1. Introduction

Risk reduction is often associated with prevention only. Effective security, however, also needs detection and response. Those three (prevention, detection, response) are the fundamental pieces of the process-oriented approach to IT security, which allows us to reduce risk effectively and is the subject of this article.

2. Risk and Countermeasures

Let’s assume that a risk has been identified. Then a decision about how to handle it needs to be made. The risk can be:

a) reduced (a countermeasure is implemented)
b) accepted (no countermeasure; the cost of the potential loss is accepted)
c) transferred (the risk is transferred to a third party, e.g. an insurance company)
d) avoided (the activity which leads to the risk is stopped)

This article is about risk reduction, so it’s assumed that a countermeasure will be implemented. As mentioned at the very beginning of the article, risk reduction is often associated with prevention only. That would work fine if preventive countermeasures were perfect, but reality is different. We need to assume that the attacker will be able to bypass preventive countermeasures, and we need a way to detect the attacker if this happens. Here we come to defense in depth thinking.

3. Defense in depth thinking

We need to change our way of thinking. Remember that complexity is the worst enemy of security. Modern security systems are complex, and it is reasonable to assume that someone will be able to bypass their protections. It doesn’t mean, however, that there is no hope for defenders. The defenders can implement detection countermeasures in order to detect the attacker who has bypassed the preventive countermeasures. This is how defense in depth works.

When prevention only is implemented, the attacker has only one obstacle to overcome. When prevention and detection are implemented, the attacker has to bypass two obstacles, which is more difficult. From the defender’s point of view, the probability of catching the attacker increases when prevention is used together with detection. Thus the risk is reduced.

4. Bypassing detection

One can say at this point that detection can also be bypassed. It’s absolutely true. However, it doesn’t mean that detection is useless. Detection can still be used (and should be used) in order to try to detect whether something bad is going on. I used the word ‘try’ intentionally in the last sentence. Think about an IDS (Intrusion Detection System), for example. This system detects known attacks (signatures are used for detection) and tries to detect unknown attacks (a heuristic approach). That’s why there is no guarantee that an attack will be detected. Although detection is not perfect, the risk decreases when detection is implemented. Thus, implementing detection makes sense.
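To make the signature-versus-heuristic distinction concrete, here is a small added example (not code from the article) that runs both kinds of detection over constructed log lines: a known attack string is caught by a signature, a burst of failed logins is caught by a heuristic threshold, and a slower probe from a third host stays below that threshold and is missed, which is exactly the "no guarantee" the section describes. The log format, hosts and threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the article), format: source status "request".
# 10.0.0.5 sends a known SQL-injection string, 10.0.0.7 hammers the login form,
# 10.0.0.9 probes slowly enough to stay under the heuristic threshold.
SAMPLE_LOGS = [
    '10.0.0.5 200 "GET /item?id=1 UNION SELECT user,pass FROM users"',
    '10.0.0.7 401 "POST /login"',
    '10.0.0.7 401 "POST /login"',
    '10.0.0.7 401 "POST /login"',
    '10.0.0.7 401 "POST /login"',
    '10.0.0.9 401 "POST /login"',
    '10.0.0.9 200 "GET /"',
    '10.0.0.9 401 "POST /login"',
]

LOG_RE = re.compile(r'^(?P<src>\S+) (?P<status>\d{3}) "(?P<req>[^"]*)"$')
# Signatures: patterns of attacks that are already known.
SIGNATURES = {"sqli-union": re.compile(r"UNION\s+SELECT", re.IGNORECASE)}


def parse(line):
    m = LOG_RE.match(line)
    return (m["src"], int(m["status"]), m["req"]) if m else None


def signature_hits(lines):
    """Known attacks: every request is matched against the signature set."""
    hits = {}
    for src, _, req in filter(None, map(parse, lines)):
        for name, pat in SIGNATURES.items():
            if pat.search(req):
                hits.setdefault(src, set()).add(name)
    return hits


def heuristic_hits(lines, max_failures=3):
    """Unknown attacks: flag sources with an unusual number of 401 responses.
    The threshold is the blind spot: a slow attacker below it is not flagged."""
    failures = Counter(src for src, status, _ in filter(None, map(parse, lines)) if status == 401)
    return {src for src, n in failures.items() if n > max_failures}


def detect(lines, max_failures=3):
    """Combine both approaches; returns {source: set of reasons}."""
    alerts = signature_hits(lines)
    for src in heuristic_hits(lines, max_failures):
        alerts.setdefault(src, set()).add("excessive-login-failures")
    return alerts
```

Running `detect(SAMPLE_LOGS)` flags 10.0.0.5 and 10.0.0.7 but not 10.0.0.9: detection lowers the risk without removing it, which is why the response layer in the later sections still matters.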

5. Real world analogies

Let’s analyze some real world examples to better understand why prevention and detection together are better than prevention only. Think about an alarm in a company environment. One could say, for example, that locks on the doors (prevention) are enough, and we don’t need to spend money on anything else. In reality, many companies also have alarms (detection). Why do they spend extra money on alarms? They know that an intruder can break into the building, and then the alarm will detect the intruder’s presence. Thus, the assumption is that preventive countermeasures can be bypassed. As we can see, defense in depth thinking is also applied in the real world.

Let’s also discuss another example, which will be continued in the next section of the article: a car alarm. Why do we use alarms in our cars? We want to know if someone has broken into our car. Again, we assume that prevention can be bypassed, and we implement detection.

6. Don’t forget about the response

It’s important to realize that detection itself is useless if there is no response. Think about the car alarm from the previous section. It’s fine when the alarm detects that something bad is going on. However, it’s only a notification that something is going on. There has to be a response (we don’t want the thief to steal our car). We need to go to the car and stop the thief. And we need to do it quickly, so the response has to be fast.

7. This is a process

So far it has been argued that prevention should be used together with detection and response. We need to remember that those three (prevention, detection, response) should be used in a continuous manner. They cannot be switched off when employees go home. Security is a continuous, ongoing process. There is no alternative when we want to have effective security. We have to be able to respond to a security incident in the dead of the night. If something bad is going on at night and we wait until 8 AM, then it will probably be too late. If we don’t respond immediately, the attacker may have enough time to steal valuable information from our company. Prevention, detection and response are the fundamental pieces of the process-oriented approach to IT security, which allows us to implement effective security in our companies.

8. Summary

This article has explained why risk reduction should not be associated with prevention only. Modern systems are complex, and this complexity is the worst enemy of security. Thus, it is reasonable to assume that prevention can be bypassed. That’s why we should implement detection, to detect the attacker who has bypassed prevention (this is basically how defense in depth works). Prevention and detection are not perfect, but they reduce the risk more effectively when used together (the attacker then has two obstacles to overcome). It needs to be remembered that detection is useless without response, and this response needs to be quick to stop the attacker before it’s too late. Security is an ongoing, continuous process based on prevention, detection and response, and the process-oriented approach to IT security allows us to implement security effectively.