Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

8.5. Detection and Preventative Controls

💡 First Principle: Prevention reduces the attack surface; detection identifies attacks that bypass prevention. No preventive control is perfect — so every security architecture must assume prevention will fail and invest proportionally in detection. The goal is not to prevent all attacks (impossible) but to minimize dwell time: the faster you detect, the less damage occurs.

Detection and prevention technologies span a spectrum from network-layer filtering (firewalls, IPS) to endpoint-layer monitoring (EDR) to deception technologies (honeypots) that are designed to be attacked. Layering these technologies creates defense in depth — an attacker who evades the firewall hits the IPS; an attacker who evades the IPS triggers the EDR; an attacker who evades the EDR touches a honeypot.

Why this matters: The exam tests your ability to select the right detection or prevention technology for a given scenario. IDS vs. IPS placement decisions, WAF vs. network firewall capabilities, and the operational tradeoffs of active blocking vs. passive monitoring are common question patterns.

⚠️ Common Misconception: "IDS and IPS are the same technology, just with different names." IDS passively monitors traffic and generates alerts — it does not block. IPS sits inline and can drop malicious packets in real-time. The operational implication: a false positive on an IDS wastes analyst time; a false positive on an IPS causes a business outage. This risk profile determines placement: IPS at critical choke points where false-positive risk is low and blocking is essential; IDS deployed broadly for visibility.
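To make the placement tradeoff concrete, here is an added Python example (not from the original text) that runs one constructed, deliberately coarse signature rule over constructed sample traffic in passive IDS mode and inline IPS mode; the rule, the flows and the addresses are assumptions for illustration, not real vendor signatures or real hosts.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Constructed signature rule (assumption, not a real vendor rule): a coarse
# substring match, so legitimate traffic can match it too (a false positive).
RULES = [("sqli-union-select", "union select")]

@dataclass
class Flow:
    src: str
    uri: str
    malicious: bool  # ground truth for the demo; a real sensor does not know this

@dataclass
class Outcome:
    alerts: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    forwarded: list = field(default_factory=list)

def match_rules(flow):
    """Return the name of the first rule the flow matches, or None."""
    uri = unquote_plus(flow.uri).lower()  # normalise before matching
    for name, pattern in RULES:
        if pattern in uri:
            return name
    return None

def run_sensor(flows, mode):
    """Run the same rule set as a passive IDS (tap/SPAN) or an inline IPS."""
    out = Outcome()
    for flow in flows:
        hit = match_rules(flow)
        if hit:
            out.alerts.append((flow.src, hit))  # both modes raise the alert
        if hit and mode == "ips":
            out.dropped.append(flow)  # inline: the flow never reaches the server
        else:
            out.forwarded.append(flow)  # IDS never blocks, even on a hit
    return out

def false_positive_outages(outcome):
    """Benign flows the sensor blocked: the business-outage cost of an inline FP."""
    return [f for f in outcome.dropped if not f.malicious]

# Constructed sample traffic: benign, a real attack, and benign text that matches.
TRAFFIC = [
    Flow("10.0.0.5", "/search?q=shoes", malicious=False),
    Flow("198.51.100.7", "/login?user=a' UNION SELECT pw FROM users--", malicious=True),
    Flow("10.0.0.9", "/docs/sql?topic=union+select+examples", malicious=False),
]
```

Both modes raise the same two alerts, but only the inline run drops the benign documentation request, which is exactly the outage risk that argues for IDS breadth and IPS only at well-tuned choke points.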

Written by Alvin Varughese, Founder, 15 professional certifications