Choosing Between Preventing and Detecting Attacks


You might think that security teams would be good at both preventing attackers from breaching their systems and at detecting attackers that are able to sidestep their prevention controls. It turns out that is not the case.

In the Blue Report 2023, our analysis of 14 million attack simulations found that organizations are making four “impossible” tradeoffs when it comes to managing their threat exposure. One trade-off is choosing between prevention efficacy and detection efficacy. 

We compared prevention and detection scores across regions and industries. Indeed, we found that performance varied between regions and industries. 

However, we also found that performance on prevention versus detection varied within regions and industries: the stronger a region or industry is at prevention, the weaker it is at detection, and vice versa, especially across industries.

Security teams face a dilemma similar to a short blanket that covers either someone's head or feet, not both. They appear to only be able to dedicate their time, money, and resources to so many problems at once. They deploy their budgets and resources to cover one exposed spot, but this leaves other areas out in the cold.

Performance by Industry

Our findings suggest that organizations’ cyberattack prevention and detection readiness vary considerably, both between industries and within industries.

Prevention Effectiveness

There is a broad range in performance when it comes to attack prevention. It is striking that several of the least effective industries are critically sensitive industries, including healthcare, technology, transportation, financial services, and energy and utilities. More than 3 out of 10 attacks successfully bypassed these industries’ security controls. Given how fundamental these industries are to society’s well-being, the sensitivity of data in these sectors and the attractiveness of these organizations to cybercriminals, there is an urgent need for them to enhance their efforts and their investments in cybersecurity defenses.

Figure: Prevention effectiveness score by industry

On the other hand, it's reassuring to note that some sectors fare better: the government and administration sector has a superior prevention effectiveness score of 73%, while manufacturing and engineering and the services sector have leading prevention effectiveness scores of 77% and 81%, respectively. These industries may have practices other sectors can learn from.

Detection Effectiveness

There are also significant variances between industries when it comes to detection effectiveness.

Figure: Log and alert scores by industry

The healthcare and pharmaceuticals industry leads in detection effectiveness. This superior performance could be due to the heightened regulatory oversight and sensitive nature of data in this industry during the pandemic, which likely necessitated stronger cybersecurity measures. The technology industry and the energy and utilities industry also show better than average results.

At the other end of the spectrum, conglomerates and organizations in the professional services industry have the least success logging attacks. They also have low alert scores, along with organizations in the transportation and logistics, professional services and retail and consumer goods industries.

In addition to variances between industries, organizations within an industry also appear to be making a trade-off between their prevention and detection capabilities. Industries that are strong at detection are weak at prevention, and vice versa. For example, as you can see in the charts above, the industries with the top 6 detection scores also have the 6 lowest prevention scores.

Performance by Region

Prevention Effectiveness

When it comes to regional disparities, there is a North-South divide in cybersecurity preparedness. The disparity may be rooted in various factors, like a region's economic development status, level of digital maturity, access to skilled cybersecurity professionals, and the degree to which governments focus on cybersecurity regulations.

Figure: Prevention effectiveness score by region

In general, organizations in the South Asia, Latin America and Asia-Pacific regions exhibit more limited abilities to prevent attacks, with scores of 44%, 55% and 64%, respectively. As these regions are experiencing strong digital growth, a robust expansion in cybersecurity measures could potentially prevent cyber threats from disrupting their digital booms.

In contrast, North America and Europe, Middle East and Africa (EMEA), with identical scores of 70%, exhibit a more robust level of threat protection. Organizations in these regions likely have the security measures in place to provide a reasonable level of protection against various threats. However, their scores also suggest the need for continued investment to enhance protections and stay ahead of the evolving threat landscape.

Detection Effectiveness

The inverse correlation between prevention and detection we saw for industries breaks down somewhat when viewed by region. For example, Latin America and Asia-Pacific face the same struggles with attack alerting that they do with prevention effectiveness. But even for Latin America and Asia-Pacific some of the contrast remains: they have the highest logging scores of all regions.

Figure: Log and alert scores by region

Organizations in EMEA face a clearer trade-off. They have commendable average prevention scores of 70%, but fall short in detection effectiveness, showing the lowest log and alert scores, 37% and 13% respectively. This discrepancy suggests that organizations in EMEA are investing heavily in preventive technologies and strategies but not allocating sufficient resources towards detection controls. This can leave them vulnerable to attacks that evade preventive measures, thereby undermining their overall security posture.

When it comes to attack detection, North America again ranks at the top, with high scores for attack logging and alerting. Combined with high prevention effectiveness, North American organizations demonstrate a relatively comprehensive and mature approach to cybersecurity. The lower detection scores, in particular a logging score of 37%, suggest that there is still significant room for organizations in this region to optimize their security controls.

Overcoming the Trade-off

Many organizations continue to struggle to prevent and detect cyber attacks simultaneously. Fortunately, their performance could be improved by taking a different approach.

Implementing a continuous threat exposure management (CTEM) program is one approach to cybersecurity that empowers organizations to effectively prioritize potential risks and corresponding remediation efforts.

Organizations with effective CTEM programs use attack simulations to identify and mitigate real-world threats to their networks and systems. Simulations allow them to test their security posture and identify vulnerabilities before they are exploited by real attackers.

Moreover, attack simulations can allow organizations to better balance attack prevention and detection. By simultaneously evaluating the ability of their security controls to prevent attacks, log potential threats, and generate appropriate alerts, organizations can identify the gaps in their cyber defense posture that matter the most. Organizations can then allocate resources efficiently and effectively to address the most critical areas of concern, rather than making trade-offs between them.
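As an added illustration of scoring simulation results along the three axes discussed above (prevention, logging, alerting), the following Python is not Picus code and does not reproduce the Blue Report's methodology. The record layout, the sample results and the score definitions (prevention over all attacks; log and alert over the attacks that got past prevention) are assumptions made for the example.

```python
"""Score breach-and-attack-simulation results by prevention, log and alert
effectiveness, and surface the residual share of attacks that were neither
prevented nor alerted on. Constructed example; not the report's own method."""
from collections import defaultdict

# Constructed sample: (segment, technique, prevented, logged, alerted).
# Technique IDs are placeholders. A prevented action never reaches the SIEM,
# so its logged/alerted flags are always False here.
SAMPLE_RESULTS = [
    ("emea",  "T-placeholder-1", True,  False, False),
    ("emea",  "T-placeholder-2", True,  False, False),
    ("emea",  "T-placeholder-3", True,  False, False),
    ("emea",  "T-placeholder-4", False, True,  False),  # logged, no alert
    ("emea",  "T-placeholder-5", False, False, False),  # silent bypass
    ("latam", "T-placeholder-1", True,  False, False),
    ("latam", "T-placeholder-2", True,  False, False),
    ("latam", "T-placeholder-3", False, True,  True),
    ("latam", "T-placeholder-4", False, True,  True),
    ("latam", "T-placeholder-5", False, True,  False),
]

def score(results):
    """Per-segment percentages. 'unhandled' is the share of all attacks that
    were neither prevented nor alerted on: the gap that matters most."""
    by_seg = defaultdict(list)
    for seg, _tech, prevented, logged, alerted in results:
        by_seg[seg].append((prevented, logged, alerted))
    out = {}
    for seg, rows in by_seg.items():
        n = len(rows)
        passed = [r for r in rows if not r[0]]          # got past prevention
        prevented = n - len(passed)
        logged = sum(1 for r in passed if r[1])
        alerted = sum(1 for r in passed if r[2])
        out[seg] = {
            "prevention": round(100 * prevented / n),
            "log": round(100 * logged / len(passed)) if passed else 100,
            "alert": round(100 * alerted / len(passed)) if passed else 100,
            "unhandled": round(100 * (len(passed) - alerted) / n),
        }
    return out

def weakest_axis(seg_scores):
    """Name the control area (prevention, log or alert) with the lowest score."""
    return min(("prevention", "log", "alert"), key=lambda k: seg_scores[k])

def rank_by_residual(scores):
    """Segments ordered by unhandled share, highest (most urgent) first."""
    return sorted(scores, key=lambda s: scores[s]["unhandled"], reverse=True)
```

Run on the sample, the EMEA segment shows the trade-off the post describes (good prevention, poor alerting) and ranks as the more urgent gap even though its prevention score is the higher of the two.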

Picus Security, the pioneer in breach and attack simulations (BAS), can help you to proactively validate your security controls, and continually improve your defenses so you can stay one step ahead of your adversaries. 

To learn more about other trade-offs organizations face in managing their threat exposure, download the Blue Report 2023, or read our other blogs in this series.