-art prevention solutions work well if they are configured correctly and the organization can afford them. They become useless, however, if you do not know how they may be circumvented or bypassed, or once attackers find a new way to steal data. Detection is too little, too late if you are not able to locate, isolate, and remediate an attack immediately. Ultimately, both will fail without an in-depth understanding of the IT environment and detailed insight into the activity within it. I hear a lot of feedback from security professionals who spend a ridiculous amount of time just collecting data. Organizations with many remote locations struggle to efficiently transfer data back to headquarters where it can be analyzed. If the data does make its way back to security professionals, there is so much of it, from so many different locations, that discerning anything important from it is a near impossible task.
Detection and prevention are important, but a third dimension is needed. Solutions that offer understanding of security and compliance, such as AristotleInsight from Sergeant Laboratories, act as accountants for security processes. Just as Luca Pacioli and double-entry bookkeeping revolutionized the practice of financial accounting, solutions that provide understanding and track security configurations and processes have the power to change the way we approach the security of our valuable information.
AristotleInsight is a big data security analytics solution implementing the UDAPE model. The solution collects, links, and organizes security data in order to establish baselines, conduct user behavior analysis, recognize anomalies, and detect advanced persistent threats.
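To make the baseline-and-anomaly idea concrete, the following is an added illustration written for this page; it is not code from AristotleInsight, Sergeant Laboratories, or the UDAPE model, and it makes no claim about how that product works. It builds a per-user profile (hosts logged into and the hour range in which logins occur) from a constructed training window of authentication events, derives an asset list from the same data, and then scores a later window against the profile. The event format, field names and sample records are all constructed for the example.

```python
"""Per-user baselines and anomaly scoring over authentication events.

Added example for this page; constructed sample data, not AristotleInsight
or UDAPE code.  Event format (assumed): "<ISO timestamp> <user> <host> <result>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window: what "normal" looks like for each user.
BASELINE_EVENTS = """\
2016-03-01T08:15:00 alice WS-ALICE success
2016-03-01T09:02:00 alice WS-ALICE success
2016-03-02T08:40:00 alice WS-ALICE success
2016-03-02T17:55:00 alice WS-ALICE success
2016-03-03T08:05:00 alice WS-ALICE success
2016-03-01T07:50:00 bob WS-BOB success
2016-03-01T13:10:00 bob FILESRV01 success
2016-03-02T07:45:00 bob WS-BOB success
2016-03-03T07:58:00 bob WS-BOB success
2016-03-03T14:20:00 bob FILESRV01 success
"""

# Constructed later window to be scored against the baseline.
NEW_EVENTS = """\
2016-03-10T08:20:00 alice WS-ALICE success
2016-03-10T02:41:00 alice DC01 success
2016-03-10T02:42:00 alice DC01 success
2016-03-10T09:00:00 bob FILESRV01 success
2016-03-10T09:01:00 carol WS-CAROL success
"""


def parse_events(text):
    """Parse the whitespace-separated event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result})
    return events


def build_baseline(events):
    """Per-user profile: hosts seen, earliest/latest login hour, event count."""
    baseline = defaultdict(lambda: {"hosts": set(), "min_hour": 24,
                                    "max_hour": -1, "count": 0})
    for e in events:
        if e["result"] != "success":   # failed logins do not define "normal"
            continue
        p = baseline[e["user"]]
        p["hosts"].add(e["host"])
        p["min_hour"] = min(p["min_hour"], e["ts"].hour)
        p["max_hour"] = max(p["max_hour"], e["ts"].hour)
        p["count"] += 1
    return dict(baseline)


def known_assets(baseline):
    """The asset inventory implied by the baseline: every host anyone logged into."""
    return set().union(*(p["hosts"] for p in baseline.values()))


def score_event(event, baseline):
    """Return the reasons an event deviates from its user's baseline ([] = normal)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return [f"user {event['user']} has no baseline"]
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append(f"new host {event['host']}")
    hour = event["ts"].hour
    if not profile["min_hour"] <= hour <= profile["max_hour"]:
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons


def find_anomalies(new_events, baseline):
    """List of (event, reasons) for every event that deviates from baseline."""
    anomalies = []
    for e in new_events:
        reasons = score_event(e, baseline)
        if reasons:
            anomalies.append((e, reasons))
    return anomalies


if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_EVENTS))
    print("assets seen:", sorted(known_assets(base)))
    for e, reasons in find_anomalies(parse_events(NEW_EVENTS), base):
        print(e["ts"].isoformat(), e["user"], e["host"], "->", "; ".join(reasons))
```

Run as-is, the script flags alice's two 02:41/02:42 logins to DC01 (a host she has never used, at an hour she has never worked) and carol's login (no baseline at all), while bob's 09:00 login to FILESRV01 passes because both the host and the hour are within his profile. The caveat a practitioner should keep in mind is the one the article itself raises: if an intruder was already active during the training window, their activity becomes part of "normal", so the baseline period must be chosen and reviewed with the same care as the detection rules built on top of it.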