How would you describe the difference between a breach-detection system and a traditional intrusion detection/prevention...
system or next-generation firewall, particularly from the perspective of how each type of device interacts with network traffic? In which enterprise settings would a breach-detection system be more appropriate to leverage?
There's definitely a difference between traditional network security controls such as intrusion prevention systems or next-generation firewalls and actual breach detection. The former security controls can provide information and insight (oftentimes too much) into what's taking place on the network such as network scans, denial-of-service attacks and blocked intrusions. Breach detection systems can go a step further and actually confirm that a breach has occurred by using things like heuristics, traffic analysis and predefined security policies.
The interesting thing I have found over the years is that many network admins and even executives that are privy to what's happening on the network are quick to quote how many times their network is attacked or "hacked" every single day. It's usually a number in the thousands or tens of thousands range. However, this does not paint an accurate picture of actual information risk. In the end, what matters the most is actual detection/confirmation of security breaches and, of course, the prevention of such incidents.
It seems that breach detection is the new "cybersecurity" -- yet another vendor-born rebranding to stir up interest in the market. There's no doubt to the validity of "response is the new prevention" approach to breach detection. I'm just not convinced it's another technology we must layer on to fix our security woes, especially given how much we're overlooking the simple stuff.
When it comes to deciding where a breach detection system may be appropriate to deploy (and likely used in conjunction with an IPS or NGFW), I suggest:
- In complex IT environments, namely large enterprise business and government agencies; and
- Small and medium-sized environments where little to no security technologies are in place to detect such security incidents.
In the end, the enterprise that blocks all attacks is not the one that wins because that's an impossible feat. Instead, the enterprise that wins is the one that has a technical and operational environment that facilitates the prompt response to security breaches to help minimize the impact to the organization.
Ask the Expert:
Want to ask Kevin Beaver a question about network security? Submit your question now via email. (All questions are anonymous.)
Beyond the Page: Learn more about breach detection systems
Dig Deeper on Information Security Incident Response-Information
Related Q&A from Kevin Beaver
Compare host IDS vs. network IDS through the pros and cons of each, and learn how more modern systems may be better suited to ensure effective ... Continue Reading
Explore the differing roles of inbound versus outbound firewall rules for enterprise network security and the varying use cases for each. Continue Reading
Different tools protect different assets at the network and application layers. But both network and application security need to support the larger ... Continue Reading