Prevention Eventually Fails
Prevention vs. Detection: Understanding the Distinction
In cybersecurity, one of the most persistent debates centers around prevention and detection: Can we stop attacks before they happen, or must we rely on detecting and responding to them? This question has been relevant for decades. Back in May 2003, Network Magazine published an article titled “Emerging Technology: Detection vs. Prevention - Evolution or Revolution?” that explored this exact issue. At the heart of this debate lies a recurring confusion between enforcing security policies and auditing them.
Policy enforcement tools, like firewalls, routers with Access Control Lists (ACLs), and Intrusion Prevention Systems (IPS), work by enforcing rules to block suspicious traffic or deny access to sensitive areas. However, these tools are far from perfect. On the other hand, policy audit and verification tools—like traditional Intrusion Detection Systems (IDS) and network traffic analyzers (such as Argus and Sandstorm’s NetIntercept)—are designed to monitor and report activity. Their role is not to block but to tell us what’s happening on the network.
Marty Roesch, founder of Sourcefire and creator of the open-source IDS tool Snort, explains it well: “IPS is access control, and IDS is network monitoring. IPS is policy enforcement, and IDS is audit.” This distinction is critical but not universally understood in the security community. As Jeff Wilson of Infonetics Research notes, the average user wants to “stop attacks” rather than monitor and respond. But what happens when prevention inevitably fails? And it will, eventually.
Prevention Eventually Fails – Why It’s Inevitable
Prevention mechanisms—firewalls, IPSs, and similar tools—are only as effective as the signatures, policies, and rules they follow. Attackers continuously find new ways to bypass or exploit these defenses. At some point, every preventative measure will miss a threat, whether due to a novel attack vector or sophisticated evasion techniques. When this happens, it’s up to audit tools and detection systems to capture critical data, giving teams a clear record of network events to analyze.
As Roesch points out, the role of IDS isn’t to block attacks but to provide visibility into vulnerabilities. Relying solely on prevention leaves organizations blind to the extent and impact of a breach when it occurs. It’s audit and monitoring systems that allow us to “fail gracefully” by helping us understand and respond to the scope of an incident.
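As an added illustration of the enforcement-versus-audit split described above (not code from the article or from any product it names): a signature-driven blocker and an unconditional audit record run over the same constructed events, with hypothetical signature sets `SIGNATURES_V1` and `SIGNATURES_V2` and a `retrospective_hunt()` that finds what prevention missed once the signatures catch up.

```python
"""Enforcement vs. audit on the same traffic (added illustration, not from the article).

Constructed sample events: an inline 'IPS' blocks only what its signatures match;
an 'audit' log records every event unconditionally. When a novel event slips past
the signatures, the audit log still holds the evidence, so it can be found once
the signature set is updated."""
from dataclasses import dataclass

@dataclass
class Event:
    src: str
    agent: str
    verdict: str = "allowed"

# Hypothetical signature set: all the preventive control knows at the time.
SIGNATURES_V1 = ["bad-tool/1"]
# The same set plus a signature learned after the incident (also hypothetical).
SIGNATURES_V2 = SIGNATURES_V1 + ["bad-tool/2"]

def enforce(events, signatures):
    """IPS-style policy enforcement: block only what a signature matches."""
    for ev in events:
        ev.verdict = "blocked" if any(s in ev.agent for s in signatures) else "allowed"
    return events

def audit(events):
    """IDS-style audit: record every event, whatever the enforcement verdict."""
    return [(ev.src, ev.agent, ev.verdict) for ev in events]

def retrospective_hunt(audit_log, signatures):
    """Re-run a newer signature set over the audit record to find what prevention missed."""
    return [rec for rec in audit_log
            if rec[2] == "allowed" and any(s in rec[1] for s in signatures)]

# Constructed sample traffic; the third client is a tool version V1 has never seen.
SAMPLE = [
    Event("10.0.0.5", "Mozilla/5.0"),
    Event("10.0.0.7", "bad-tool/1.0"),
    Event("10.0.0.9", "bad-tool/2.0"),
]

def run():
    log = audit(enforce(SAMPLE, SIGNATURES_V1))
    return log, retrospective_hunt(log, SIGNATURES_V2)

if __name__ == "__main__":
    log, missed = run()
    print("missed by prevention, found in audit:", missed)
```

Without the audit record there would be nothing to re-examine when the new signature arrives; that record is what lets the team "fail gracefully".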
Building Cyber Resilience: Beyond Prevention and Detection
Prevention is essential but only one layer of a comprehensive cybersecurity strategy. A robust approach includes detection and audit capabilities, so that when prevention fails, we’re prepared to identify, contain, and respond effectively. In cybersecurity, it’s not enough to merely hope for the best; we must also be prepared for the worst. The phrase “prevention always fails” is better phrased as “prevention eventually fails”—it’s a realistic view that prioritizes resilience over pure prevention.
True cyber resilience requires a proactive approach, aligned with the organization’s mission, and focused on minimizing risk under the assumption that compromise is possible. This involves three primary approaches:
- Embedding Cyber Resilience into Architecture and Engineering: Security cannot be added as an afterthought. It must be part of the system’s design and architecture from the very beginning.
- Increasing the Attackers’ Cost: By making it more resource-intensive for attackers to succeed through layered defenses, we can deter and exhaust threats more effectively.
- Containing and Limiting Access: Tactical measures to limit the access that attackers can gain, reducing potential damage if they do breach defenses.
In its Special Publication 800-160, the National Institute of Standards and Technology (NIST) defines cyber resilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on the systems that use or are enabled by cyber resources.” This concept of resilience emphasizes the need to anticipate threats, withstand attacks, recover quickly, and continuously adapt to evolving risks.
Microsoft’s Well-Architected Security Principles
Microsoft’s Well-Architected Security Framework offers additional insight on designing resilient, secure systems. A resilient system should be built with a Zero Trust approach, which operates on the principle of “never trust, always verify.” This model integrates the core security principles of confidentiality, integrity, and availability (the CIA triad), ensuring that the workload meets business goals while prioritizing security. To build resilience, Microsoft suggests asking the following questions:
- Do your defensive measures create a meaningful barrier that increases the cost for attackers?
- Are your security controls effective at reducing the scope of an incident (the “blast radius”)?
- Can you assess how valuable the workload might be to an attacker, and understand the impact of compromise?
- Are you prepared to detect, respond to, and recover from disruptions effectively?
These questions establish a mindset centered on resilience and continuous improvement. The Zero Trust model emphasizes verifying identities, enforcing least-privilege access, and designing for compromise by assuming breaches will happen. This approach encourages layered defenses, continuous validation, and compensating controls to contain and respond to incidents effectively.
Continuous Improvement and Balancing Trade-offs
Security is not a one-time effort but an ongoing, iterative process. Cyber resilience relies on regularly updating defenses, improving detection, and staying informed on the latest threat vectors. As attackers evolve their methods, so must our defenses.
Balancing security with reliability is essential, though they can sometimes pull in opposite directions. For instance, while data exfiltration attacks may not impact availability, they can severely harm an organization’s brand. Prioritizing both security and reliability helps organizations protect mission-critical workloads effectively, weighing the impact of security controls against operational resilience.
Key Takeaways for Cyber Resilience
Building a resilient cybersecurity strategy means continuously adapting to emerging threats, integrating resilience into architecture, increasing attackers’ costs, and limiting their access. By embedding these principles at every layer of the organization, companies can better withstand and respond to breaches. Prevention, detection, and resilience together form a multi-layered defense that can stand up to the challenges of today’s ever-evolving threat landscape.
Resilience is an ongoing journey. The principles outlined here provide a foundation for organizations committed to protecting their assets and responding to inevitable breaches with strength and agility.