Detection vs Prevention: The Defender’s Dilemma
In this interview with Dark Reading at Black Hat 2016, Brian Gillooly and Roger Thornton discuss AlienVault's take on the detection vs. prevention debate that often occurs within the security community.
BRIAN: I will tell you, I have actually lived both sides, right? So if you are of the belief that, “Hey, we don't need this detection stuff, because if we just got it right, we would keep the bad guys out,” I would say, “You probably haven't been in the security business for a long time.” When I was in the security business, that was how I felt. I worked at and founded a company called Fortify Software, and I truly believed in my heart of hearts that if we just made the software more robust, then it would be resilient to attack and everything would be fine. But after you spend enough time in security, and you take an interest and passion and you start reading, there is a game theory concept called the defender's dilemma, and it is about keeping a bad guy out. This is not just true for computers. It could be in the physical world, too: you are in the cockpit of an airplane, or a military base, or a bank vault. To keep the bad guy out, you as a defender have this big disadvantage in that the bad guy gets to choose where, when, and how he attacks. So you need to be on your game and perfect at all times, at every place, against every method. It is just not ever going to work out that way. One of the things I learned when I was at Fortify, where we had a lot of big banks and DoD as customers, is that a more sophisticated approach to security is: I am going to try my best to keep people out, but I am not going to constrict the flow of business, because to truly keep everyone out, I would kill the business. So I will try my best, but I will be really good at detection, and the reason for that is the inevitable break-in. It flips the odds. So I go from these odds stacked against me with the defender's dilemma to: there is now a bad guy in my environment, the environment I control completely, and that bad guy is a stranger in a strange land, so they are going to have to look around, snoop around, move around, and find the precious things they are trying to steal.
ROGER: And with the detection approach, you also know a little bit more about that adversary than you would have had you not had that opportunity.
BRIAN: So this is why I personally went from naively believing that, “Boy, if protection was done right, we would get it perfect,” to the point where you need both, right? If you were to leave your enterprise completely wide open with just detection, it would melt, because there would be so many demands on it. So we try to do effective protection, and of course, you see a lot of companies have the circle. It feeds itself: good prevention, great detection, which improves the prevention, and it is a never-ending game.