Chris Sanders started a poll on Twitter asking “Would you rather get a real-time alert with partial context immediately, or a full context alert delayed by 30 mins?” I answered by saying I would prefer full context delayed by 30 minutes. I also replied with the text at left, from my first book The Tao of Network Security Monitoring (2004). It’s titled “Real Time Isn’t Always the Best Time.”
Dustin Webber then asked “if you have [indicators of compromise] IOC that merit ‘real-time’ notification then you should be in the business of prevention. Right?”
Long ago I decided to not have extended conversations over Twitter, as well as to not try to compress complex thoughts into 140 characters — hence this post!
There is a difference, in my mind, between high-fidelity matching (using the vernacular from my newest book, The Practice of Network Security Monitoring, 50% off now with code RSAREADING) and prevention.
To Dustin’s point, I agree that if it is possible to generate a match (or “alert,” etc.) with 100% accuracy (or possibly near 100%, depending on the severity of the problematic event), i.e., with no chance or almost no chance of a false positive, then it is certainly worth seeking a preventive action for that problematic event. To use a phrase from the last decade, “if you can detect it, why can’t you prevent it?”
However, there are likely cases where zero- or low-false positive events do not have corresponding preventive actions. Two come to mind.
First, although you can reliably detect a problem, you may not be able to do anything about it. The security team may lack the authority, or technical capability, to implement a preventive action.
Second, although you can reliably detect a problem, you may not want to do anything about it. The security team may desire to instead watch an intruder until such time that containment or incident mitigation is required.
This, then, is my answer to Dustin’s question!