Prevention vs Detection, Rebalancing Your Security Program

February 04, 2015


In this Whiteboard Wednesday we will talk about the two major types of security products out there: preventative security products and detection products.

Gartner states that security teams today spend about 10% of their budget on security products focused on detecting attackers within their network, and it expects that share to grow to 75% of the budget by the year 2020. As security teams come to realize that it is almost impossible to prevent every attack against their network and users, they will start to rebalance their security dollars to invest more heavily in incident detection and response.

If you are interested in learning how Rapid7 can help you detect and respond to attacks, check out our InsightIDR product or learn more about our incident response services.


Video Transcript

Hello and welcome to this Rapid7 Whiteboard Wednesday. My name is Chris Kirsch. I am the principal product marketing manager here at Rapid7 for UserInsight (now InsightIDR). Today I would like to talk about the choice of prevention versus detection as part of your security program and how I think that's going to shift over the next few years. I'd like to borrow a graphic here from Gartner, a model of how they view security programs. Most companies start out with prediction. They start out with an asset inventory, with vulnerability management, maybe with penetration testing to check out where the systems are vulnerable. So this is just kind of trying to figure out and predict where an attacker is most likely to get in. For example, the Nexpose vulnerability management solution would fit in the prediction category here.


The next stage is prevention. So here we're trying to block an attacker from getting into the network. Think about technologies like encryption. Think about security controls that are part of the operating system, maybe, or from third-party vendors. If an IPS is set up for blocking or a DLP is set up for blocking, it could also be in the prevention space.

Then the next category is detection. Here we're assuming that some attackers will not be blocked by these preventative measures and will actually manage to get into the network. So as companies realize that they can't keep all the attackers out, they need methodologies to detect attackers on their network. That's what the detection space is about. So here, if an IDS is set up only for detection, we would put it here. If you set up InsightIDR for detecting attackers on your network, for example using compromised credentials or moving laterally across the network, that would be in the detection space.

And then once you've detected an attacker on your network, you also want to figure out: What is impacted? How do I contain it? How do I respond to the incident? So that's all in the respond segment here. So again, UserInsight goes across both areas here because we help you investigate an incident and figure out who is impacted, what machines are impacted and so on, so that you can contain an incident. Forensics tools are also in this bucket, and so on.

What's really interesting is that we're seeing a shift from spending only here to spending mostly here over the next few years. So another Gartner graphic that I'd like to pull in is that spending last year for these two sectors here, detection and response, was only about 10% of the security budget. Gartner believes that by 2020, that will grow to 75%. So that's really flipping how we view the world as part of a security program, from up here to down here. We'll still continue doing this, but I think this part will probably become cheaper, become easier, integrated into the operating systems. Some of it will be easier to roll out, and licensing costs might also go down, and this part here is much more important.

Now the 10% to 75% is interesting, but it's even more interesting if you consider that this is a share of a growing pie. The security budgets are increasing by themselves, as well. So if you would like to explore moving from the prediction/prevention space to the detection/response space and figuring out how that feels and what your options are, I invite you to go to the Rapid7.com page and sign up for a free guided UserInsight demo.

Thank you very much for joining us on the Whiteboard Wednesday today, and I hope to see you next week.