Defending Your Network: Detection versus Prevention

Wednesday, November 17, 2010

Robb Reck

C787d4daae33f0e155e00c614f07b0ee

Prevention versus Detection

When you think of a very secure facility, what comes to mind? I think of an imposing building, with a huge fence around it, some armed guards roaming around outside.

And what comes to mind when you think of a secure corporate network? Firewalls, IPS's, and two factor authentication are the things that jump to mind for me.

Those defenses are not enough to make a network (or a building) secure.

I am not here to argue that those defenses are bad. Certainly they are an important part of a good security scheme, but by themselves they cannot protect a building or a network. All of the protection mechanisms mentioned above are preventative in nature; meaning their goal is to stop an attack from being successfully completed.

Preventative defenses are susceptible to being defeated. Firewalls have to have some kind of access allowed, which may be used to gain a foothold. IPS's are unable to accurately categorize every packet that flies by, and two factor authentication is only as good as the implementation. Even if your preventative defenses are not breached, you may see authorized employees performing unauthorized activities. Preventative techniques are very poor at helping with that type of situation.

That's where detection systems come into play. These systems are not meant to stop a hacker from getting onto your systems, they are meant to provide evidence of who did it, when they did it, and what they did. Detective systems are what we need to count on to give us assurance about the state of our network, and to provide the relevant details when an incident takes place.

The moment a hacker makes it through your firewall, a good detective system will generate traffic that can be used to both identify that a breach occurred, as well as provide forensic evidence later to track who did what. Preventative systems are much harder to defeat because even if you manage to turn them off, that in itself should generate alerts to let you know something has happened.

Detective technologies especially shine when it comes to providing auditing on trusted employees. SIEMs can be set to watch for suspicious activities, which may be an indication of fraud, and alert on them.  Log management systems can be used to dig into the details of processes and transactions that have failed to help us figure out where things went wrong.

Log monitoring is my favorite preventative technology. These systems start with the premise that moving log files to a central logging location allows for greater security and easier reporting on issues. If a hacker manages to take over ServerA, they will not be able to wipe away evidence of their crime, because ServerA's logs are actually being held on LogServerA. Covering their tracks becomes increasingly difficult, or impossible.

Intrusion detection systems are another effective way to detect unauthorized behavior on your network. Since the IDS systems are monitoring all traffic that flows through the network, the attacker will be detected as soon as first contact is made. Even if his connection looks innocent and does not trigger an alert, that data will remain in the system to be used during investigations.

In conclusion, prevention is not enough. Our prevention systems cannot block every type of malicious activity, and we should not expect them to. Implementing high quality detective technologies gives us the kind of visibility into what's going on in our network that we can never have without them.

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Possibly Related Articles:
13928
Network->General
IDS Security Strategies Network Security Detective Systems Monitoring
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.