If your security architecture is largely based on protective measures, think again

September 3, 2023
3 minute read
security

Hardly a day goes by without news coverage of a high-profile data breach or successful attack. The affected organisations typically have security teams that do their best to secure their IT environment, though some may lack the necessary focus on security or the required security budget.

Why, then, do all these data breaches still occur? Perhaps because the majority of security teams concentrate on protective measures alone. As an industry we typically think in terms of protection, and it is also the simplest metaphor to explain to management.

Historically, security was mostly concerned with access control (remember the Bell-LaPadula model?). The underlying idea was that if you restrict each user's access to what they strictly need, the company's crown jewels are sufficiently protected.

With the arrival of the Internet, perimeter defences became a must. Everybody deployed firewalls at the perimeter, sometimes in sophisticated multi-level architectures resembling a high wall that nobody would be able to penetrate. Some years ago we learned that the idea of a hard shell with a soft inside is dead, so we segmented our networks and hardened the hosts within. In effect, we just shrank the one perimeter into several smaller perimeters.

Nowadays antivirus software is present almost everywhere and is supposed to notice any malware and block it, thus protecting us. Later, people added network intrusion detection and prevention systems to the mix, again with the aim of protecting against intrusions from the perimeter or from other networks. After the first big data breaches, people started to add sandboxing devices to their networks as yet another attempt to block malicious attackers.

The fundamental problem with this approach is that it skips over something: attackers are really clever and will find a way to get what they want, whatever the protection. In a way, cyber threats are like bacteria to the human body: they are constantly in and around us.

If we accept that fact, then the question changes from “what do we need to do to protect against an attack?” to “what do we need to do to survive the inevitable successful attack with as little damage as possible?”

If we start to think in this way, the obvious next questions (and unfortunately these aren't simple ones!) become:

The trouble with these kinds of questions is that you can't buy a shiny box to solve them: they involve people and processes, which are harder to get right than adding yet another tool.

Don’t get me wrong: I’m far from declaring protection dead, but I strongly believe that it leaves a lot uncovered if it isn’t accompanied by solid incident detection and response capabilities.
