Network Security Preventive vs Detective Controls

January 15, 2022

When it comes to network security, there are two primary types of controls: preventive controls and detective controls. While both are important, they serve different functions in protecting your network. In this post, we'll take a closer look at the differences between preventive and detective controls and how they contribute to your overall network security strategy.

Preventive Controls

Preventive controls, as the name suggests, are designed to stop security incidents from occurring in the first place. They are proactive: they reduce the likelihood that an attack succeeds, rather than limiting the damage once it has.

Some examples of preventive controls include:

  • Firewalls that drop traffic the policy does not explicitly permit, and antivirus software that blocks or quarantines malicious files before they run.
  • Access controls that limit access to sensitive data and systems.
  • Network segmentation to isolate critical systems and limit lateral movement in the event of a breach.
  • Security awareness training to educate employees on safe browsing, password hygiene and email phishing.

Preventive controls do more to reduce the likelihood of a security incident, since a blocked attack never becomes one. The SANS Institute paper cited below goes as far as saying that "an effective security program contains a minimum of 60% preventive controls". Treat that figure as a guideline rather than a rule: a preventive control that fails or is bypassed silently gives you no signal at all, which is why it needs a detective control watching behind it.

Detective Controls

Detective controls, on the other hand, are designed to identify security incidents that are in progress or have already occurred. They are reactive: they do not stop the attack, but the sooner they surface it, the sooner it can be contained and the smaller its impact.

Some examples of detective controls include:

  • Intrusion detection systems (IDS) that monitor network traffic for malicious activity and raise alerts. The prevention half of an intrusion detection and prevention system (IDPS), which drops the traffic it matches, is strictly a preventive control running on the same sensor.
  • Security information and event management (SIEM) tools that aggregate and correlate log data to identify anomalies or malicious activity.
  • Anti-malware scans that sweep systems for viruses, Trojans and other malware already present. The same product is preventive when it blocks a file at execution and detective when a scheduled scan or an alert reveals an infection it did not stop.
  • Incident response plans that define who does what once a detection fires. Strictly these are corrective controls rather than detective ones, but a detection with no rehearsed response behind it reduces nothing.

Detective controls do less to reduce the likelihood of an incident, because they act only once something has already got through. What they reduce is the impact: the earlier an intrusion is seen, the less time the attacker has to move laterally, escalate privileges and exfiltrate data.
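As an added example (not code from the original post), here are the two kinds of control side by side on constructed flow records: a default-deny segmentation policy is the preventive control, and a fan-out detector over the traffic that the policy allowed is the detective control. The zone ranges, the policy triples, the addresses and the threshold of five destinations are all assumptions made for the illustration, not a description of any real network.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone layout for this example; the ranges are assumptions, not a real network.
ZONES = {
    "dmz":  ip_network("192.0.2.0/24"),
    "app":  ip_network("10.10.0.0/16"),
    "db":   ip_network("10.20.0.0/16"),
    "corp": ip_network("10.1.0.0/16"),
}

# Preventive control: a default-deny segmentation policy. Only the listed
# (source zone, destination zone, destination port) triples may pass;
# anything else, including traffic from unknown addresses, is dropped.
POLICY = {
    ("dmz",  "app", 8080),   # web tier reaches the application tier
    ("app",  "db",  5432),   # application tier reaches the database
    ("corp", "app", 443),    # staff reach the application front end
}

def zone_of(ip):
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def enforce(flows, policy=POLICY):
    """Apply the policy to a list of flows; return (allowed, denied)."""
    allowed, denied = [], []
    for flow in flows:
        triple = (zone_of(flow["src"]), zone_of(flow["dst"]), flow["dport"])
        (allowed if triple in policy else denied).append(flow)
    return allowed, denied

def detect_fanout(allowed, threshold=5):
    """Detective control over traffic the policy let through: a single source
    reaching `threshold` or more distinct destinations on one port is a
    lateral-movement / sweep indicator, even though every flow was permitted."""
    targets = defaultdict(set)
    for flow in allowed:
        targets[(flow["src"], flow["dport"])].add(flow["dst"])
    return sorted({src for (src, _), dsts in targets.items() if len(dsts) >= threshold})

# Constructed flow records standing in for a firewall or NetFlow export.
FLOWS = [
    {"src": "192.0.2.10", "dst": "10.10.0.21", "dport": 8080},  # dmz -> app, expected
    {"src": "10.10.0.21", "dst": "10.20.0.5",  "dport": 5432},  # app -> db, expected
    {"src": "10.1.0.7",   "dst": "10.20.0.5",  "dport": 5432},  # corp -> db, not in policy
] + [
    # One corp workstation contacting six app-tier hosts on 443: each flow is
    # allowed by the policy, so only the detective control can surface it.
    {"src": "10.1.0.9", "dst": f"10.10.0.{n}", "dport": 443} for n in range(30, 36)
]

if __name__ == "__main__":
    allowed, denied = enforce(FLOWS)
    print(f"policy allowed {len(allowed)} flows and denied {len(denied)}")
    for flow in denied:
        print("  denied :", flow["src"], "->", flow["dst"], "port", flow["dport"])
    for src in detect_fanout(allowed):
        print("  alert  :", src, "reached 5+ app hosts on one port (possible lateral movement)")
```

The point of the sweep records is that the firewall is doing its job and still says nothing: every one of those six flows matches an allowed triple. The segmentation policy limits where a compromised workstation can go; the fan-out check is what tells you that it is going there.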

Which Control Should You Prioritize?

To determine which control to prioritize, it is important to evaluate your organization's risk tolerance, compliance requirements, and objectives.

For example, if you store sensitive customer data or process payments, you may weight preventive controls heavily, since confidentiality cannot be restored once data has leaked. If you run an internet-facing, multi-tenant cloud service, you still rely on preventive controls for application attacks such as SQL injection or cross-site scripting (XSS), which are stopped by parameterized queries and output encoding rather than by any network device; but because you cannot anticipate every input pattern your tenants will see, detective controls (web application firewall and application logs fed into a SIEM, alerts on injection-shaped requests) become the way you learn about the attempts your preventive controls did not cover.
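The application-attack case above, as an added example that is not code from the original post: the SQL injection is stopped by a parameterized query (preventive), and the attempt is noticed by a scan of the web server's access log (detective). The user table, the log lines, the client addresses and the detection patterns are all constructed for the illustration; the patterns in particular are a sketch, not a WAF ruleset.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

def make_db():
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, user, pw):
    """Deliberately vulnerable: input is spliced into the SQL text, so a
    quote in `user` ends the string and the rest is parsed as SQL."""
    query = f"SELECT COUNT(*) FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, user, pw):
    """Preventive control: a parameterized query. The driver binds the values
    as data, so no input can alter the statement's structure."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(query, (user, pw)).fetchone()[0] > 0

# Detective control: scan access-log lines for injection-shaped input.
# These patterns are illustrative assumptions, not a WAF ruleset; tune before use.
INJECTION_PATTERNS = {
    "sqli": re.compile(r"'\s*(or|and)\b|--|\bunion\s+select\b", re.I),
    "xss":  re.compile(r"<\s*script\b|javascript:", re.I),
}
LOG_LINE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})$')

def detect_injection(log_lines):
    """Return (client_ip, kind, status) for each request whose decoded path
    matches an injection pattern. URL-decoding first matters: the payload
    arrives as %27+OR+1%3D1+--, which no pattern would match raw."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        decoded = unquote_plus(path)
        for kind, pattern in INJECTION_PATTERNS.items():
            if pattern.search(decoded):
                hits.append((ip, kind, status))
    return hits

# Constructed access-log lines (the addresses are documentation ranges).
ACCESS_LOG = [
    '198.51.100.4 "GET /login?user=alice&pw=correct+horse HTTP/1.1" 200',
    '203.0.113.9 "GET /login?user=%27+OR+1%3D1+--&pw=x HTTP/1.1" 200',
    '203.0.113.9 "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200',
]

def demo():
    """Run the same bypass payload through both login paths and the log scan."""
    conn = make_db()
    user, pw = "' OR 1=1 --", "anything"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, user, pw),  # True: the injection works
        "safe_bypassed": login_safe(conn, user, pw),              # False: parameter binding holds
        "alerts": detect_injection(ACCESS_LOG),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Read the two results together: fixing the query is what makes the attack fail, and the log scan is what tells you that 203.0.113.9 tried it, which matters even when the attempt failed, because the same client is probably probing other inputs. A 200 status next to an injection payload is the line an analyst should look at first.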

In reality, effective network security demands a balance of both preventive and detective controls. But prioritizing one over the other can depend on your unique situation.

Conclusion

In summary, preventive controls reduce the likelihood of an incident by stopping attacks before they succeed, while detective controls reduce the impact by surfacing the incidents that got through. Both matter to overall network security, and an effective security program keeps a deliberate balance between the two.

References:

  • "Developing a Minimum Security Baseline for a Small Cyber Security Program", SANS Institute, April 2019.
  • "Preventive Control vs Detective Control: Difference", Micro Health LLC., October 2021.

© 2023 Flare Compare