The basic rule of Network Security is “prevention is ideal, detection is a must” – stopping something from getting into your network is ideal, but not realistic all the time. If a nation-state level actor or another entity with a lot of resources wants to find a way into your network – it’s only a matter of time before they find a way in. Once someone finds a way in, detection comes into play.
Prevention vs. Detection
Thinking about a house, to prevent entry, an owner would do things like install deadbolts on doors and make sure they’re locked before going to bed at night.
Detection would include something like an audible alarm on the doors that goes off when the door is opened.
With a computer network, prevention takes the form of actions like:
- Keeping patches up to date
- Removing default credentials
- Hardening configurations
- Limiting physical access to sensitive systems
Detection on a computer network typically involves:
- Enabling and configuring logging
- Monitoring physical access via access logs or surveillance
- Setting up honeypots/canary tokens
- Creating alerts for specific conditions
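The last three items in that list can be demonstrated together. The following is an added example, not code from the original article: it runs two simple alert rules over a few constructed log lines (a burst of failed SSH logins from one source, and a request for a hypothetical canary file whose only purpose is to be touched by someone who should not be there).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): SSH-style auth
# events plus a web access entry for a file that serves as a canary token.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:04 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:06 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:08 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:05:00 sshd: Accepted password for alice from 192.0.2.10
2024-05-01T10:07:30 httpd: GET /finance/passwords-backup.xlsx from 198.51.100.9
"""

# Hypothetical canary path: nothing legitimate ever reads it, so any hit is an alert.
CANARY_PATHS = {"/finance/passwords-backup.xlsx"}
FAILED_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")
ACCESS_RE = re.compile(r"^(\S+) httpd: GET (\S+) from (\S+)$")


def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alert strings for: N failed logins from one source inside
    a sliding time window, and any request for a canary path."""
    alerts = []
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            src = m.group(3)
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) == threshold:           # fire once when the threshold is hit
                alerts.append(f"brute-force: {src} had {threshold} failed logins within {window}")
            continue
        m = ACCESS_RE.match(line)
        if m and m.group(2) in CANARY_PATHS:
            alerts.append(f"canary: {m.group(2)} fetched by {m.group(3)}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The same structure (parse, keep per-source state, compare against a condition) is what a SIEM rule does at scale; the value comes from logging being enabled in the first place, which is why it heads the list.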
A Note on Deterrence
Having controls that let would-be wrongdoers know that things like surveillance are in use not only helps to monitor a situation for problems, but also helps to actively deter the behavior in the first place.
In terms of computer networks, doing things like changing default login banners to let users know that their activity is being logged tells would-be attackers that they are going to have to try harder to get in or, better yet, move on.