If most organizations were already treating protection and detection equally, attackers would not be dwelling inside target systems and networks for an average of roughly 200 days before being detected. More than six months is plenty of time for adversaries to fully achieve their goals, and then to explore, define new goals and find new targets.
Don’t misunderstand. As essential as detection is, it is not necessarily a fail-safe. But the sooner a breach is detected, the sooner you can mount a response and stop adversaries from achieving their goal, or at least limit the damage. And even if there is damage, you will at least have insight into what happened, which leaves you better placed to deal with the fallout from the current breach and to combat the next, inevitable one.
Any knowledge you can gain is to your advantage. Consider the Hillary Clinton campaign. In the wake of the hacking of the Democratic National Committee and various DNC leaders, the campaign would very much like to know exactly what was stolen. If it knew what potentially damaging information was pending release, it could prepare a response.
And detection also helps in cases that involve no malicious adversary at all. We know of a vendor employee who submitted a formal proposal by pressing “Reply All” on a message from the customer, with all of the vendor’s competitors copied. With a good detection architecture, the vendor would have learned of that misstep early, giving it the opportunity to modify its proposal before the deadline.
Admittedly, when an adversary gets past protection, the required response diverts resources and is a loss of sorts. But that is a completely different scope of loss from having to deal with an adversary that accomplishes its goal and inflicts purposeful damage. Turning back an adversary after a breach can only be done when an effective detection program is in place, and detection is what kicks off the last part of the triad: an effective reaction program.
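As an added illustration (this is not code from the column, and the log format, domains and threshold are assumptions), here is the kind of simple outbound-mail detection rule that would have flagged the “Reply All” misstep: an outbound message carrying an attachment whose recipients span more than one external domain. The sample gateway records are constructed for the example.

```python
"""
Added example (not part of the original column): a minimal outbound-mail
detection rule run over constructed mail-gateway records.

Rule: an outbound message with an attachment whose recipients span more
than one external domain gets an alert, because a proposal addressed to a
customer should not also reach third parties.
Assumed record format: message-id | sender | recipients (comma separated) | attachment yes/no
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

OUR_DOMAIN = "vendor.example"   # assumption: the sending organization's domain

# Constructed sample records (not real logs).
SAMPLE_LOG = """\
m1|alice@vendor.example|buyer@customer.example|yes
m2|alice@vendor.example|buyer@customer.example,bids@rival-one.example,sales@rival-two.example|yes
m3|bob@vendor.example|buyer@customer.example,bids@rival-one.example|no
m4|carol@customer.example|alice@vendor.example,bids@rival-one.example|yes
"""


@dataclass
class Message:
    msg_id: str
    sender: str
    recipients: List[str]
    has_attachment: bool


def parse_log(text: str) -> List[Message]:
    """Parse the pipe-separated gateway records into Message objects."""
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        msg_id, sender, rcpts, attach = line.split("|")
        msgs.append(Message(
            msg_id.strip(),
            sender.strip().lower(),
            [r.strip().lower() for r in rcpts.split(",") if r.strip()],
            attach.strip().lower() == "yes",
        ))
    return msgs


def domain(addr: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def is_outbound(msg: Message) -> bool:
    return domain(msg.sender) == OUR_DOMAIN


def external_domains(msg: Message) -> Set[str]:
    """Distinct recipient domains other than our own."""
    return {domain(r) for r in msg.recipients if domain(r) != OUR_DOMAIN}


def flag_multi_party_leak(msgs: List[Message],
                          max_external_domains: int = 1) -> List[Tuple[str, List[str]]]:
    """Return (message id, sorted external domains) for outbound messages with
    an attachment that reach more than max_external_domains external domains."""
    flagged = []
    for m in msgs:
        if not is_outbound(m) or not m.has_attachment:
            continue
        ext = external_domains(m)
        if len(ext) > max_external_domains:
            flagged.append((m.msg_id, sorted(ext)))
    return flagged


def run(text: str = SAMPLE_LOG) -> List[Tuple[str, List[str]]]:
    return flag_multi_party_leak(parse_log(text))


if __name__ == "__main__":
    for msg_id, domains in run():
        print(f"ALERT {msg_id}: attachment sent to {len(domains)} external domains: "
              f"{', '.join(domains)}")
```

On the sample records only m2 fires: it is outbound, carries an attachment and reaches three external domains. m3 is skipped because the attachment condition is a precision choice (drop it and m3 is flagged too, at the cost of more false positives), and m4 is inbound. Note that this is detection, not prevention: the alert arrives after the message has left, which is exactly the early warning the column says would have let the vendor revise its proposal before the deadline.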