On Security Controls - Deter, Prevent, Correct and Detect
I often think we are too focused on discussing and evaluating the functionality of a particular technology or tool, and as such forget to assess more fundamentally the amount and type of security functionality a specific solution provides. Below are some notes, thoughts and discussions on security controls.
Preventive controls reduce exposure. These are the controls that reduce attack surface and possible vulnerabilities. System hardening (e.g. disabling services and applications) and segmentation (e.g. using router or firewall ACLs) are examples of preventive controls. Preventive controls act before the attack, by disallowing interactions with the target or making them impossible. Preventive controls are the most cost-effective of all controls.
Deterrent controls reduce the likelihood of an attack. These are the controls or mechanisms that somehow make the act of exploiting the target more difficult or unattractive, but not impossible. Examples of deterrent controls are anything that actively discourages a party from doing something malicious, e.g. awareness and accountability efforts. I argue that an IPS is a deterrent control, because the asset remains vulnerable and can still be exploited. It only reduces likelihood, not possibility. Deterrent controls may act before the attack, when they aim to discourage, but also during the attack, when the control actively tries to deter an ongoing attack.
Corrective controls reduce impact. Examples are systems that try to minimise the damage from a situation: systems that quarantine systems, users or applications when certain conditions apply to them, or anti-virus systems that automatically try to remove malware-infected items that already have a presence on the system. Incident response and forensics are also corrective controls. Corrective controls act during or after an attack.
Detective controls discover security issues and concerns. Detective controls create visibility and reduce uncertainty. Examples of detective controls are performing log analysis, deploying sensors that actively look for indications of attacks, and vulnerability assessment solutions that bring insight into where vulnerabilities are present. Detective controls are necessary for deterrent and corrective controls to work. I believe this control is best implemented by performing security monitoring.
I believe these are good components of a defense-in-depth strategy, together with the usual network, host and application layering. I also think this captures the importance of monitoring and response, and the problem of determining the value of deterrent controls.
