This shift in thinking puts more emphasis on careful collection of system logs and traffic records, and focuses on detecting what's unusual in the network, Berk says. "Large data transfers, unusual access patterns or reconnaissance behavior are all signs of somebody already on the inside searching for the crown jewels," he says.
But not everyone thinks the shift in security mindset is a good idea.
"I think the idea of switching from a prevention strategy to a detection one is a false dichotomy," says Wendy Nather, research director, security, at 451 Research. "First of all, because prevention tends to be more automated and therefore cheaper than detection. Second, because detection is just as imperfect as prevention. People may complain that antivirus misses a lot of malware, but so do intrusion detection systems. Firewalls and SIEMs are only as good as the experts who configure them, no matter which 'generation' they purport to be."
Many products that are seen as "prevention" actually rely on detection to work, Nather adds, whether it's through signatures, blacklists, rules, heuristics, or other algorithms. "You're looking for specific patterns, either in the data or in the behavior, and taking actions based on what you detect."
Preventive measures such as whitelisting and mitigating known vulnerabilities "are always going to be just as important as detection," Nather says. "Giving up on prevention because it can't be done perfectly is a very narrow mindset that security professionals can't afford."
Prevention "continues to be the top priority for defenders," adds Wolfgang Kandek, CTO at Qualys, a security platform provider. "The major shift is that the perimeter has dissolved. Today, workstations are as much under direct attack as are Internet-connected servers, and they need to be protected wherever they are, inside the enterprise network, at the user's home, hotels, airports and coffee shops."
Detection is best used after a comprehensive prevention strategy has been implemented, to go after the advanced threats that make it through even though all preventive steps have been taken, Kandek says. "In a network that has no-to-little preventive technology, detection will get flooded with alerts that will quickly overwhelm IT capabilities to follow up and investigate each alert," he says.
Many experts say there should ideally be a mix, with organizations giving equal emphasis to prevention and detection.
"There cannot be an 'either/or' approach to prevention and rapid detection," says Ed Powers, national managing principal, security and privacy, at consulting firm Deloitte. "The vast majority of organizations must do both."
This is because enterprises continually introduce new cyber risks, Powers says. In addition, malicious actors are unrelenting in exploiting these changes, resulting in the rapid evolution of threats -- many of which can't be detected by traditional preventive means.