5.5. Enterprise Security Capabilities
First Principle: A firewall alone stopped being sufficient the moment attackers learned to tunnel through port 443; a port-based rule cannot distinguish a command-and-control channel from legitimate HTTPS. Enterprise security capabilities are the specific technologies deployed across the environment to enforce security policies and protect against threats. They're the technical implementations of the security controls discussed in Phase 2. Unlike architecture (which determines placement), capabilities focus on what each technology does and when to deploy it.
What happens when capabilities are deployed without strategy? Organizations buy "best of breed" tools that overlap in coverage, leave gaps between them, and don't integrate for correlation. A company might have an NGFW, an IPS, and a WAF, all doing partial packet inspection, while lacking endpoint detection entirely. Capability planning ensures comprehensive coverage without unintended redundancy: overlap is acceptable where it is a deliberate defense-in-depth choice, not where it is the accidental result of buying three products for one job.
Consider the capabilities as a defensive lineup in sports: each player has a specific position and role. The firewall guards the perimeter, IDS/IPS monitors traffic flow, EDR watches endpoints, DLP protects data, and NAC controls admission. If two players guard the same zone and nobody covers another, the defense fails.
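The gap-and-overlap analysis that capability planning is meant to produce can be done mechanically once each capability is mapped to the control points it covers. The script below is an added example for this section, not code from the original page: the coverage taxonomy (`REQUIRED_COVERAGE`) and the capability-to-coverage mapping (`CAPABILITY_COVERAGE`) are constructed for illustration, and the `analyze`, `redundant` and `recommend` functions are hypothetical helpers. It reproduces the scenario in the text (NGFW, IPS and WAF deployed, no EDR) and also generalizes it: it reports which control points nobody covers, which capabilities add no coverage the others lack, and, via greedy set cover, which capability to add next to close the most gaps.

```python
"""Capability coverage check: gaps, redundancies and next-best additions.

Added example, not code from the original page. The taxonomy and the
capability-to-coverage mapping are constructed for illustration; a real
assessment takes both from the organization's own control inventory.
"""
from typing import Dict, List, Optional, Set

# Control points the stack must cover (constructed taxonomy for the example).
REQUIRED_COVERAGE: Set[str] = {
    "perimeter_inspection",   # north-south traffic at the edge
    "lateral_inspection",     # east-west traffic inside the network
    "web_app_inspection",     # HTTP-layer attacks on exposed applications
    "endpoint_telemetry",     # process, file and registry visibility on hosts
    "data_exfil_control",     # sensitive data leaving the environment
    "network_admission",      # which devices and users may join the network
}

# What each capability class covers (constructed mapping for the example).
# This models coverage area only, not depth: two tools that cover the same
# area may differ greatly in how well they detect a given technique.
CAPABILITY_COVERAGE: Dict[str, Set[str]] = {
    "NGFW": {"perimeter_inspection", "lateral_inspection"},
    "IPS":  {"perimeter_inspection", "lateral_inspection"},
    "WAF":  {"web_app_inspection", "perimeter_inspection"},
    "EDR":  {"endpoint_telemetry"},
    "DLP":  {"data_exfil_control"},
    "NAC":  {"network_admission"},
}


def _coverage(cap: str) -> Set[str]:
    """Look up a capability, failing loudly on names the inventory lacks."""
    try:
        return CAPABILITY_COVERAGE[cap]
    except KeyError:
        raise ValueError(f"unknown capability: {cap!r}") from None


def analyze(deployed: List[str]) -> Dict[str, object]:
    """Return uncovered control points and control points covered more than once."""
    covered_by: Dict[str, List[str]] = {area: [] for area in REQUIRED_COVERAGE}
    for cap in deployed:
        for area in _coverage(cap):
            covered_by[area].append(cap)
    gaps = sorted(area for area, caps in covered_by.items() if not caps)
    overlaps = {area: sorted(caps) for area, caps in covered_by.items() if len(caps) > 1}
    return {"gaps": gaps, "overlaps": overlaps}


def redundant(deployed: List[str]) -> List[str]:
    """Capabilities whose every control point is already covered by the others.

    These are the 'two players guarding the same zone': removing one of them
    leaves coverage (though not necessarily depth) unchanged.
    """
    result = []
    for cap in deployed:
        others: Set[str] = set()
        for other in deployed:
            if other != cap:
                others |= _coverage(other)
        if _coverage(cap) <= others:
            result.append(cap)
    return sorted(result)


def recommend(deployed: List[str]) -> List[str]:
    """Greedy set cover: repeatedly add the undeployed capability that closes
    the most remaining gaps, until nothing is uncovered or nothing helps."""
    remaining = set(analyze(deployed)["gaps"])  # type: ignore[arg-type]
    candidates = [cap for cap in CAPABILITY_COVERAGE if cap not in deployed]
    picks: List[str] = []
    while remaining:
        best: Optional[str] = max(
            candidates, key=lambda c: len(_coverage(c) & remaining), default=None
        )
        if best is None or not (_coverage(best) & remaining):
            break  # no candidate closes any remaining gap
        picks.append(best)
        remaining -= _coverage(best)
        candidates.remove(best)
    return picks


if __name__ == "__main__":
    stack = ["NGFW", "IPS", "WAF"]  # the scenario from the text
    report = analyze(stack)
    print("gaps:      ", report["gaps"])
    print("overlaps:  ", report["overlaps"])
    print("redundant: ", redundant(stack))
    print("add next:  ", recommend(stack))
```

Run as a script, the example stack reports three uncovered control points (endpoint telemetry, data exfiltration control and network admission), shows perimeter inspection covered three times, flags the NGFW and IPS as mutually redundant at the coverage-area level, and recommends EDR, DLP and NAC in that order. Treat the redundancy list as a prompt for review rather than a removal order, since the model deliberately ignores detection depth.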
