infoTECH Feature

December 16, 2014

Improve Prevention? Or Default to Detection and Response?

As security worries rise, financial institutions are carefully deliberating how best to allocate their security investments between prevention, detection, and response.

In medieval times, the king’s security chief had a straightforward job. Find a sheer cliff, build a stone castle on its summit, and throw up a guard tower at each corner. Safe! In today’s parlance, he had solid prevention, so he didn’t have to worry as much about detection and response.

But in today’s hyper-connected world, prevention is harder. Security chiefs find their perimeters constantly assaulted and too often breached. When that happens, there had better be a strong detection framework in place, so that culprits can’t explore, corrupt, and download at their leisure, and a strong response framework to limit the reputational and economic damage.

But does that mean it’s time to forsake prevention? Here’s a top security chief in a Fortune interview in September:

The ability to actually block the bad guys from getting in, I think we’ve kind of lost that game. The real game is, how do you find them as fast as possible after they’re inside, and before they’ve stolen data? If you look at the mean time to detection for breaches last year, the average was something like 243 days. If you can reduce that to a week, you’re a world-class rock star.

Granted, the mind boggles at 243 days. Eight months inside the information vault! So yes, evicting them after a week would be real progress. But who’s to say that as hackers get better, a week isn’t plenty of time for them to download data, plant malware, or otherwise wreak havoc before they leave by the door left open for them?

Certainly that security chief’s greater point is spot on. Few companies have the detection and response capabilities they need when prevention fails. But imagine telling your board of directors you’re confident you can catch intruders inside of a week!

Better prevention is still the first order of business for these reasons:

  • Cost – Preventive security is economically sound. After one of the famous breaches, the retailer spent about $150 million to settle claims by payment card networks. Banks spent $200 million to replace cards. And who can estimate the damage to the retailer’s brand, customer trust, and subsequent sales?
  • Less Harm – Breached retailers are now committing to chip and PIN, after years of stated intentions and starts in that direction. Had this smart card technology been in place earlier, the intrusions might still have occurred, but intruders would have been unable to read sensitive information from customers’ credit cards. Prevention can take multiple forms; it doesn’t always mean hardening the perimeter.
  • The Human Weak Link – In almost every breach, a human mistake undermined what had appeared to be a reliable system. As one journalist put it, “Why bother to hack into complex security systems when it’s so much easier to hack into people?” It only takes one person unfamiliar with the bank’s security policies or willing to circumvent them (sometimes because uncalibrated security measures make it hard for employees to access data they need).

The relative ease by which hackers have gained access in the past is not an argument for opening the doors. It’s an argument for making sure you are incorporating today’s innovative, granular, purpose-designed prevention methods like these:

Security from the Inside Out means starting with the crown jewels deep inside your castle: identify your most sensitive data and assets. Then tighten security and access around them, incorporating layers of protection that are tightest around what you value most. Only when you have properly secured your most treasured and sought-after data and assets should you extend fine-grained access to selected individuals or groups of employees, customers, vendors, and others.

Containment means minimizing the inevitable compromise that comes with making valuable assets accessible. It means eliminating avenues for anyone, innocent or otherwise, to gain access to sensitive data and assets beyond what they are specifically entitled to. Thus an insider turned rogue can cause harm only to those assets to which he or she had been granted access. For example, the mobile banking app used by a high-value customer to move money would be set to access only the specific data he needs to perform that function. If the app were somehow compromised, the intruder could not see, let alone access, other areas.

Hide your endpoints. The king couldn’t hide the castle, but you can. You can make your bank’s tempting devices and transactions invisible to anybody who doesn’t need to see or access them. They can’t get in there because they don’t even know that anything is there. It’s not just about being a hardened target – you’re not even on the radar. You’re not just preventing intrusions, you’re preventing attempts.

So, to answer our title question, by all means keep recalibrating your security investments in line with today’s reality. But prevention does and should remain the first line of defense, because if and when you get prevention right, detection and response will cost a lot less.

Mr. Olson is Vice President, Global Financial Services and Mr. McCarney is Director, Global Security and Cloud Portfolio for Blue Bell, Penn.-based Unisys Corp. They can be reached at [email protected] and [email protected].




Edited by Maurice Nagle