Prevention or detection: which Is critical for defending your network?

Emad Fahmy, Systems Engineering Manager Middle East at NETSCOUT, explores what is crucial to defending a network: Prevention or detection.

There are two primary physical defenses for safeguarding a building: prevention and detection. A building can be protected by either preventing someone from entering them without permission or detecting them when they have trespassed onto the property. Although prevention is often the preferred method, however, a determined adversary can potentially gain access to a property without permission, given enough time and resources. In this scenario, detection becomes the only alternative.

The same holds for protecting assets in the digital world, especially now that the holiday season has arrived, and people are preoccupied with upcoming festivities. There are two primary defenses applied here, prevention and detection. Like in the physical world, a determined cyber adversary will gain access to any digital asset, given enough time and resources. The important question is – how quickly can you determine that an adversary has penetrated your network?

If You Can’t Prevent, You Must Discover

This is where detection comes in. It is important to assess whether the tools and procedures are set up to find attacks when they happen quickly. Unfortunately, most businesses do not. It can often take days, weeks, and even months before an attack is discovered.

The interval between breach and discovery is known as dwell time, and it is projected to be more than 200 days in most cases, and IBM says that in some cases, it can be as long as 280 days. If it takes this long to identify that an attack is underway, determining the root cause may be impossible if there is insufficient historical data to review.

As a result, it is just as important, if not more so, to invest in improving your ability to identify when a breach has occurred rather than determining when a breach is currently ongoing or determining whether a firewall or intrusion detection system rules have actively blocked an assault.

New attacks occur all the time, and bad actors are continuously devising new ways to infiltrate networks. Therefore, it is essential to realize that, eventually, a malicious actor will access your network. What will be vital in this situation is how soon you can detect that attack, whether as it occurs or shortly after or whether it is discovered weeks or months after. In the latter situation, would you have access to enough historical data to indicate when the attack began, or will that data be lost by the time the attack is detected?

Data is key

It is essential to have data from several months back to determine when the network was first broken into. Having advanced network detection and response tools is vital. These tools store all the important information, including layer 2–7 metadata and packets, to pinpoint the root cause of an attack, not just flow data, which is irrelevant.

To successfully secure a network, it is crucial to be able to understand how much historical data you are currently storing, if there is indeed enough data to go back and research the start of the attack if it occurred 200 days ago or are you going to rely on catching bad actors faster than the industry average. It is essential to understand the need for leveraging both prevention and detection capabilities and ensuring that you have enough storage to thoroughly investigate an attack when it occurs.