At the Gartner Security and Risk Management Summit in National Harbor, Sid Deshpande, a Gartner security analyst, talked about how organizations are most willing to spend on information security immediately after a breach. In doing so, businesses often end up spending more than they need to on security, while getting less return on investment in terms of reduced risk.
There is also a heavy focus on detection and response technologies. This is understandable – real-time detection and response solutions are at the frontline of a security stack. They are the last line of defense and the first step in recovery after an incident, and their absence is most acutely felt when attacks happen. However, the problem is that too many cloud security teams are depending almost exclusively on their last line of defense/first responder. This should not be the case.
Public cloud customers need to start spending their money on, and allocating resources to, vital prevention measures when times are good. They need to learn to be skeptical of sunny days and be ready for the rain before a single drop ever falls.
Investing Proactively In Prevention Is The Best “Umbrella” You Can Buy
Strong detection and response technologies and processes should be part of the security toolkit for any environment. At the same time though, it’s crucial not to skimp on the other pillars of security that are easily overlooked – security posture assessments, compliance management, tamper protection, IAM audits, etc. By spending a dollar on prevention, auditing and intentional security training, you will get a better overall return than you would if that same cash had gone toward additional detection and response.
Why? I’m glad you asked! Three reasons:
#1: The best way to win a battle is without ever firing a single shot
You can put preventative measures in place at a low-adrenaline time, when the ball is in your court and the pressure is low. Responding to incidents as they occur usually happens at a time when the alarm is blaring and stress levels are through the roof. Winning is good, but with appropriate prevention, you would not even have to fight!
Here’s a simple example: in data exposure and datajacking incidents on AWS, attackers get their hands on databases and S3 buckets that have been left exposed to the public, steal sensitive information, and hold companies hostage.
Detecting and responding to these incidents is important. But many of these incidents result from misconfigured security policies in the first place. If these companies had spent the money they have stored away to confront a breach on preventing that breach in the first place, none of that hassle and staggering heroics would ever have been necessary.
#2: Fast May Not Be Fast Enough
In public cloud environments, an attacker with automated scripts can wreak havoc within seconds of gaining unauthorized access to an environment. Code Spaces and the recent database encryption attacks are good examples of this. This means that the window of opportunity to respond to an attack after it happens is getting smaller and smaller.
A strong defensive posture can help mitigate the effects of these attacks by both preventing them from occurring in the first place, and reducing the blast radius of impact if and when they do occur.
When it comes to this type of attack, fast is never fast enough. No matter how good your security team’s detection and response tools and procedures are, they will be more effective in terms of overall loss mitigation with a powerful, proactive defense upfront.
#3: It’s Good To Prepare for The “Unknown Unknowns”
Prevention is proactive, while detection and response are reactive. According to Gartner, known vulnerabilities will account for an overwhelming majority of breaches in the coming years. Preventive measures can protect against known vulnerabilities while allowing organizations to deal with the “unknown unknowns”.
It might be a cliche, but in this space the best offense is a good defense. The list of potentially devastating public cloud attacks is growing all the time. The cost of building strong preventative walls, carrying out diligent audits, and consistently providing your teams with the latest training may seem high now. But it is nothing compared to the cost of letting an unknown threat into your system and simply hoping you are ready to deal with it.
Sometimes when the rain pours all you get is wet, but sometimes you catch pneumonia. That’s why you need to do the smart thing and get yourself a good umbrella rather than just investing in cough drops and a wardrobe of dry shirts to change into. Even if the forecast is full of sunshine, when the clouds roll in you’ll always be glad you brought it.