Risk reduction is often associated with prevention only. Effective security, however, also needs detection and response. Those three (prevention, detection, response) are the fundamental pieces of the process oriented approach to IT security, which allows us to effectively reduce the risk and is the subject of this article.
Risk and Countermeasures
Let’s assume that the risk has been identified. Then the decision about risk handling needs to be made. The risk can be:
a) reduced (countermeasure implemented)
b) accepted (no countermeasure; cost of potential loss accepted)
c) transferred (risk is transferred to the insurance company)
d) avoided (the activity which leads to the risk is stopped)
This article is about risk reduction, so it’s assumed that a countermeasure will be implemented. As mentioned at the very beginning of the article, risk reduction is often associated with prevention only. It would work fine if prevention countermeasures were perfect, but reality is different. We need to assume that the attacker will be able to bypass prevention countermeasures, and we need a way to detect the attacker if this happens. Here we come to defense in depth thinking.
Defense in depth thinking
We need to change our way of thinking. Remember that complexity is the worst enemy of security. Modern security systems are complex, and it is reasonable to assume that someone will be able to bypass their protections. It doesn’t mean, however, that there is no hope for defenders. The defenders can implement detection countermeasures in order to detect the attacker who bypassed prevention countermeasures. This is how defense in depth works.
When prevention only is implemented, the attacker has only one obstacle to overcome. When prevention and detection are implemented, the attacker has to bypass two obstacles, which is more difficult. From the defender’s point of view, the probability of catching the attacker increases when prevention is used together with detection. Thus the risk is reduced.
One can say at this point that detection can also be bypassed. It’s absolutely true. However, it doesn’t mean that detection is useless. Detection still can be used (and should be used) in order to try to detect if something bad is going on. I used the word ‘try’ intentionally in the last sentence. Think about IDS (Intrusion Detection System) for example. This system detects known attacks (signatures used for detection) and tries to detect unknown attacks (heuristic approach). That’s why there is no guarantee to detect the attacks. Although detection is not perfect, the risk decreases when detection is implemented. Thus, implementing detection makes sense.
Real world analogies
Let’s analyze some real world examples to better understand why prevention and detection is better than prevention only. Think about an alarm in a company environment. One could say, for example, that locks in the doors (prevention) are enough, and we don’t need to spend money on anything else. In reality, many companies have also alarms (detection). Why do they spend extra money on alarms? They know that the intruder can break into the building and then alarms will detect the presence of the intruder. Thus, the assumption is that prevention countermeasures can be bypassed. As we can see, defense in depth thinking is also applied in the real world.
Let’s discuss also another example, which will be continued in the next section of the article: an alarm in the car. Why do we use alarms in our cars? We want to know if someone has broken into our car. Again, we assume that prevention can be bypassed and we implement detection.
Don’t forget about the response
It’s important to realize that detection itself is useless if there is no response. Think about the case of an alarm in the car from the previous section. It’s fine when an alarm detects that something bad is going on. However, it’s only a notification that something is going on. There has to be a response (we don’t want the thief to steal our car). We need to go to the car and stop the thief. And we need to do it quickly, so the response has to be fast.
This is a process
It has been presented so far, that prevention should be used together with detection and response. We need to remember that those three (prevention, detection, response) should be used in a continuous manner. They can not be switched off when employees go home. Security is a continuous, ongoing process. There is no alternative when we want to have effective security. We have to be able to respond to the security incident in the dead of the night. If something bad is going on at night and we wait until 8 AM, then it will be probably too late. If we don’t respond immediately, the attacker may have enough time to steal interesting information from our company. Prevention, detection and response are the fundamental pieces of the process oriented approach to IT security, which allows us to implement effective security in our companies.
It was presented why risk reduction should not be associated with prevention only. Modern systems are complex and this complexity is the worst enemy of security. Thus, it is reasonable to assume that prevention can be bypassed. That’s why we should implement detection, to detect the attacker who bypassed prevention (this is basically how defense in depth works). Prevention and detection are not perfect, but reduce the risk more effectively when used together (then the attacker has two obstacles to overcome). It needs to be remembered that detection is useless without response and this response needs to be quick to stop the attacker before it’s too late. Security is an ongoing, continuous process based on prevention, detection and response, and the process oriented approach to IT security allows us to implement security effectively.