http://blog.clearnetsec.com/articles/2007/02/28/unbalanced-reliance-on-prevention en-us 40 <p> On my last several ‘exit calls’ for security assessments I’ve wanted to ask the customer if they had anything alerting them to the activities performed. </p> <p> The obvious need for detection is a tiresome mantra to repeat, given that <b><i>prevention will always fail</i></b>. In fact, is it not better to log all activities (e.g. syslog, netflow, successful sessions, etc.) in spite of using prevention tools? If knowing you’ve been compromised is a better state that not knowing, then isn’t it better to pay appropriate attention to all the events versus haphazardly trusting prevention solutions? </p> <img src="http://blog.clearnetsec.com/files/iStock_000002497333XSmall.jpg" align="right"> <p> I just finished an external security assessment for a Bank which had an IPS enabled firewall. They requested two rounds of scanning: one with the IPS features enabled and the other with them disabled. Results: no difference. This from normal to aggressive scanning (full 65k scans, full vuln. scans from multiple tools, few metasploit shots, exhaustive brute forcing, etc.) and without any efforts to be elusive. </p> <p> I’m betting if I ask this client if he noticed any activity spikes or if he was alerted to anything he’ll say no. Furthermore, I bet he has nothing setup to help him easily go check. </p> <p> I’m running across more and more of these where it seems the first indicators of something bad is when actual fraud occurs. Compromise, theft of data, spread of attackers’ control -- all missed opportunities to <b><i>detect and contain</i></b> because of an unbalanced reliance on prevention tools. </p> Wed, 28 Feb 2007 10:01:00 -0700 urn:uuid:3516c58f-49d4-4722-b69e-31ee53a6efa8 tate@ClearNetSec.com (Tate Hansen) http://blog.clearnetsec.com/articles/2007/02/28/unbalanced-reliance-on-prevention security ClearNet ClearNet Security Tate Hansen logs detection