
Cyber threat prevention vs. detection: Striking the right balance for your university or school district

Mark Guntrip | Aug 20, 2022

illustration of scales weighing a computer labeled prevention and a computer labeled detection


Historically, data, apps, and users were secured in a data center behind a hardened perimeter that prevented access by anyone outside the “castle walls.” In the rare instance that a remote office, user, or other entity from outside that perimeter needed to connect to the data center, the IT team simply extended the walls around the entity — typically through a VPN.

The cloud, however, has changed network architecture forever. Expanded threat surfaces caused by new technology initiatives, cloud migration, and the growing need for remote learning and extended research make it impossible to extend data-center-like protection to every distributed and mobile entity. As a result, universities and school districts have come to realize that data breaches are inevitable — forcing security organizations to develop strategies focused on detecting malicious actors’ behavior once they are inside the network and stopping their lateral spread.

Breaches have proven to be incredibly costly for the education sector. According to IBM Security’s Cost of a Data Breach Report 2022, the cost of a breach in this industry is nearly $4 million. Part of that can be attributed to the success that ransomware attacks have had targeting K-12 education, with the sector seeing the highest rate of ransom payouts in 2021 (53%).

Education institutions are starting to realize they can’t completely abandon threat prevention, given the rise of a new category of attacks dubbed Highly Evasive Adaptive Threats (HEAT). HEAT attacks bypass traditional detect-and-respond cybersecurity approaches by hiding in plain sight among seemingly innocuous technologies, such as Java communications and VPNs. This allows malicious actors to breach the network and lie in wait for days, weeks, or even months, while they surreptitiously spread throughout the network in search of a priority target that they can strike at the right moment. For every improvement in detection techniques, there is an equal advancement in evasion capabilities.

Striking the right balance for today’s threats

It’s clear that education security leaders need a two-pronged approach anchored by both prevention and detection technologies. Working together, prevention and detection provide the best security coverage against today’s HEAT attacks, streamline security operations, and preserve the expected end-user experience wherever learning, research, or daily tasks take users.

However, rethinking your security strategy so that it incorporates the right balance between prevention and detection is easier said than done. The following are five critical steps to take toward deploying a holistic security strategy:

1. Take stock of your priorities.

Evolving choices in the way we work constantly change security requirements and make them unique to each individual institution — the one-size-fits-all security stack from major vendors is simply not a viable option anymore. Universities and school districts need to constantly assess their security needs based on their business model, operational structure, app usage, connectivity, and work culture. Security professionals then need to identify the weakest link and the most critical assets that need to be protected, and make sure they are as secure as possible given these changing conditions.

Advice: The ubiquitous nature of the web and email in today’s education environment and the enticing targets they represent mean that you should focus on securing these potential access points.

2. Re-evaluate your budget.

According to the 2022 CyberEdge Cyberthreat Defense Report, security spend has leveled off to around 12 percent of the overall IT budget, despite growing threats and increased risk. This budget crunch makes it more important than ever to spend what little money is available on the right technologies. Spending too much on detection may open your organization to risk while overwhelming your security team. On the other hand, spending too much on prevention may reduce the number of successful breaches but can increase the impact of each event. It’s important that you find the right balance based on your unique security needs.

Advice: Over the past several years, budgets have drifted toward detection solutions — perhaps too much. A good balance includes a hardened front door anchored by a sandbox as well as subsequent detection and remediation technologies.

3. Consider changes in how we learn and work.

The only certainty in the future of learning and work is change. Will learning be hybrid or remote again in the future? Will workers continue to drift back to the office? Will another global pandemic or geopolitical event push people back home? How will application architectures and connectivity continue to evolve? Will we continue to see a blur between personal and business use of devices? Whatever the answers, you need to be prepared to provide users with fast, reliable, and secure experiences wherever business takes them.

Advice: Whether there’s a return to the classroom and office, a continuation of learning and working from home, or some hybrid scenario, there’s no doubt that the future of work is in the cloud. It’s important to pursue a cloud-native security strategy that can protect highly distributed and mobile assets.

4. Preserve the end-user experience.

Security can’t be seen as an inhibitor to productivity. Forcing users to use custom browsers or email clients, shutting off sections of the Internet, disabling common features such as cut and paste on browsers, or inserting services inside the data path that slow performance are all good ways to alienate your user base. Security needs to protect users and their devices while simultaneously preserving the end-user experience in form, function, and performance.

Advice: Consider technology that makes security invisible to end users to prevent them from turning off protections or creating workarounds. Shadow IT has been a challenge for security departments for years. With today’s remote and hybrid workforce, overcoming these challenges is even more paramount.

5. Cut through the noise with automation.

Detection creates a lot of noise. Today’s Security Operations Center (SOC) personnel are overwhelmed with false positives generated by breach-detection tools. Every event, every abnormal behavior, and every unexpected spike in traffic that gets flagged has to be investigated by someone — and that someone is inevitably a member of the SOC team. Sure, artificial intelligence (AI) and machine learning (ML) have put more context around security events, but the high volume is still there. Automation can clean up a lot of these false positives, allowing security professionals to focus on the problems that really matter.

Advice: A stronger prevention strategy can stop most threats from gaining a foothold in the network, allowing security professionals to focus all their efforts on mitigating the threats that manage to get through.

Detection has gained favor over the past several years as education institutions have accepted the fact that breaches are a given. But the pendulum has swung too far. A security strategy that starts with a hardened front door and is augmented by powerful detection and remediation solutions provides a two-pronged approach to protecting highly distributed, agile, cloud-based organizations. Finding the right balance varies, however, and will be unique to your university or school district.
