Paradigm Shift in Information Protection: Moving from Prevention to Detection

Key Elements of Security

All of us (at least those of us who are security specialists) believe that security consists of three key elements:

  1. Prevention
  2. Protection
  3. Response

Security Incidents: Externally vs. Internally Caused Incidents

Furthermore, we all believed that most security incidents, around 70% according to an older FBI survey, were caused by employees, or at least by people inside the organisation, without distinguishing whether these were fraudulent activities or accidents.

Now things have changed. I do not have an exact number from a survey, but a lot of people now believe that the ratio is 30% from the inside and 70% from the outside.

What is the conclusion? Looking at this, a lot of people believe that the reduction in internally caused incidents is the result of better prevention and awareness campaigns.

Looking at the information available on the internet, we have to conclude that the absolute number of internally caused security incidents is still the same, while the number of externally caused security incidents has increased dramatically.

Advanced Persistent Threats

The acronym APT was not used until 2005, when it was coined by the US government. I do not want to describe the nature of an APT in detail – that has been done often enough – but I would like to point out that it becomes more and more difficult to prevent your infrastructure from being penetrated. Because APTs result in low and slow intrusions, they are also really difficult to detect.

When it comes to an intrusion there are two key elements you can deal with:

  1. Time to Detection
  2. Mean Time to fix

The ultimate goal is to reduce both times to a minimum, which in turn reduces your information leakage: the longer an intruder stays undetected and unremediated, the longer the exposure window.
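To make the two metrics concrete, here is an added example (not from the original post) that computes Time to Detection, Mean Time to Fix and the resulting exposure window from a small set of constructed incident records; the record format, field names and timestamps are assumptions for illustration. It also handles the case of an incident that is detected but not yet fixed, which the post's metrics leave open.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (hypothetical, not from the post). Each holds the
# estimated time of initial compromise, the time it was detected, and the time
# it was fixed (None = still open).
INCIDENTS = [
    {"id": "INC-1", "compromised": "2024-01-02T08:00", "detected": "2024-01-02T20:00", "fixed": "2024-01-03T08:00"},
    {"id": "INC-2", "compromised": "2023-11-15T00:00", "detected": "2024-02-10T09:30", "fixed": "2024-02-14T17:00"},
    {"id": "INC-3", "compromised": "2024-03-01T12:00", "detected": "2024-03-20T10:00", "fixed": None},
]
NOW = "2024-03-21T10:00"  # reporting time, used for incidents still open


def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def time_to_detection(incident):
    """Hours between initial compromise and detection (dwell time)."""
    c, d = _parse(incident["compromised"]), _parse(incident["detected"])
    return (d - c).total_seconds() / 3600


def time_to_fix(incident):
    """Hours between detection and fix; None while the incident is still open."""
    d, f = _parse(incident["detected"]), _parse(incident["fixed"])
    return None if f is None else (f - d).total_seconds() / 3600


def exposure_hours(incident, now):
    """Total leakage window: compromise until fix, or until `now` if still open."""
    end = _parse(incident["fixed"]) or now
    return (end - _parse(incident["compromised"])).total_seconds() / 3600


def metrics(incidents, now_iso):
    """Aggregate the post's two metrics plus the exposure they imply."""
    now = _parse(now_iso)
    ttd = [time_to_detection(i) for i in incidents]
    fixes = [t for t in (time_to_fix(i) for i in incidents) if t is not None]
    return {
        "mean_time_to_detection_h": mean(ttd),
        "mean_time_to_fix_h": mean(fixes) if fixes else None,  # open incidents excluded
        "open_incidents": sum(1 for i in incidents if i["fixed"] is None),
        "total_exposure_h": sum(exposure_hours(i, now) for i in incidents),
    }


if __name__ == "__main__":
    print(metrics(INCIDENTS, NOW))
```

Note how the open incident INC-3 still adds to the exposure total even though it is excluded from Mean Time to Fix; tracking it only by the fix metric would hide ongoing leakage.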

Conclusion

Let’s gather some facts I described in my posting:

  1. Threats from the outside (cyber threats) are increasing dramatically
  2. Intrusion Techniques evolve – APT is reality
  3. Prevention is not effective
  4. Detection is the only solution against APT

The only conclusion I can come to is that organizations that want to achieve a reasonable “amount” of security need to focus on detection and shift their capabilities accordingly.

You might want to walk through the Prezi attached.