There are only two distinct defenses in cyber security – proactive and reactive. Proactive defense refers to actions that prevent an incident from occurring. In this sense proactive and preventive are synonymous. Reactive defense refers to any response when an attack is underway or has already done the damage. In what follows we will explain why using the term prevention as a catch-all word creates confusion. We give a more precise and practical definition for prevention.
The word prevention lends itself to variety of interpretations and the meaning depends on the context in which it’s used. Any action taken before an untoward incident that causes significant damage occurs, can be construed as a preventive measure. However, we contend that in the context of security (cyber security in particular). The term has a specific technical meaning and should be used circumspectly. Our focus will be the domain of cyber security.
The Problem
The most effective way to achieve a secure environment is to prevent an adverse event from happening. This statement means very little unless one understands the sense in which “prevent” is used. For example, in the context of vulnerability management, the identification of a vulnerability before it becomes exploitable, would eminently qualify as prevention. Much to the consternation of the security community, the term prevention is used where an anti-virus software discovers and thwarts an attack – a successful attack has been “prevented”. The concept of prevention is highly context sensitive. We can use it equally effectively to a post attack scenario where prompt action may have prevented much damage to the enterprise.
Evidently, the semantically flexible word “prevention” lends itself to mean different things in different contexts. This flexibility leads to confusion and misunderstandings when used in technical contexts. The security industry is rife with examples of usage of this in completely different senses.
Cyber Defence
The goal of a comprehensive security architecture is to arrive at an acceptable risk posture for the enterprise. There are two distinct approaches to accomplish this: Proactive and Reactive.
Attacks are perpetrated invariably by exploiting some weakness in the organization. In the context of cyber security, the weaknesses are described by using the concept of Attack Surface.
According to IBM, an organization’s attack surface is the sum of vulnerabilities, pathways or methods. It is sometimes called attack vectors—that hackers can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack. (https://www.ibm.com/topics/attack-surface). While, in general the attack surface can be used to describe digital attacks, physical attacks or social engineering attacks etc. We will focus on digital attacks in this article.
Digital Attack Surface comprises of software vulnerabilities, OS vulnerabilities, weak passwords, firmware vulnerabilities, misconfigurations, assets exposed to the internet, outdated and obsolete applications and data, shared resources such as databases and directories, weak encryption policies, vulnerabilities in TLS among others.
We will relate the concept of attack surface to give a more precise meaning to the term “Prevention”. This will pave the way to unambiguously understand the concept of prevention in the context of cyber security.
Prevention Based Security
Any proactive action that results in a reduction of the attack surface of an organization can be defined as a preventive measure. Knowing beforehand that an undesirable event is likely to happen, and being able to take measures to block all pathways that can lead to the occurrence of such an event most definitely qualifies as prevention.
Defining Preventive measure as an action that reduces the attack surface gives us not only an unambiguous way to understand prevention, but also provides a way to quantify preventive measures in terms of the resulting reduction in the attack surface.
In principle, if the attack surface is reduced to zero, it should lead to a completely secure environment. However, in practice this will never be the case. There will always be residual, unknown, unidentified weaknesses that leaves the enterprise open to potential attack.
This naturally leads to the second proactive approach to security, namely Detection Based Security.
Detection Based Security
Vulnerabilities are constantly discovered by the research community and by the underworld as well. There is often a time lag between the discovery of a vulnerability and the availability of a remedy to plug the vulnerability. It may also happen that the vulnerability is not even known to the research community, but only to the underworld. Under these circumstances, exploits using the vulnerability can, in principle, be used to attack an organization. But if the organization’s defences are good such attacks may be thwarted before it produces any significant damage. The detection may not necessarily be based only on the signature of a virus or a malware. It may be accomplished by detecting an anomalous behaviour.
In this scenario, it is the timely detection of an on-going attack that helps in ensuring that the attack is not successful. This scenario is often erroneously described as a preventive measure. The processes involved in a purely preventive approach (as described in the previous section) compared to the ones used in a detection-based threat mitigation strategy are completely different. Detection based approach to security does not result in a reduction of the attack surface. But ofcourse, it will limit the damage by ensuring that the attack is thwarted before it results in damage.
Detection-based-security measures are reactive measures. In other words they depend on the ability to detect an attack and act only after an attack has started.
It is our contention that the terms “Prevention” and “Proactive” should be reserved. Exclusively, for the case where a reduction in the attack surface can be demonstrated.
Post-attack Clean-up
It is not far-fetched to imagine that residual risk after due consideration for both prevention-based and detection-based strategies is not negligible can still lead to an attack. In this scenario, a further mitigation strategy could be to establish an Incident Management Strategy and/or a Disaster Recovery Strategy. It is easily seen that the focus here is not to prevent the adverse event from happening, but to limit the potential damage caused by such an event having occurred. In such a scenario, quite different strategies and practices will be required for effective risk management than preventive or detection-based measures. It is then imperative to deal with this as a class by itself to evolve effective strategies.
Conclusion
A comprehensive enterprise security uses a combination of Proactive and Reactive strategies. We have argued that only those measures that result in reduction of the attack surface deserve to be called “Preventive” or “Proactive”. Preventive Security and detection-based security complement each other. The most effective risk mitigation is achieved by adopting preventive measures. We propose that the term “Preventive”, “Prevention”, “Proactive”, be reserved to refer strictly to those measures that result in a reduction in the attack surface. While anti-virus software and anomaly-based detection of an on-going attack etc., are still necessary for effective security they do not result in the reduction of the attack surface.
