Detection versus prevention architecture in cyber security; this is akin to a religious war. There are those in the camp of detection only, and they say that prevention isn’t possible. There are those in the prevention camp and they say that prevention is the only true way to do cyber security.
We think that prevention is possible. The problem is the elephant in the room that nobody wants to discuss; false positives. This is the rule that makes us put ‘any any’ at the end of our firewall rule.
We can avoid this by understanding the problem in a mathematical way. Here’s the reality. Hand on heart, we understand that if you slow the business down to a crawl because of a false positive, you’re going to have a very uncomfortable conversation with the business.
My suggestion is to have that uncomfortable conversation now: ask the business how much downtime we can tolerate. That might be a scary question to those in cyber, but the reality is the CEO, the CFO, they already know this calculation. They know the number. There are multiple factors that lead to downtime in the business. I’m recording this at a time when the coronavirus is running rampant around the world.
Employees get sick, they go on strike. The weather causes impacts to many businesses. Once you understand what that number is, and you could be pleasantly surprised, it could be three or four minutes a month. It could be just a few seconds. It almost doesn’t matter. The reality is, once you understand what that number is, collaborate with your vendors, get the smartest people you can in a room, and engineer an SLA that satisfies the business needs with a full prevention architecture.
I guarantee you prevention is possible. I work at an enterprise organization where we are entirely in prevention mode, and yet we flourish as a business. Thousands of employees, billions in revenue situated in the Middle East, surrounded by hostile threats, many attacks, and yet we flourish.
How have we been able to do this? Because we don’t ask if we’re going to get false positives. We ask, when we get a false positive, what can we do to mitigate it in the shortest time possible and never repeat that same false positive again. This is how you architect your solution in prevention-only mode. For more information about threat prevention, read our white papers on Cyber Talk.
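The approach described above has three measurable parts: an agreed monthly downtime budget, a per-incident time-to-mitigate SLA derived from it, and a rule that the same false positive is never blocked twice. The following Python model is an added illustration, not code from the Cyber Talk post or from any vendor product; the availability figure, rule names, addresses and event list are all constructed, and a real deployment would feed the same logic from firewall or EDR logs rather than from an inline list.

```python
"""Prevention-mode false-positive budget model (added example, constructed data).

Default-deny gate: a rule match blocks unless that exact (rule, src, dst) was already
confirmed as a false positive and recorded as an exception. Each confirmed false
positive costs mitigation time, which is charged against the downtime budget the
business agreed to.
"""
from dataclasses import dataclass, field

MONTH_SECONDS = 30 * 24 * 3600


def downtime_budget_seconds(availability_pct: float) -> float:
    """Monthly downtime a given availability target allows (99.99% -> 259.2 s)."""
    return MONTH_SECONDS * (1 - availability_pct / 100)


def mitigation_sla_seconds(budget_s: float, expected_false_positives: int) -> float:
    """Time-to-mitigate target per false positive so the monthly budget holds."""
    if expected_false_positives <= 0:
        return budget_s
    return budget_s / expected_false_positives


@dataclass
class PreventionGate:
    budget_s: float
    exceptions: set = field(default_factory=set)  # (rule, src, dst) confirmed benign
    downtime_s: float = 0.0
    repeats: int = 0  # times the same false positive was mitigated twice (should stay 0)

    def decide(self, rule: str, src: str, dst: str) -> str:
        """Prevention mode: block on match unless an exception already exists."""
        return "allow" if (rule, src, dst) in self.exceptions else "block"

    def mitigate(self, rule: str, src: str, dst: str, seconds_to_fix: float) -> None:
        """Record a confirmed false positive: add the exception, charge the downtime."""
        key = (rule, src, dst)
        if key in self.exceptions:
            self.repeats += 1
        self.exceptions.add(key)
        self.downtime_s += seconds_to_fix

    def budget_remaining_s(self) -> float:
        return self.budget_s - self.downtime_s


# Constructed events: (rule, src, dst, traffic_is_benign, seconds_to_mitigate).
# Addresses are documentation ranges; rule names are hypothetical.
SAMPLE_EVENTS = [
    ("block-smb-outbound", "10.0.1.5", "203.0.113.10", False, 0),
    ("block-unknown-tls", "10.0.2.7", "198.51.100.20", True, 90),  # new SaaS vendor
    ("block-unknown-tls", "10.0.2.7", "198.51.100.20", True, 90),  # same flow again
    ("block-dns-tunnel", "10.0.3.9", "192.0.2.53", True, 60),      # chatty monitoring agent
    ("block-smb-outbound", "10.0.1.5", "203.0.113.10", False, 0),
]


def simulate(events=SAMPLE_EVENTS, availability_pct: float = 99.99, expected_fp: int = 4) -> dict:
    """Run the gate over events and report how prevention-only mode performed."""
    gate = PreventionGate(downtime_budget_seconds(availability_pct))
    sla = mitigation_sla_seconds(gate.budget_s, expected_fp)
    summary = {"blocked_malicious": 0, "false_positives": 0,
               "allowed_by_exception": 0, "sla_breaches": 0}
    for rule, src, dst, benign, fix_s in events:
        if gate.decide(rule, src, dst) == "allow":
            summary["allowed_by_exception"] += 1  # the fix stuck: no repeat outage
            continue
        if benign:
            summary["false_positives"] += 1
            gate.mitigate(rule, src, dst, fix_s)
            if fix_s > sla:
                summary["sla_breaches"] += 1  # mitigated, but slower than the SLA allows
        else:
            summary["blocked_malicious"] += 1
    summary["downtime_s"] = gate.downtime_s
    summary["budget_remaining_s"] = round(gate.budget_remaining_s(), 1)
    summary["within_budget"] = gate.downtime_s <= gate.budget_s
    summary["repeated_false_positives"] = gate.repeats
    return summary


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Two points the run makes visible: the second `block-unknown-tls` event is allowed by the recorded exception rather than blocked again, which is the "never repeat the same false positive" rule in code, and the first mitigation (90 s against a 64.8 s per-incident SLA) shows up as an SLA breach even though the month as a whole stays inside the 259.2 s budget, which is the kind of number to bring to the conversation with the business.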