How would you describe the difference between a breach-detection system and a traditional intrusion detection/prevention system or next-generation firewall, particularly from the perspective of how each type of device interacts with network traffic? In which enterprise settings would a breach-detection system be more appropriate to leverage?
There's definitely a difference between traditional network security controls such as intrusion prevention systems or next-generation firewalls and actual breach detection. The former security controls can provide information and insight (oftentimes too much) into what's taking place on the network such as network scans, denial-of-service attacks and blocked intrusions. Breach detection systems can go a step further and actually confirm that a breach has occurred by using things like heuristics, traffic analysis and predefined security policies.
The interesting thing I have found over the years is that many network admins and even executives who are privy to what's happening on the network are quick to quote how many times their network is attacked or "hacked" every single day. It's usually a number in the thousands or tens-of-thousands range. However, this does not paint an accurate picture of actual information risk. In the end, what matters the most is actual detection/confirmation of security breaches and, of course, the prevention of such incidents.
It seems that breach detection is the new "cybersecurity" -- yet another vendor-born rebranding to stir up interest in the market. There's no doubt about the validity of the "response is the new prevention" approach to breach detection. I'm just not convinced it's another technology we must layer on to fix our security woes, especially given how much we're overlooking the simple stuff.
When it comes to deciding where a breach detection system may be appropriate to deploy (and likely used in conjunction with an IPS or NGFW), I suggest:
- In complex IT environments, namely large enterprise businesses and government agencies; and
- Small and medium-sized environments where little to no security technologies are in place to detect such security incidents.
In the end, the enterprise that blocks all attacks is not the one that wins because that's an impossible feat. Instead, the enterprise that wins is the one that has a technical and operational environment that facilitates the prompt response to security breaches to help minimize the impact to the organization.
Ask the Expert:
Want to ask Kevin Beaver a question about network security? Submit your question now via email. (All questions are anonymous.)