
Why a Detection-Centric Approach to Cybersecurity is the Wrong Path for Federal


Ken Ammon is chief strategy officer at Xceedium.

National Security Agency Director Adm. Michael Rogers recently stated, "Traditionally, we’ve largely been focused on attempts to prevent intrusions. I’ve increasingly come to the opinion that we must spend more time focused on detection." This is a troubling statement. Surely, detection is a key component of any security program. But should our government be spending more time on detection than prevention? The answer is no. 

What’s Wrong with a Detection-Centric Approach? 

The answer is best illustrated by applying this logic to other disciplines. Would you rather detect cancer or prevent cancer? Detect a crime or prevent a crime? Detect a security incident or prevent one? While detection represents a critical component of any complete program, a logical approach shows prevention is always preferred. The fact is that the majority of security incidents are the direct result of a failure to integrate security prevention into IT operations. 

Over the past decade, security monitoring and IT operations have evolved into an “us” and “them” paradigm, which perpetuates the existing bolt-on security model. In effect, the more we invest in better monitoring tools, the more problems we uncover. The result is a game of security whack-a-mole where the moles outpace the security operation teams’ ability to mitigate the risk. 

One example is poor credential management. Recent studies indicated a significant number of contractors maintained valid system administration login credentials years after they changed companies and no longer required access to the system. Given that all attacks follow two basic steps -- gain access and elevate rights -- this should be unacceptable to IT and security operation teams.
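As an added illustration of the credential-management failure described above (not code from the article or from Xceedium), the following check reconciles a privileged-account inventory against an active-personnel roster and flags accounts whose holder has departed, that cannot be attributed to anyone, or that have gone unused beyond an assumed 90-day policy window. The roster, account list and idle threshold are constructed sample data.

```python
"""Reconcile privileged accounts against the active contractor roster.

Added example, not from the original article: flags privileged
credentials that should be removed or reviewed before they can be used
to gain access and elevate rights. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date

MAX_IDLE_DAYS = 90                 # assumed policy window, not from the article
AS_OF = date(2015, 3, 10)          # constructed "today" for the sample run


@dataclass(frozen=True)
class PrivilegedAccount:
    username: str
    owner_id: str                  # ties the credential to a person (attribution)
    last_used: date


# Constructed HR roster: person id -> contract end date (None = still active)
ROSTER = {
    "c-1001": None,
    "c-1002": date(2012, 6, 30),   # contractor left years ago
    "c-1003": None,
}

# Constructed privileged-account inventory
ACCOUNTS = [
    PrivilegedAccount("dba_admin", "c-1001", date(2015, 3, 1)),
    PrivilegedAccount("net_admin", "c-1002", date(2012, 7, 2)),
    PrivilegedAccount("srv_admin", "c-1003", date(2014, 9, 1)),
    PrivilegedAccount("svc_backup", "", date(2015, 3, 1)),  # no owner on record
]


def stale_accounts(accounts, roster, today, max_idle_days=MAX_IDLE_DAYS):
    """Return {username: reason} for every account that needs removal or review."""
    findings = {}
    for acct in accounts:
        end = roster.get(acct.owner_id)
        idle_days = (today - acct.last_used).days
        if acct.owner_id not in roster:
            findings[acct.username] = "no attributable owner"
        elif end is not None and end <= today:
            findings[acct.username] = f"owner departed {end.isoformat()}"
        elif idle_days > max_idle_days:
            findings[acct.username] = f"unused for {idle_days} days"
    return findings


if __name__ == "__main__":
    for user, reason in stale_accounts(ACCOUNTS, ROSTER, AS_OF).items():
        print(f"{user}: {reason}")
```

The same reconciliation run on a nightly schedule turns a detection finding (a stale admin login in the logs) into a prevention control (the credential is gone before it is used).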

Most security incidents are merely symptoms of a combination of inadequate IT operational security controls, lack of defined and automated processes and lack of attribution. Lack of attribution, in particular, leads to situations where contractor “A” blames contractor “B” for deleting a database or shutting down a server. Without appropriate prevention platforms, security monitoring teams will continue to struggle with attribution and root cause remediation.

How to Build Prevention into Our Systems 

At the core of the issue is a lack of leadership. Security budgets are typically small, with the exception of post-breach funding, when the money is deployed in a fashion that doesn’t address inadequate prevention. Many chief information officers survey the enterprise IT market landscape looking for someone who has gotten it right and, admittedly, they have struggled to find a replicable model based upon proven success. But cloud computing has permanently changed that landscape.

Gartner’s magic quadrant for public cloud providers has Amazon Web Services significantly ahead of the field with a proven track record of weathering the constant onslaught of global attacks, all the while serving a massive and diverse global market. The secret sauce: corporate leadership and a commitment to fully integrate IT and security operations. The combination of integrated security controls focused on least privilege and continuous monitoring keeps the game of security whack-a-mole in check. 

The U.S. federal government continues to point to an integrated approach to security. The Federal Risk and Authorization Management Program, National Institute of Standards and Technology and the Department of Homeland Security's Continuous Diagnostics and Mitigation all bang this drum. In fact, the next phase of CDM is focused on least privilege and infrastructure integrity -- foundational elements of security prevention. Federal CIOs need to embrace this approach to succeed.

Ways to Strike Appropriate Balance Between Prevention and Detection

Our long history of bolting on or ignoring security has resulted in countless legacy systems with glaring security challenges and constrained operations and maintenance budgets. With Phase I of DHS’ CDM program rolling out over the next year, security monitoring will shine an even brighter light on IT operation gaps in process and accountability. Asking for additional funding to close these gaps is unpopular in general, but this is where leadership plays a key role. Congress and the executive branch must support additional security funding for the necessary prevention technology, and the CIO must be aligned with the chief information security officer.

Departments and agencies should be replicating an existing successful model with least privilege enforcement and full attribution. Failure to adapt will leave contractors vulnerable to more efficient and secure IT operational models implemented by FedRAMP-authorized providers. The benefits to security monitoring teams can be dramatic and will include: 

  • Reduction in false alarms as the result of least privilege-related access controls
  • Full attribution: no more confusion around root cause analysis
  • Access to session recording, reducing log analysis complexity for security analysts

The last key element in security is to follow NIST’s “Common Control” approach: invest in foundational security prevention systems designed to centrally support legacy, virtual and cloud-based systems. Centralized and automated controls will provide full attribution across all contractors and facilitate least privilege across all platforms.

(Image via Andrea Danti/
